Post-mortem of this weekend's NPM incident

This is a good post-mortem with clear, policy-based remediations. Nicely done.<p>I wonder why they are only preventing republishing for 24 hours. Is there a good reason to allow a package namespace to be recycled with less than, say, a week? Is it based on the assumption that the only case where it comes up is during an incident, and 24 hours is enough time to assume an incident will be resolved? I&#x27;m curious what went in to that number.

So, a spammer uploaded something containing copied data from a legitimate user and npm deleted everything from that user. Oy.<p>Seems like npm might want to review the policy that allows stuff like that to happen.<p>Even if a user violates the spam policy (which, to be clear, it seems the affected user in this case did NOT do), that hardly seems to be appropriate grounds for deleting everything the user has ever published on npm.<p>That is a policy that is just begging for griefing.

&gt; we have policies against ever running SQL by hand against production databases—but in this case we were forced to do so<p>Uh... Add in the fact that staff are now trigger happy, since a single button can do a lot of damage.

<i>Our first action, which began immediately after the incident concluded, was to implement a 24-hour cooldown on republication of any deleted package name.</i><p>Why not infinity hours? I don&#x27;t get it.

&gt; Our first action, which began immediately after the incident concluded, was to implement a 24-hour cooldown on republication of any deleted package name<p>I don&#x27;t understand this. Why hard delete packages at all? Soft deleting feels like it would be easier and would stop people republishing with the same name.<p>They could also bake their warning process for dependent libraries (i.e. &quot;this package is gone!&quot;) into the soft delete process.

I feel like a project that could help with this to identify package importance by the dependents and downloads.

&gt; At the time of Saturday’s incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam.<p>I see this acknowledgement, but I cannot find where they will remedy this by putting placeholders in place of spam removals. As a concession, maybe only placeholders for spam removals of packages that are older than X days or depended on (explicitly or transitively) by X packages. Did I miss where the remedy for this spam-removed-package-reuse was in the blog post?