Laurie Voss, co-founder and Chief Data Officer of npm (the package manager for JavaScript, and the huge registry of public and private JavaScript packages behind it), had an interesting story to tell on Twitter:
A major international bank accidentally published a private package of their own to the public npm Registry, took *3 years* to notice, and then sent DMCA takedown notices to Amazon and Cloudflare for hosting "stolen code". Now I have to pay a lawyer to explain this to them.
— Laurie Voss (@seldo) 11 March 2019
We sell a thing that prevents this kind of mistake, it is called npm Enterprise, you should all really look into it instead of making me spend money to explain how npm publish works to your lawyer.
— Laurie Voss (@seldo) 11 March 2019
(I should make clear that this kind of legal confusion happens ALL THE TIME and is a genuine source of overhead in running the registry)
— Laurie Voss (@seldo) 11 March 2019
Our lawyer is also going to need to explain to a bank why a React package does not constitute "Stolen Financial Credentials" oh lord
— Laurie Voss (@seldo) 11 March 2019
My first reaction was something akin to "How the hell do you do this by mistake?". Surely publishing a package to npm has just enough friction that you don't publish private IP to a public registry.
You also have to keep in mind that npm has supported private packages since 2014, and already offers a full enterprise solution, npm Enterprise.