Handle packages without publish time

Open bokub opened this issue 7 years ago • 2 comments

Trying to know if clutch is a squatter throws an error in recent-publish:5

A modified time is required.

Of course, because meta.time doesn't exist. I don't know how this happens, but it is possible, so squatter should handle it.

bokub, Aug 29 '18 06:08

Oh dear.

We could ignore bad data, but if we go down that rabbit hole, eventually the heuristic will become somewhat useless. I don't want to say, "No, we can't make any rules optional." But where do we draw the line? And what should the behavior be in this case?

We could improve the error message, or, if you really don't want it to error, I'm inclined to say we should assume such packages are squatters, since no legit package should be in this state. meta.time is a critical piece of information used by all kinds of npm infrastructure. It must be corrupted data on the registry, perhaps due to an npm publish from a buggy npm CLI version or when their backend was having trouble. If no one has bothered to fix it, then it leads me to believe that no one cares about that package, including the maintainer.

This is also consistent with the rest of the algorithm assuming packages are guilty until proven innocent, which is documented in the README. I explained the reasoning for that here:

I decided to do that because most of the signals available from npm tell us good things about a package. In other words, there is no dislike button on npm, and that leads to a sort of bias that squatter has to compensate for. The way I did it, if the answer is wrong, it will almost always be a false positive where squatter thinks a package is a squatter when humans would say it isn't. This seems good to me because my goal was to determine when a name is worth disputing if you want it. Authors are sometimes willing to give up legitimate non-squatter packages that have very few users, so my experience leads me to believe that it's better to return true when in doubt.

sholladay, Aug 29 '18 08:08

Rather than being corrupted records, is it possible that these modules pre-date the addition of the time field? clutch is from 2010, as is boxer:

$ npm-name boxer

Error

TypeError: A modified time is required.
    at recentPublish (npm-name-cli/node_modules/squatter/lib/recent-publish.js:5:15)
    at npm-name-cli/node_modules/squatter/index.js:45:16
    at npm-name-cli/node_modules/p-one/index.js:6:54
    at npm-name-cli/node_modules/p-map/index.js:46:16

Environment

  • squatter: 0.2.0
  • npm-name-cli: 2.6.1
  • node: v12.13.0
  • npm: 6.12.0
  • OS: Linux (Arch)

chocolateboy, Nov 05 '19 16:11
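
The fail-closed handling discussed in this thread, as an added example that is not part of the thread or squatter's own code: a missing or malformed `meta.time` yields "not recent" with a reason instead of throwing. The function name `recentPublishSignal`, the reason strings, the 30-day threshold and the sample documents are all assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not squatter's own code.
const DAY_MS = 24 * 60 * 60 * 1000;

// Evaluate the "recently published" signal on a registry metadata document.
// recent: true counts in the package's favour. Every missing or malformed
// timestamp returns recent: false with a reason (guilty until proven
// innocent) instead of throwing a TypeError.
// maxAgeDays = 30 is an assumed threshold, not taken from squatter.
function recentPublishSignal(meta, now = Date.now(), maxAgeDays = 30) {
    const time = meta && typeof meta === 'object' ? meta.time : undefined;
    if (!time || typeof time !== 'object') {
        return { recent: false, reason: 'missing-time' };
    }
    if (typeof time.modified !== 'string') {
        return { recent: false, reason: 'missing-modified' };
    }
    const modified = Date.parse(time.modified);
    if (Number.isNaN(modified)) {
        return { recent: false, reason: 'invalid-modified' };
    }
    if (modified > now) {
        // A timestamp from the future is bad data, not proof of activity.
        return { recent: false, reason: 'future-modified' };
    }
    const recent = now - modified <= maxAgeDays * DAY_MS;
    return { recent, reason: recent ? 'recent' : 'stale' };
}

// Constructed sample documents (not real registry responses).
const NOW = Date.parse('2018-08-29T00:00:00.000Z');
const samples = {
    noTime: { name: 'example-no-time' },
    badTime: { name: 'example-bad-time', time: { modified: 'not-a-date' } },
    stale: { name: 'example-stale', time: { modified: '2010-11-01T00:00:00.000Z' } },
    fresh: { name: 'example-fresh', time: { modified: '2018-08-20T00:00:00.000Z' } }
};

for (const [label, meta] of Object.entries(samples)) {
    const { recent, reason } = recentPublishSignal(meta, NOW);
    console.log(`${label}: recent=${recent} (${reason})`);
}
```

Returning a reason alongside the boolean lets a caller report why a package was flagged, which keeps old records without a time field distinguishable from genuinely stale ones.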