
Increased load due to badges on cnpmjs.org

Open styfle opened this issue 7 years ago • 19 comments

Today I noticed some slowness and some intermittent connection issues.

I thought maybe zeit was down but it turns out, the server load has increased quite a bit.

A lot of that is coming from Chinese mirrors.

npm.taobao.org


cnpmjs.org


But these packages don't look real.

strange logs


So should I attempt to block these based on referrer or maybe add an API key so I know where traffic is coming from?

styfle avatar Sep 27 '18 14:09 styfle

TAONPM is now using the packagephobia badge on package pages: https://npm.taobao.org/package/koa-body https://npm.taobao.org/package/paypal-adder-online-2018

amio avatar Sep 27 '18 15:09 amio

Well that is really cool 😄

But it seems like the second one is not a package in npm 🤔

https://www.npmjs.com/package/paypal-adder-online-2018

styfle avatar Sep 27 '18 15:09 styfle

That's nice 👍

While some packages look like scams:

  • https://npm.taobao.org/package/paypal-adder-online-2018
  • https://npm.taobao.org/package/paypal-money-a-d-d-e-r-g-e-n-e-r-a-t-o-r-h-a-c-k

I've raised an issue at https://github.com/cnpm/registry.cnpmjs.org/issues/10

amio avatar Sep 27 '18 15:09 amio

Thanks for creating the issue!

I hope the authors will get in contact because they have increased my data storage by 10x (went from 5,000 keys to 50,000 keys in a week).


Maybe @fengmk2 (the author of cnpm) can comment here 😄

styfle avatar Sep 28 '18 17:09 styfle

@styfle Are those requests from normal badge or broken badge?

amio avatar Sep 29 '18 02:09 amio

Someone familiar with the cnpm team told me that (packages missing on npm) might be the cache of cnpm. The original package is deleted on npm, but cnpm hasn't pruned the cache for them.

In this case, I think the bad requests should only consume a small part of the traffic 🤔

amio avatar Sep 29 '18 02:09 amio

cnpm has disabled syncing of unpublished packages from npmjs.org. So the non-existent packages still exist on cnpmjs.org. 😢

fengmk2 avatar Sep 29 '18 09:09 fengmk2

@styfle should I remove the install badge from https://npm.taobao.org/?

fengmk2 avatar Sep 29 '18 09:09 fengmk2

@amio The chart I posted is showing the redis data storage so it’s for packages that exist. I’m not sure if zeit now has a good way to count logs but I can see that the redis cache hit ratio dropped from 60% to 40% so that’s likely from all of the removed packages.

styfle avatar Sep 29 '18 12:09 styfle

@fengmk2 I wasn’t aware that you were going to add the badge to the website. It would have been nice to know ahead of time.

That being said, my long term goal was to get this data added on the true npmjs.com website so this is a great start.

I’m a bit concerned about how much I’ll pay out of my own pocket for data storage, especially since there are several feature requests (#87 and #124) which would track even more data points.

Can you change the badge logic on cnpm so it only displays if the package has more than 1000 downloads per month? (This could greatly reduce the load on my servers and also prevent the fake packages from even hitting the server at all)

styfle avatar Sep 29 '18 12:09 styfle

@styfle Sure!

fengmk2 avatar Sep 29 '18 14:09 fengmk2

@fengmk2 I'm still seeing fake npm packages such as the following:

/badge?p=hack-cats-crash-arena-turbo-stars-cheat-coins-unlimited-2018@1.0.0
/badge?p=kaspersky-internet-security-premium-serial-number-key-keygen-license-generator-and-activator@1.0.0
/badge?p=parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator@1.0.5

How can these packages be getting more than 1000 downloads per month if they do not exist?

Can you avoid making the http request to package phobia if the npm package doesn't exist?

styfle avatar Oct 09 '18 13:10 styfle
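As an added example (not packagephobia's or cnpm's own code), a triage step for a badge endpoint shaped like `/badge?p=name@version`, modelled on the mitigations discussed above: validate the package spec, classify the referrer, and answer repeated requests for packages already known to be missing from npm without touching redis or the registry. The function names, the negative cache and its TTL are assumptions made for illustration.

```javascript
// Added example, not packagephobia's or cnpm's own code. All names and the
// negative-cache design are assumptions made for illustration.
const MIRROR_REFERRERS = ['npm.taobao.org', 'cnpmjs.org']; // mirrors named in the thread

// Parse the "name@version" badge parameter; scoped names (@scope/name@1.0.0) allowed.
function parseSpec(p) {
  if (typeof p !== 'string' || p.length === 0 || p.length > 214) return null;
  const at = p.lastIndexOf('@');
  const name = at > 0 ? p.slice(0, at) : p;
  const version = at > 0 ? p.slice(at + 1) : 'latest';
  // Approximate npm naming rules: lowercase, URL-safe, at most one scope.
  if (!/^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/.test(name)) return null;
  return { name, version };
}

function referrerHost(referer) {
  try { return new URL(referer).hostname; } catch (e) { return null; }
}

// Negative cache: package name -> expiry (ms). Lets repeated badge requests for a
// package already known to be missing from npm be answered without touching
// redis or the registry.
class MissingPackageCache {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.map = new Map(); }
  markMissing(name, now = Date.now()) { this.map.set(name, now + this.ttlMs); }
  isMissing(name, now = Date.now()) {
    const exp = this.map.get(name);
    if (exp === undefined) return false;
    if (exp <= now) { this.map.delete(name); return false; }
    return true;
  }
}

// Decide what to do with one badge request before any expensive work.
// action is 'reject' (malformed), 'skip' (known missing) or 'serve'.
function triageBadgeRequest(query, referer, cache, now = Date.now()) {
  const spec = parseSpec(query.p);
  if (!spec) return { action: 'reject', reason: 'invalid package spec' };
  if (cache.isMissing(spec.name, now)) {
    return { action: 'skip', reason: 'package known missing from npm', spec };
  }
  const host = referrerHost(referer);
  const fromMirror = host !== null &&
    MIRROR_REFERRERS.some(h => host === h || host.endsWith('.' + h));
  return { action: 'serve', reason: fromMirror ? 'mirror referrer' : 'direct', spec, fromMirror };
}
```

A real deployment would populate the negative cache from the registry's 404 responses and log per-referrer counts of skipped requests, which is the number this thread is trying to drive down.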

@fengmk2 We might need a better strategy for cleaning up deleted packages on cnpm.

amio avatar Oct 10 '18 06:10 amio

I have hidden the badge if downloads < 1000 now https://cnpmjs.org/package/hack-cats-crash-arena-turbo-stars-cheat-coins-unlimited-2018

fengmk2 avatar Oct 22 '18 07:10 fengmk2

@fengmk2 Thanks!

I checked the logs for the last hour and I still see many more non-existent package requests.

corel-draw-x7-activation-code-2018-crack-keygen
8-ball-pool-hack-no-verification-2018
need-for-speed-payback-cd-key-generator
how-to-recover-deleted-instagram-account
dream-league-soccer-2018-hack-cheat-coins
parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator
bitcoin-generator-hack-free
free-icloud-unlock-service
free-coins-for-house-of-fun-2018
freee-p-s-n-codes-no-human-verification
thepackageofmyldreams
react-native-timeline-list
design-home-cheat-diamond
sketchup-pro-2018-serial-number-2018-key-keygen-license-generator-and-activator
playerunknowns-battlegrounds-key-generator
localiser-un-telephone-portable-gratuitement
football-strike-hack-coins
wso-free-chips-no-verification-2018
private-instagram-profile-viewer-online-2018
@prichodko/react-scripts
snapchat-views-hack
tik-tik-tik-tamil-full-movie-waatch-online-download
paypal-hack-2018-no-survey
moviestarplanet-hack-vip-diamants-gratuit
gta-5-android-download-2018
rules-of-survival-2018-hack-99999

Why are these still coming through? Can you remove?

styfle avatar Oct 22 '18 13:10 styfle

Removed now.

fengmk2 avatar Oct 23 '18 16:10 fengmk2

I am still seeing hits from parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator. Are you sure you removed those?

Here are some more:

Package cleanmymac-3-serial-number-updated does not exist in npm
Package parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator does not exist in npm
Package idle-miner-tycoon-hack does not exist in npm
Package sweatcoin-coins-generator does not exist in npm
Package icloud-unlocker-online-2018 does not exist in npm
Package hack-zombie-gunship-survival-cheat-unlimited does not exist in npm
Package cuentas-netflix-gratis does not exist in npm
Package choices-stories-you-play-hack-cheat-diamonds does not exist in npm
Package private-instagram-viewer-no-survey does not exist in npm
Package 172 does not exist in npm
Package 290 does not exist in npm
Package design-home-cheats-hack-2018 does not exist in npm
Package kc-ng2-img-max does not exist in npm
Package the-sims-mobile-hack does not exist in npm
Package kaspersky-internet-security-premium-serial-number-key-keygen-license-generator-and-activator does not exist in npm
Package gta-vice-city-highly-compressed-2018 does not exist in npm
Package design-home-cheats-hack-2018 does not exist in npm
Package diggys-adventure-hack-cheats does not exist in npm
Package gta-vice-city-highly-compressed-2018 does not exist in npm
Package malik-montana-tijara-plyta-chomikuj does not exist in npm
Package aiseesoft-video-converter-ultimate-serial-number-key-keygen-license-activator-generator does not exist in npm
Package @rockit/just-another-logger does not exist in npm
Package angular-mat-time-picker does not exist in npm
Package hack-flip-master-cheats does not exist in npm
Package sweatcoin-coins-generator does not exist in npm
Package minecraft-account-generator-online-2018 does not exist in npm
Package free-robux-no-human-verification does not exist in npm
Package hackear-facebook-online-2018 does not exist in npm
Package free-robux-no-human-verification does not exist in npm
Package free-icloud-unlock-bypass does not exist in npm
Package free-robux-no-human-verification does not exist in npm
Package parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator does not exist in npm
Package ultimate-netflix-accounts-generator-free does not exist in npm
Package free-iphone-x-giveaway-contest-2018 does not exist in npm
Package hack-webkinz-codes does not exist in npm
Package leaked-snapchats-wiki-online-2018 does not exist in npm
Package toon-blast-hack-cheat-coins does not exist in npm
Package @casdl/seo does not exist in npm
Package lords-mobile-unlimited-gems-and-gold does not exist in npm
Package hack-fifa-mobile-soccer-cheat-unlimited-coins does not exist in npm
Package seekers-notes-hackz-2018-noverification does not exist in npm
Package windows-7-ultimate-highly-compressed-working does not exist in npm
Package microsoft-office-2007-highly-compressed-working does not exist in npm
Package sky-force-reloaded-hack does not exist in npm
Package parallels-desktop-13-2-0-serial-number-2018-key-keygen-license-generator-and-activator does not exist in npm
Package shadow-fight-3-hack-2018-no-verification does not exist in npm

styfle avatar Oct 23 '18 18:10 styfle

@fengmk2 Maybe these malware packages have over 1000 downloads.

Can you change it to only hide the badge if total downloads < 50000?

styfle avatar Oct 27 '18 00:10 styfle

@fengmk2 Can you update cnpmjs.org links from packagephobia.now.sh to packagephobia.com? Thanks!

styfle avatar Mar 07 '21 19:03 styfle