npm install turboencabulator
• ~500 words • 2 minute read
Someone recently shared this story with me about an open-source developer corrupting their popular open-source NPM libraries:
The incident raises questions about the modern web ecosystem & development practices, the economics of open-source maintenance and whether or not you truly "own" the code you store on any of these platforms.
But writing more in-depth on these topics is a topic best left to more serious blogs.
After I read about it I wasted a little time looking up random NPM package names to see if they'd been claimed. Sometimes I peruse possibly names for future project. Other times I just look up funny words or ideas to see if they exist.
That last line of thought made me think about turboencabulators.
If you're not familiar, a turboencabulator is probably the longest-running jokes in modern engineering. It's description, from 1944, is inscrutable, jargon-laden nonsense for an impossible, non-existing machine. In other words: the perfect kind of thing to publish as an NPM package.
The thought of someone installing a turboencabulator as a dependency made me laugh, and seemed too perfect. I assumed someone out there must've had the same idea and done it years ago.
I looked it up, and much to my astonishment, it was available! I nabbed it quickly:
Success!
Now anyone can add the turboencabulator as a dependency to their project:
# Bash
npm install turboencabulator
# Yarn
yarn add turboencabulator
A strange turn: Within couple days, when all that existed in the project was a README file, I noticed the package had already been downloaded from NPM over 30 times (?!?)
What is that all about?
My theory: is that someone previously owned this package on NPM and other projects out there must have still had it listed as a dependency. I couldn't find any precise evidence of this yet, but it makes the most sense to me.
That's terrifying for an entirely different set of reasons than what the article I linked to at the beginning raises. I explained NPM package dependencies to someone not precisely in the tech industry the other day and realized just how bananas the whole thing is. I'm honestly astonished it isn't a bigger mess.
If the traffic persists for the next couple of weeks I might do more sleuthing and write a followup. It's only been a couple of days.
Lastly, as you may have noticed, there is actually code inside the turboencabulator. What does it actually... do?
It does exactly what it says in the description. I can't explain it any more clearly than that.
P.S. If you are the type to parse through the turboencabulator source and enjoyed deciphering it, you might enjoy contributing to another project of mine: 101 Hello Worlds.