23 August 2018 satire code

Very Fascinating NPM Packages

Recently, I was browsing through NPM (what?) when I came across some really interesting and fascinating packages. Of course, I left the most interesting one to the last 😬.

is-positive

This was the package that initiated my deep dive into the depths of NPM’s 683162 packages (it’s probably more by the time I post this).

As it turns out, this package does indeed return whether the argument is positive.

const isPositive = require("is-positive");

isPositive(1);
//=> true

And that’s all it does. I pondered the possible use-cases of this package, because apparently there are many.

[Screenshot: is-positive weekly downloads]

I discovered another hidden gem when looking through the Dependents section that NPM provides (there were 4 of them).

is-not-positive

This package simply does the exact opposite of what is-positive does. Its description is incredibly apt.

[Screenshot: is-not-positive description]

is-negative

This being JavaScript, being non-positive doesn’t mean being negative (0 and NaN are neither, and so is anything that isn’t a number), so a new package had to be created to check for negativity.

This package’s negativity was even apparent in its weekly downloads, which are considerably fewer than those of its more radiant counterpart.

[Screenshot: is-negative weekly downloads]

true

This is where the true fun begins. I stumbled across this quite by accident after entering a few other search queries like “is-wrong” and “woah”. It turns out that this is actually a port of the Unix utility true.

As with all Unix utilities, its usage was quite easy to grasp.

var t = require("true"); // the npm package, not a local file
var myTrueValue = t();

console.log(myTrueValue === true); // Logs 'true'

However, I felt that this package looked a bit shadier than the rest due to its use of var. Thus, I decided to take a look at some of the open issues on its GitHub. You won’t believe what happened next.

[Screenshot: true critical issue]

I felt betrayed.

As it turns out, there was a critical vulnerability in the code, discovered by Patrick Steele-Idem, who spent hours tracking the problem down.

It turned out that another library loaded in the same process contained the following code, which overwrote the cached exports of true so that every later require("true") returned false.

// Somewhere in a completely unrelated dependency:
// any module in the process can reach into require.cache and swap
// another module's exports. Nothing in Node.js prevents this.
require.cache[require.resolve("true")].exports = function() {
  return false;
};

Luckily, he came up with a very quick fix that solved this issue. (Well, mostly: the loop only notices a bad cache entry on its next tick, so any call made in the meantime still gets false, the other library is free to overwrite the entry again, and a module has no way of protecting its own cache entry from other code in the same process. There is no isolation between dependencies; whatever you install runs with the same authority as your own code.)

// Poll the cache every 10ms and put the right answer back.
setInterval(function() {
  if (require("true")() !== true) {
    // Fix it! (using exactly the same trick the attacker used)
    require.cache[require.resolve("true")].exports = function() {
      return true;
    };
  }
}, 10);

Conclusion

Overall, (re)discovering all these wonderful packages has been a very rewarding experience for me. I will probably never do this again.