In a surprising move, the popular open source project SheetJS, also known as “xlsx”, has stopped publishing to the npm registry.
Downloaded around 1.4 million times per week on npm, SheetJS is trusted by NodeJS developers to create and analyze Excel spreadsheets using only JavaScript.
The project maintainer suggests that the decision to deregister npm is based on recently introduced two-factor requirements for major projects, GitHub’s abrupt decision-making, and ongoing “legal issues” between SheetJS and npm.
SheetJS moves away from the npm registry
On April 14, the SheetJS maintainer introduced a code change that removed the npm dependencies used by the project.
All URL references to npm domains within the SheetJS source code have also been updated to use the SheetJS CDN, as seen by BleepingComputer.
Future versions of SheetJS are expected to be published on their CDN, cdn.sheetjs.com, instead of the npmjs registry.
SheetJS (also known as xlsx) is listed in the “Top 500 Packages” based on the number of components that depend on this library.
Note that the ‘sheetjs’ npm package is a mere placeholder reserved for SheetJS, while the official SheetJS npm library lives in ‘xlsx’.
From 2FA requirement to pending ‘legal issues’
This move by SheetJS has completely confused developers who opened a discussion thread on the project’s GitHub repository, questioning why.
The developer behind SheetJS cites a number of reasons for leaving npm, including the registry’s decision to require maintainers of major open source projects to use two-factor authentication.
GitHub’s initiative to enforce multi-factor authentication (MFA) came on the heels of last year’s hijacking incidents involving famous npm packages like ua-parser-js, coa, and rc.
These npm libraries, trusted by thousands of projects and businesses, were contaminated with malware in 2021 after attackers compromised the npm accounts of their maintainers.
As such, the GitHub-owned npm registry announced earlier this year that developers of the top 100 npm packages will be required to set up two-factor authentication to increase the security of their projects, with similar rules introduced for projects that meet other criteria. SheetJS apparently meets those criteria and must configure MFA, which left the maintainer unhappy.
Another reason cited by SheetJS is its pending “legal issues” with npm.
“Due to ongoing legal issues between SheetJS LLC and npm, Inc. (which will not be discussed here), there was no point in continuing to use npm’s public registry for distribution,” states the SheetJS developer.
Lastly, SheetJS vaguely states that GitHub’s decision to shut down its git.io URL redirection service with just four days’ notice had echoes of “the ephemerality of the Internet and the inherent risks of trusting platforms.”
All these reasons have caused a lot of confusion among developers, who are now speculating about what the real reason for abandoning npm could be.
“List of the top 500 NPM packages, 1.26 million downloads per week, over 3,000 dependent packages, and not even a mention in the README about the fact that continued development of this package will no longer exist on the platform. Largest JS library on the planet (after 8 years),” said Clay Levering, director of product engineering at Blu Digital Group.
Some called SheetJS’s reasons “strange”, while others argued that open source maintainers are free to do what they want with their creations, though there could be caveats.
“OSS project maintainers don’t owe people anything, of course, but all I can say is that you shouldn’t be surprised when people (including your paying customers) see all this and decide to fork the project or switch to a competing library not maintained by someone who makes decisions like this,” wrote the developer Lynn Romich in the same thread.
“Because npm is statistically much more likely to exist 5 years from now than your personal CDN,” Romich continued.
A Reddit user surmises that SheetJS’s ‘bold decision’ may have to do with nothing more than pending litigation between the two parties.
“I guess they don’t want to spend a dime of their developer’s time to help a company (npm) they have a lawsuit with,” the user writes.
Reddit users were also polarized over whether mandatory two-factor authentication imposes additional hurdles on developers and whether, at the end of the day, the trade-off between security and convenience is justified.
BleepingComputer reached out to GitHub (npm) and SheetJS to better understand what the legal issues entail. At this time, we have not found any public litigation documents. This post will be updated once we have more information.