PSA: You have 28 days to respond to NPM package takeovers, or you'll lose them
Learned the hard way. I got an email from a person trying to take over one of my NPM packages on November 16th. I didn't see the email until today (I don't check email very often), and NPM had already transferred the package to the third party on December 15th without my consent.
Turns out, it's laid out in the NPM policy. You have exactly 4 weeks to respond to a takeover request, or you lose the package: https://www.npmjs.com/policies/disputes
Now I've set up a canned response in Gmail to automatically respond to NPM support if they try to do it again. Maybe that will help. Makes me very nervous about my other packages though.
Seems like a pretty good attack vector for hackers.
6 comments
[ 2.8 ms ] story [ 26.8 ms ] threadThat means, now I have to divert time to maintaining my own fork.
The funny thing is I'm the person doing the heavy lifting. I make the fixes, write the tests, make sure CI passes and older versions don't break, even update the change log. Everything to assure stuff is in order. All they have to do is accept the pull request and publish the package.
In my specific situation though, I was able to merge the PR to master. But had no PyPI access to publish the package.