Eugene Rojavski

Posted on • Originally published at checkmarx.com

NPM command confusion

Intro

Managing dependencies in JavaScript projects can quickly become a complex undertaking. Tasks include keeping track of versions, ensuring compatibility, and handling updates. npm provides a robust solution to these problems, through a centralized system for managing project dependencies. Primarily accessed through its command-line interface (CLI), npm enables developers to seamlessly install, manage, and share code dependencies.

The story

About a decade ago, the npm CLI added aliases for its commands to cut down the typing needed for the most heavily used ones. For example, “npm install” was shortened to “npm i”. The feature kept growing, adding further permutations and catching common typos: “add-user” for npm adduser, “instal” or “insta” for npm install.

When yet another alias – “npm add” for npm install – was added, everyone overlooked the potential confusion with the existing “npm adduser” command (which already had the alias “add-user”).

When carefully reading “npm adduser” and “npm add user”, we can clearly see the difference, but when we swiftly type it, the chance of hitting a whitespace is extremely high.

In the PR that added this new alias to the documentation, the user ahasall pointed out this issue, but their warning went unnoticed.

Image: the PR that added the “add” alias

The issue

NPM has two commands that look almost identical but do completely different things: “npm add user” and “npm adduser”.

Image: npm adduser

The “npm add example-package” command is an alias of “npm install” and simply installs the example-package package, while “npm adduser” creates a new user in the specified registry.

When you set up the npm CLI, you need to type “npm adduser” to log into the registry. What is the chance of typing “npm add user” instead of “npm adduser”? Apparently, it’s very high. According to npm-stat.com, downloads of the “user” package have risen dramatically, reaching nearly 12 million in total.

Image: download statistics for the “user” package

Judging by the statistics, many developers have made this typo and inadvertently installed the package. npm reports that there are 2760 dependent packages, at least 20 of which were added in December 2024.

Image: dependent packages of the “user” package

Currently the package itself is benign and is simply a hello-world app. However, a future version could contain malicious code, and anyone who makes this typing error would then install it unknowingly.

Therefore, while whoever has the current benign version in their package.json is safe, those who upgrade or install it for the first time could be exposed to malware.
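The two defensive checks that follow are an added example, not code from the original post or from npm: a pre-flight function that spots a stray space splitting an npm command into an install alias plus a package name (“add user” → adduser), and an audit that scans a package.json for dependencies whose name, prefixed by an install alias, spells a real npm command. The command and alias lists are a snapshot of the npm CLI’s documented commands and aliases as of writing, not taken from the post, and may lag behind newer npm releases; the sample package.json is constructed for the demo.

```javascript
// Added example (not part of the original post): pre-flight check for the
// "npm add user" vs "npm adduser" confusion, plus a package.json audit.
// NPM_COMMANDS and the alias lists are a snapshot of npm's documented
// commands/aliases (an assumption about the installed npm version).

const NPM_COMMANDS = new Set([
  "access", "adduser", "audit", "bugs", "cache", "ci", "completion",
  "config", "dedupe", "deprecate", "diff", "dist-tag", "docs", "doctor",
  "edit", "exec", "explain", "explore", "find-dupes", "fund", "help",
  "init", "install", "install-ci-test", "install-test", "link", "login",
  "logout", "ls", "outdated", "owner", "pack", "ping", "pkg", "prefix",
  "profile", "prune", "publish", "query", "rebuild", "repo", "restart",
  "root", "run-script", "search", "shrinkwrap", "star", "stars", "start",
  "stop", "team", "test", "token", "uninstall", "unpublish", "unstar",
  "update", "version", "view", "whoami",
]);

// Aliases that install or remove a package: a stray space after one of
// these turns the next word into a package name.
const INSTALL_ALIASES = ["add", "i", "in", "ins", "inst", "insta", "instal",
  "install", "isnt", "isnta", "isntal", "isntall"];
const UNINSTALL_ALIASES = ["un", "uninstall", "unlink", "remove", "rm", "r"];

// Given the arguments that follow `npm`, report a likely split command:
// the first token is an install/uninstall alias and the first two tokens
// joined spell a real npm command, e.g. ["add", "user"] -> "adduser".
// Returns null when the invocation looks intentional.
function detectCommandSplit(args) {
  if (args.length < 2) return null;
  const first = String(args[0]).toLowerCase();
  const second = String(args[1]).toLowerCase();
  const joined = first + second;
  let action = null;
  if (INSTALL_ALIASES.includes(first)) action = "install";
  else if (UNINSTALL_ALIASES.includes(first)) action = "uninstall";
  if (action && NPM_COMMANDS.has(joined)) {
    return { intended: joined, action, packageName: second };
  }
  return null;
}

// Scan a parsed package.json for dependencies whose name, prefixed by an
// install alias, spells an npm command ("user" -> "adduser"). Such entries
// are candidates for an accidental install and deserve a manual look.
function auditDependencies(pkg) {
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const field of fields) {
    for (const name of Object.keys(pkg[field] || {})) {
      const alias = INSTALL_ALIASES.find((a) => NPM_COMMANDS.has(a + name));
      if (alias) findings.push({ field, name, looksLike: alias + name });
    }
  }
  return findings;
}

// Constructed sample package.json: "user" is the package the post describes;
// the other entries are ordinary dependencies and must not be flagged.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { express: "^4.19.0", user: "^1.0.0" },
  devDependencies: { eslint: "^9.0.0" },
};

console.log(detectCommandSplit(["add", "user"]));
// { intended: 'adduser', action: 'install', packageName: 'user' }
console.log(detectCommandSplit(["install", "express"])); // null
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
// [ { field: 'dependencies', name: 'user', looksLike: 'adduser' } ]
```

The split check generalizes beyond the post’s case: the same rule flags “npm un star” (uninstalls a package called star instead of running npm unstar), so it can sit in a shell wrapper around npm and ask for confirmation before any install or uninstall goes ahead. The audit is the after-the-fact counterpart for repositories where the typo may already have landed in package.json.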

Conclusion

Tool designers must carefully consider all existing commands to prevent any potential confusion between them.

The package remains a ticking bomb for the thousands of developers who inadvertently installed it.

The issue has been reported to npm; the post will be updated with the response.
