Visual Studio Code 1.7 DDoS'ed NPM

Visual Studio Code is a lightweight code editor from Microsoft. It is a great tool for JavaScript development, and specifically for development with the TypeScript language, which is a Microsoft Open Source effort.

The core feature that TypeScript adds to JavaScript is type support. Type definitions are pre-written typing files for existing JavaScript libraries that can be downloaded from NPM. This enables distribution of strict typing information for JavaScript code that was originally loosely typed.

With the 1.7 release the VS Code team added a feature that automatically downloads type definitions from NPM, the de facto JavaScript package manager. The feature was popular enough to cause so much traffic to the NPM package registry that the team decided to roll back the release:

Unfortunately, we needed to roll back the 1.7 release of VS Code. One of the great new features in 1.7 is the automatic acquisition of typing files when writing JavaScript and TypeScript. These typings files drive the IntelliSense (code completions) experience in VS Code. The feature was so great that we started to overload the npmjs.org service. The right thing to do in the short term was to revert the release.

- Visual Studio Code 1.7 release announcement

This indicates that the feature is useful and causes a lot of traffic, and it verifies that TypeScript is not a niche technology by any means. The developer team at Microsoft also did the right thing in reverting the version with this feature. A very responsible action from a mature software company.

According to the NPM staff, working together with the Visual Studio Code team, the functionality in the editor ended up creating a lot of requests that resulted in 404 responses that were not cached:

CDNs don't usually cache 404s. VSCode was looking for @types packages for any and every npm package its users were using. Packages that had a type description caused no issue, but most packages don't, so we had a > 1000% spike in 404s. Our workaround before MS did the rollback was to cache 404s for @types packages specifically, and it was effective enough that the registry never really went down.

- Laurie Voss of NPM

Microsoft DDoS'ed Open Source community, that's cute...

...and would've made a great headline in the early 2000s. But it's beside the point. The automatic type definition download feature can surely be optimised to cause less traffic to NPM, so that the feature can return in the future. And the team is taking this with humor:

Putting "Led the design and implementation of an infrastructure to DDoS NPM" top and center in my self-assessment this year — Ryan Cavanaugh (@SeaRyanC) November 3, 2016

The darker undertone here is that the global JavaScript community is extremely vulnerable to disruptions in the availability of a few key services on the internet. The NPM command is run countless times every single day to initialize new JavaScript projects as well as to deploy existing ones. NPM being unavailable could potentially lead to significant losses for businesses.

That a single code editor release could bring the daily work of hundreds of thousands of developers to a halt is worrying. And this is not an isolated incident: earlier, in March 2016, there was havoc in the JavaScript/NPM scene due to the removal of the left-pad package. Both are examples of how contemporary development methods are actually rather fragile.

In neither case was there malicious intent, but if someone wanted to interfere, a large chunk of the global developer audience could be made unproductive by attacking a few key services like GitHub, NPM and Slack: all commercial entities that Open Source development is very dependent on.