Recently, I was browsing through NPM (what?) when I came across some really interesting and fascinating packages. Of course, I left the most interesting one to the last 😬.

This was the package that initiated my deep dive into the depths of NPM's 683162 packages (it's probably more by the time I post this).

As it turns out, this package does indeed return whether the argument is positive.

    const isPositive = require('is-positive');
    isPositive(1);
    //=> true

And that's all it does. I pondered about the possible use-cases of this package, because apparently, there are many.

I discovered another hidden gem when looking through the Dependents section that NPM provides (there were 4 of them).

This package simply does the exact opposite of what is-positive does. Its description is incredibly apt.

This being JavaScript, being non-positive probably doesn't mean being negative, so a new package had to be created to check for negativity.

This package's negativity was even apparent through its weekly downloads, which are considerably less than its more radiant counterpart.

This is where the true fun begins. I stumbled across this quite by accident after entering a few other search queries like "is-wrong" and "woah". It turns out that this is actually a port of the Unix utility true.

As with all Unix utilities, its usage was quite easy to grasp.

    var t = require('./true');
    var myTrueValue = t();
    console.log(myTrueValue === true); // Logs 'true'

However, I felt that this package looked a bit shadier than the rest due to its use of var. Thus, I decided to take a look at some of the open issues on its GitHub. You won't believe what happened next.

I felt betrayed.

As it turns out, there was a critical vulnerability in the code, discovered by Patrick Steele-Idem, who spent hours tracing down the problem.

It turns out that another library had contained the following code, which caused true to return false.

    require.cache[require.resolve('true')].exports = function () {
      return false;
    };

Luckily, he came up with a very quick fix that solved this issue.

    setInterval(function () {
      if (require('true')() !== true) {
        // Fix it!
        require.cache[require.resolve('true')].exports = function () {
          return true;
        };
      }
    }, 10);

Conclusion

Overall, (re)discovering all these wonderful packages has been a very rewarding experience for me. I will probably never do this again.