Increased load due to badges on cnpmjs.org #141
TAONPM now using packagephobia badge on package page
Well that is really cool 😄 But it seems like the second one is not a package in npm 🤔
That's nice 👍 While some packages look like scams:
I've raised an issue at https://github.com/cnpm/registry.cnpmjs.org/issues/10
Thanks for creating the issue! I hope the authors will get in contact because they have increased my data storage by 10x (went from 5,000 keys to 50,000 keys in a week). Maybe @fengmk2 (the author of cnpm) can comment here 😄
@styfle Are those requests from normal badge or broken badge?
Someone familiar with cnpm team told me that (packages missing on npm) might be the cache of cnpm. The original package is deleted on npm, but cnpm hasn't pruned the cache for them. In this case, I think the bad requests should only consume a small part of traffic 🤔
cnpm has disabled syncing unpublished packages from npmjs.org. So the non-existent packages still exist on cnpmjs.org. 😢
@styfle should I remove the install badge from https://npm.taobao.org/?
@amio The chart I posted is showing the redis data storage so it's for packages that exist. I'm not sure if zeit now has a good way to count logs but I can see that the redis cache hit ratio dropped from 60% to 40% so that's likely from all of the removed packages.
@fengmk2 I wasn't aware that you were going to add the badge to the website. It would have been nice to know ahead of time. That being said, my long term goal was to get this data added on the true npmjs.com website so this is a great start. I'm a bit concerned about how much I'll pay out of my own pocket for data storage, especially since there are several feature requests (#87 and #124) which would track even more data points. Can you change the badge logic on cnpm so it only displays if the package has more than 1000 downloads per month? (This could greatly reduce the load on my servers and also prevent the fake packages from even hitting the server at all)
@styfle Sure!
@fengmk2 I'm still seeing fake npm packages such as the following:
How can these packages be getting more than 1000 downloads per month if they do not exist? Can you avoid making the HTTP request to packagephobia if the npm package doesn't exist?
@fengmk2 We might need a better strategy for cleaning up deleted packages on cnpm.
I have hidden the badge if downloads < 1000 now https://cnpmjs.org/package/hack-cats-crash-arena-turbo-stars-cheat-coins-unlimited-2018
@fengmk2 Thanks! I checked the logs for the last hour and I still see many more non-existent package requests.
Why are these still coming through? Can you remove? |
Removed now.
I am still seeing hits from
Here's some more..
@fengmk2 Maybe these malware packages have over 1000 downloads. Can you change it to only hide the badge if total downloads < 50000?
@fengmk2 Can you update
Today I noticed some slowness and some intermittent connection issues.
I thought maybe zeit was down but it turns out, the server load has increased quite a bit.
A lot of that is coming from Chinese mirrors.
npm.taobao.org
cnpmjs.org
But these packages don't look real.
strange logs
So should I attempt to block these based on referrer or maybe add an API key so I know where traffic is coming from?