An experiment in creating an NPM package that depends on every package in the registry

A JavaScript package developer experimented with creating and publishing to the NPM registry an “everything” package whose dependency tree covers every package in the registry. To achieve this, “everything” depends directly on five “@everything-registry/chunk-N” packages, which in turn depend on more than 3000 “sub-chunk-N” packages, each of which depends on 800 existing packages in the registry.

Publishing “everything” to NPM had two notable effects. First, the “everything” package became a de facto DoS tool: attempting to install it triggers the download of millions of packages hosted on NPM, exhausting the available disk space or halting build processes. According to NPM statistics, the package was downloaded about 250 times, but nothing prevents it from being added as a dependency of another package, for example after a developer's account is compromised, as an act of sabotage. In addition, some services and tools that monitor and check new packages published to NPM were unwittingly exposed to the attack.

Second, publishing “everything” effectively blocked the removal of any NPM package that appears in its dependency tree. An author can remove a package from NPM only if no other package lists it as a dependency, and after “everything” was published its dependencies covered every package in the registry. Notably, removing the “everything” package itself was blocked as well: nine years earlier a test package “everything-else” had been published that lists “everything” among its dependencies, so once published, “everything” was itself a dependency of another package.
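Both effects come down to walking a dependency graph in opposite directions: the install-time blow-up is the size of a package's transitive dependency closure, and the unpublish rule is a question of whether the package has any reverse dependents. The following is an added illustration, not code from the article, from the “everything” author or from NPM itself. It builds a constructed, in-memory registry with the same chunk / sub-chunk / leaf shape as described above (at a much smaller scale, with assumed names such as `bomb`, `chunk-N`, `sub-C-S`, `leaf-*` and `left-pad`), then shows a budget-limited closure walk a build pipeline could run before installing, and the “no dependents” check that blocks unpublishing.

```python
"""Transitive-dependency fan-out and unpublish-eligibility checks over a
constructed, in-memory model of an NPM-style registry (added example)."""
from collections import deque


def build_registry(chunks=2, subchunks=3, leaves=4):
    """Constructed registry: package name -> set of direct dependency names.

    Mirrors the shape from the article: one root fans out to a few chunk
    packages, each chunk to several sub-chunks, each sub-chunk to many leaf
    packages.  Every sub-chunk also depends on a shared "left-pad" leaf so
    the closure walk has to deduplicate.  All names are assumptions.
    """
    reg = {"bomb": {f"chunk-{c}" for c in range(chunks)}}
    for c in range(chunks):
        reg[f"chunk-{c}"] = {f"sub-{c}-{s}" for s in range(subchunks)}
        for s in range(subchunks):
            deps = {f"leaf-{c}-{s}-{n}" for n in range(leaves)} | {"left-pad"}
            reg[f"sub-{c}-{s}"] = deps
            for n in range(leaves):
                reg[f"leaf-{c}-{s}-{n}"] = set()
    reg["left-pad"] = set()
    reg["lonely"] = set()                 # nothing depends on it
    reg["everything-else"] = {"bomb"}     # old test package pointing at the root
    return reg


def transitive_dependencies(registry, root):
    """Every package reachable from `root` (excluding root itself).

    Uses a visited set so shared dependencies are counted once and cycles
    terminate; a name absent from the registry is treated as a leaf.
    """
    seen, queue = set(), deque([root])
    while queue:
        for dep in registry.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def check_install_budget(registry, root, max_packages):
    """Budget-limited closure walk a CI step could run before `npm install`.

    Stops as soon as more than `max_packages` distinct packages would be
    pulled in, so a dependency bomb is rejected without walking all of it.
    Returns (within_budget, packages_seen_so_far).
    """
    seen, queue = set(), deque([root])
    while queue:
        for dep in registry.get(queue.popleft(), ()):
            if dep in seen:
                continue
            seen.add(dep)
            if len(seen) > max_packages:
                return False, len(seen)
            queue.append(dep)
    return True, len(seen)


def dependents(registry, name):
    """Reverse edges: packages that list `name` as a direct dependency."""
    return {pkg for pkg, deps in registry.items() if name in deps}


def can_unpublish(registry, name):
    """NPM's rule as described in the article: removable only if no other
    package depends on it."""
    return not dependents(registry, name)


if __name__ == "__main__":
    reg = build_registry()
    print("closure of bomb:", len(transitive_dependencies(reg, "bomb")))
    print("bomb within budget of 10:", check_install_budget(reg, "bomb", 10))
    for pkg in ("bomb", "everything-else", "left-pad", "lonely"):
        print(f"can unpublish {pkg}: {can_unpublish(reg, pkg)}",
              sorted(dependents(reg, pkg)))
```

With the constructed registry, `bomb` resolves to 33 distinct packages (2 chunks, 6 sub-chunks, 24 unique leaves and the shared `left-pad` counted once), the budget check rejects it after seeing 11 packages, and `bomb` cannot be unpublished because `everything-else` depends on it, exactly the situation the article describes, while `everything-else` and `lonely` have no dependents and could be removed.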

Source: opennet.ru
