@ryannhg packages renamed to @ryan-haskell

Hey folks!

I changed my username from @ryannhg to @ryan-haskell, so I wanted to make a tiny post on Discourse for any folks using my Elm packages. Sorry for any inconvenience!

If you encounter any errors about “corrupt packages”, here’s what you can do:

  1. Remove the “ryannhg” package dependency from your elm.json
  2. Replace it with the corresponding “ryan-haskell” package below

Old Package                  New Package
ryannhg/date-format@2.3.0    ryan-haskell/date-format@1.0.0
ryannhg/elm-spa@6.0.4        ryan-haskell/elm-spa@1.0.0
ryannhg/graphql@2.1.0        ryan-haskell/graphql@1.0.0

The APIs are identical, so you should be all set!

Thanks for reading!
Ryan


Thanks for letting us know @RyanNHG, our project is using this dependency and I was confused about why the Corrupted package issue was being thrown. Can you please also put a note on the original package? It’s the first place I looked. :pray:


To my understanding, I cannot update the @ryannhg packages after changing my username; this is something I wish I had thought of before changing my username.

For anyone wondering if they are the maintainer of a package that needs to update this dependency (or depends on one of those packages), you can see all the packages with ryannhg/* direct dependencies at https://segakcap.com/search?q=ryannhg. Very handy tool.


Thanks @dillonkearns, I think terezka/elm-charts is a really important dependency affected by this (we use it, so currently CI will still fail). @RyanNHG do you know if these package maintainers are aware of this change?


I’ve published a fork of terezka/elm-charts (at version 3.0.0) to unblock anyone that needs it quickly.

https://package.elm-lang.org/packages/mthiems/elm-charts-3/latest/

Note: This mthiems/elm-charts-3 version should be the correct one, corresponding to version 3.0.0 of terezka’s package. The previous one I mentioned here (mthiems/elm-charts), which was incorrect, is gone from GitHub so that no one accidentally uses it. I apologize for my initial mistake.

I also had to fork terezka/intervals to remove the unnecessary dependency on ryannhg/date-format. That is published as mthiems/intervals.

I would suggest that instead of changing username, you create another account with the new name and leave the old one be? However, maybe GitHub is not so friendly to this approach; for one thing, 2-factor is now required on GitHub, so you would still have to keep a valid email address and 2-factor credentials for the old account.

Thanks for the heads up anyway. :slightly_smiling_face:

Publishing elm-charts with the change in a few minutes :blush:


Both elm-charts and intervals are updated. Thanks!

https://package.elm-lang.org/packages/terezka/elm-charts/latest
https://package.elm-lang.org/packages/terezka/intervals/latest/


I have published a forked version of gampleman/elm-visualization to remove the dependency on the affected package:

https://package.elm-lang.org/packages/szubtsovskiy/elm-visualization/latest/


Hm, I changed my GitHub username as well, but just published a last version with a note in the README and then published the package again under the new username.

Example: intl-proxy 2.0.1

This approach seems to work without breaking builds as far as I can tell.


For those with supply chain paranoia, here is an excerpt from the commit message for bumping the downstream packages in our app:

It is worth stopping to think about this kind of change as a possible maneuver for abusing an established package as a malware vector. Someone could impersonate Ryan on Discourse, either by making a fake account or by obtaining access to only his Discourse account. They could then post a misleading notice and get downstream packages/applications to switch to a package published by a completely unconnected GitHub account.

Quick sanity checks:

  • Discourse account is not fresh (2018, with well-known posts): Profile - RyanNHG - Elm

  • New GitHub repo is rename of existing repo (expected behavior)

    > curl --head https://github.com/ryannhg/elm-date-format
    HTTP/2 301
    server: GitHub.com
    date: Thu, 14 Mar 2024 10:28:35 GMT
    content-type: text/html; charset=utf-8
    vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    location: https://github.com/ryan-haskell/elm-date-format
    
  • If an attacker had obtained control over the GitHub account, they’d be better off releasing a new package version instead of renaming

  • The package contains no effectful code

Seems OK.

Thanks Ryan for making the clarifying post and to package authors for the quick bumps!

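The two manual steps in this thread, swapping the ryannhg/* dependency for its ryan-haskell/* replacement and checking that the old GitHub repository really redirects to the new owner, can be scripted. The following is an added example written for this page; it is not code from Ryan, from the thread, or from any of the packages named here. It assumes the mapping from the table at the top of the thread (all new packages at 1.0.0), the two standard elm.json shapes (application with direct/indirect buckets, package with a flat map of version ranges), and a captured HEAD response modeled on the one quoted above; all sample inputs are constructed inline so it runs offline.

```python
"""Added example, not code from the thread or from any package it names.

(1) Rewrite elm.json dependencies from the renamed author to the new one using
    an explicit, reviewed mapping; fail loudly on any unmapped old package.
(2) Check that the old GitHub repo answers a `curl --head` with a 301 whose
    Location is the same repo name under the new owner, i.e. a real rename.
Sample inputs at the bottom are constructed for the demonstration.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

OLD_AUTHOR = "ryannhg"
NEW_AUTHOR = "ryan-haskell"

# Mapping from the thread's table; the new packages restart at 1.0.0.
RENAMES: Dict[str, str] = {
    "ryannhg/date-format": "1.0.0",
    "ryannhg/elm-spa": "1.0.0",
    "ryannhg/graphql": "1.0.0",
}


def _new_name(old: str) -> str:
    return NEW_AUTHOR + "/" + old.split("/", 1)[1]


def _constraint(version: str) -> str:
    """Package-style range over one major version, e.g. '1.0.0 <= v < 2.0.0'."""
    major = int(version.split(".")[0])
    return f"{version} <= v < {major + 1}.0.0"


def migrate_elm_json(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the rewritten elm.json text and the (old, new) replacements made."""
    doc = json.loads(text)
    is_app = doc.get("type") == "application"
    changes: List[Tuple[str, str]] = []

    def rewrite(bucket: Dict[str, str]) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for name, constraint in bucket.items():
            if name in RENAMES:
                new = _new_name(name)
                out[new] = RENAMES[name] if is_app else _constraint(RENAMES[name])
                changes.append((name, new))
            elif name.startswith(OLD_AUTHOR + "/"):
                # An unmapped old package would keep producing "corrupt package".
                raise ValueError(f"no replacement known for {name}")
            else:
                out[name] = constraint
        return out

    for key in ("dependencies", "test-dependencies"):
        if key in doc:
            doc[key] = ({k: rewrite(v) for k, v in doc[key].items()} if is_app
                        else rewrite(doc[key]))
    return json.dumps(doc, indent=4) + "\n", changes


def verify_rename(head_response: str, old_repo_url: str, new_owner: str) -> bool:
    """True only for a 301 to the same repo name under new_owner on github.com.
    A 200 (no redirect) or a redirect elsewhere means the new account is not a
    rename of the old one, and the notice deserves more scrutiny."""
    lines = head_response.strip().splitlines()
    status = lines[0].split()
    if len(status) < 2 or status[1] != "301":
        return False
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    target = urlsplit(headers.get("location", ""))
    old_repo = urlsplit(old_repo_url).path.strip("/").split("/")[1]
    parts = target.path.strip("/").split("/")
    return (target.scheme == "https" and target.hostname == "github.com"
            and len(parts) >= 2 and parts[0] == new_owner and parts[1] == old_repo)


# Constructed sample inputs (not real project files or a live capture).
APP_ELM_JSON = json.dumps({
    "type": "application", "source-directories": ["src"], "elm-version": "0.19.1",
    "dependencies": {"direct": {"elm/core": "1.0.5", "ryannhg/date-format": "2.3.0"},
                     "indirect": {"elm/json": "1.1.3"}},
    "test-dependencies": {"direct": {}, "indirect": {}},
})
PKG_ELM_JSON = json.dumps({
    "type": "package", "name": "example/some-lib", "version": "1.0.0",
    "elm-version": "0.19.0 <= v < 0.20.0",
    "dependencies": {"elm/core": "1.0.0 <= v < 2.0.0",
                     "ryannhg/graphql": "2.1.0 <= v < 3.0.0"},
    "test-dependencies": {},
})
# Shaped like the response quoted in the thread (HTTP/2, lowercase header names).
RENAME_HEAD = """HTTP/2 301
server: GitHub.com
date: Thu, 14 Mar 2024 10:28:35 GMT
content-type: text/html; charset=utf-8
location: https://github.com/ryan-haskell/elm-date-format
"""
# What an unrelated account would look like: the old URL no longer redirects.
NO_RENAME_HEAD = "HTTP/2 200\nserver: GitHub.com\ncontent-type: text/html; charset=utf-8\n"

if __name__ == "__main__":
    text, changes = migrate_elm_json(APP_ELM_JSON)
    print(changes)
    print(text)
    old_url = "https://github.com/ryannhg/elm-date-format"
    print(verify_rename(RENAME_HEAD, old_url, NEW_AUTHOR))
    print(verify_rename(NO_RENAME_HEAD, old_url, NEW_AUTHOR))
```

The redirect check only confirms that the old repository was renamed, which the thread's own argument treats as the strongest of its signals: a fresh account squatting the new name cannot make GitHub serve a 301 from the old URL. It says nothing about whether the account itself was taken over, so the mapping table is kept explicit rather than derived from the redirect.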

If it’s not too much to ask, could we get an update to line-charts as well? Would unblock our CI, but I’m taking this as an incentive for us to migrate to elm-charts regardless!


Hi! It’s updated now. :blush:

