npm package with 1.4M weekly downloads ditches npmjs.com for own CDN
2022-05-06 09:06

In a surprising move, the popular open source project SheetJS, aka "Xlsx," has dropped support for the npm registry.

The project's maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub's abrupt decision-making, and ongoing 'legal matters' between SheetJS and npm.

On April 14th, the maintainer of SheetJS introduced a code change removing any npm dependencies used by the project.

These npm libraries, relied on by thousands of projects and companies, were tainted with malware in 2021 after attackers compromised the npm accounts of their maintainers.

"Due to ongoing legal matters between SheetJS LLC and npm, Inc., it did not make sense to continue using the public npm registry for distribution," states the SheetJS developer.

"Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a mention in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet," commented Clay Levering, director of product engineering at Blu Digital Group.


News URL

https://www.bleepingcomputer.com/news/software/npm-package-with-14m-weekly-downloads-ditches-npmjscom-for-own-cdn/