The Problem
When I visit a user profile I expect to see a list of the packages that npm user is a maintainer of.
However, when using the (default) Algolia search provider the profile page lists any package whose git repository is owned by a github/gitlab/bitbucket user or org with that same name.
It is not actually showing packages for which said npm user is a maintainer!
That's the root cause of #1882, #1888, and the source of confusion in #2057.
Here is a PoC showing a spoofed package on @patak-cat's npm user profile; it's trivial to spoof packages and get them onto a user's profile page (sorry @patak-cat!)
This also results in anemic download stats on user profile pages.
- ~jdalton with 11k weekly downloads (should be ~1 billion/week)
- my boy ~ulisesgascon w/ 794 weekly downloads (should be ~3 billion/week)
- me, ~jonchurch, with 286 weekly downloads (should be 150 million/week)
The Cause
The user profile page uses Algolia npm-search to filter to owner.name:username. Algolia's owner.name field is documented in their indexer as being the "GitHub owner or npm owner".
The indexer's getOwner checks repository.user before anything npm related:
// getOwner in the npm-search indexer (excerpt as quoted in this issue; elided fields kept as "...")
if (repository?.user) {
  // a repository host user wins over any npm identity
  if (repository.host === 'github.com') return { name: repository.user, ... }
  if (repository.host === 'gitlab.com') return { name: repository.user, ... }
  if (repository.host === 'bitbucket.org') return { name: repository.user, ... }
}
// npm identities are only consulted when there is no repository user
if (lastPublisher) return lastPublisher
return author || null
When you see correct data on a user's profile page, it's either because they happen to have a repo field w/ the same github username as their npm username, or there is no repo field AND said user was the last person to publish the package.
The caller's comment states the intent explicitly:
// always favor the repository owner.
The Fix
There are two different approaches IMO
option 1: code reuse
Ironically, the org page works as I'd expect the user page to. It pulls its information from npm and doesn't have the above "bug".
So the first fix would be to just reuse the org logic, which fetches from npm first and then enriches w/ algolia metadata.
Opened PR #2505 to do so.
That's the one we can land today to at least fix the problem of user pages sourcing their package list from a non-npm identity.
option 2: fix upstream
I live for one-line fixes though, and we have two we can pursue here for perhaps the "correct" fix if the intent from npmx is to use Algolia over the npm API for this. That requires fixing upstream, then tweaking the query used in this codebase.
Idk how likely a fix is to land (can someone cc whatever contact y'all have on the npm-search index?) but we could have owners.name be facetable so we can filter on it.
I'll let Algolia folks tell me if that would be expensive in query time and/or dollars for their index (likely need to reindex too? idk how Algolia works). But the PR to do that is here: algolia/npm-search#1357
If that's upstreamed, it's another one-line change to the filter on the user profile page that would fix things:
-filters: `owner.name:${username}`
+filters: `owners.name:${username}`
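Review bot: this filter change is only valid once owners.name is facetable in the npm-search index, which is the upstream change in algolia/npm-search#1357 that the text says has not landed yet; sequence the npmx change behind that deployment (or keep the `owner.name:${username}` filter as a fallback until the attribute is available) so user profile pages keep working in the interim.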
here and here in useAlgoliaSearch.ts
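To make the cause and option 2 concrete, here is an added example (not code from npmx or algolia/npm-search) that re-implements the getOwner precedence quoted above over a constructed two-package index and compares what today's owner.name filter and the proposed owners.name filter would each list on a profile. It assumes owners is the indexer's array of npm maintainer records with a name field; the package and user names are constructed.

```javascript
// Added example: a minimal model of the indexer's getOwner precedence and of
// the two profile filters discussed in this issue. Not the project's code.

const REPO_HOSTS = ['github.com', 'gitlab.com', 'bitbucket.org'];

// Same precedence as the indexer excerpt: repository user first, npm identities after.
function getOwner({ repository, lastPublisher, author }) {
  if (repository && repository.user && REPO_HOSTS.includes(repository.host)) {
    return { name: repository.user };
  }
  if (lastPublisher) return lastPublisher;
  return author || null;
}

// Constructed sample index. "constructed-pkg-a" is maintained and published by
// npm user "publisher-a", but its package.json "repository" names a GitHub
// account "someone-else". "constructed-pkg-b" has no repository field.
const INDEX = [
  {
    name: 'constructed-pkg-a',
    repository: { host: 'github.com', user: 'someone-else', project: 'x' },
    lastPublisher: { name: 'publisher-a' },
    author: { name: 'publisher-a' },
    owners: [{ name: 'publisher-a' }], // assumed shape of the npm maintainer list
  },
  {
    name: 'constructed-pkg-b',
    repository: null,
    lastPublisher: { name: 'publisher-a' },
    author: { name: 'publisher-a' },
    owners: [{ name: 'publisher-a' }, { name: 'co-maintainer' }],
  },
];

// Today's profile query, `owner.name:${username}`, evaluated against the derived owner:
// pkg-a is attributed to the repository account, not to its npm maintainer.
function profileByOwnerName(index, username) {
  return index
    .filter((pkg) => { const o = getOwner(pkg); return o !== null && o.name === username; })
    .map((pkg) => pkg.name);
}

// Option 2's query, `owners.name:${username}`, evaluated against npm maintainers:
// the repository field no longer influences whose profile a package lands on.
function profileByOwnersName(index, username) {
  return index
    .filter((pkg) => (pkg.owners || []).some((o) => o.name === username))
    .map((pkg) => pkg.name);
}
```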