Angular installation fails due to Stylus package removal

Getting errors when trying to install Angular today because of problems with the stylus package.

The stylus library is used by Vite, and Vite is part of Angular’s dependencies. Earlier today the stylus package got flagged as malicious and was pulled from npm completely.

It looks like this might be a false positive. The security alert mentioned a Chrome extension called stylus that comes pre-installed on some Lenovo Chromebooks. Also heard that one of the maintainers had their account compromised and pushed bad code to other projects, but stylus wasn’t affected.

The package version 0.64.0 that was available before removal seems clean based on the GitHub repository. One maintainer still has access and the code looks fine, but there’s no npm package available right now.

Has anyone else run into this issue with their builds failing? Would be good to discuss how we can prevent these kinds of dependency chain failures in the future, especially when packages get incorrectly flagged by automated systems.

Yeah, hit this same issue this morning. Builds randomly started failing - what a fun way to start the day. Stylus team’s already working with npm to get it back up since it was flagged by mistake. I’m using yarn with a cached version for now. Really makes you want backup registries though - can’t have prod deployments crashing because some bot screwed up.

Hit this same issue in our CI pipeline today. Builds randomly started failing with dependency errors. Really annoying how one hacked maintainer account can break everything downstream. We rolled back to npm shrinkwrap files from last week’s working build to fix it. The stylus removal feels like npm’s security scanner went overboard - the package wasn’t even compromised from what I’ve seen. This mess shows why you need dependency pinning and regular security audits. Probably time to look into Renovate or Dependabot so we catch this stuff before it hits prod.

Hit this same issue setting up a new project today. Perfect timing since we were supposed to start a fresh Angular build. I temporarily switched to an older Angular CLI version that doesn’t use the broken Vite version - not ideal long-term though. Checked the stylus GitHub and it looks legit - maintainer posted they’re working with npm support to get the package back up. Going forward, I’m thinking about locking packages and scanning dependencies before major updates. If you’re in a corporate environment, might be worth setting up private npm mirrors for critical dependencies so you don’t get burned by these sudden outages.
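An added example, not code from this thread or from the stylus or Angular projects, of the lockfile checks the replies above suggest (pinning by integrity hash, approved registries, a private mirror); the lockfile entries and the mirror host registry.example.internal are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 3 layout) so every dependency is
// pinned by an integrity hash and fetched from an approved registry, then repoint the lockfile at a
// private mirror without loosening those pins. All entries below are constructed;
// "registry.example.internal" is a hypothetical mirror, not a real host.
const APPROVED = ['https://registry.npmjs.org', 'https://registry.example.internal'];

// Minimal constructed lockfile in the v3 "packages" shape that npm writes.
const sampleLock = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vite: '5.0.0' } },
    'node_modules/vite': { version: '5.0.0', integrity: 'sha512-CONSTRUCTEDHASH1==',
      resolved: 'https://registry.npmjs.org/vite/-/vite-5.0.0.tgz' },
    // integrity deliberately absent: npm would trust whatever tarball the registry serves next
    'node_modules/stylus': { version: '0.64.0',
      resolved: 'https://registry.npmjs.org/stylus/-/stylus-0.64.0.tgz' },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTEDHASH2==',
      resolved: 'https://untrusted.example.org/left-pad/-/left-pad-1.3.0.tgz' },
  },
};

function registryOrigin(resolvedUrl) {
  try { return new URL(resolvedUrl).origin; } catch { return null; }
}

// Returns entries that are not fully pinned: no integrity hash, or fetched from an origin outside
// the approved list. No findings means the install is reproducible as long as any approved
// registry can still serve the pinned tarballs, even after the upstream copy is pulled.
function auditLockfile(lock, approved = APPROVED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.integrity) findings.push({ name, problem: 'missing-integrity' });
    if (!approved.includes(registryOrigin(entry.resolved))) {
      findings.push({ name, problem: 'unapproved-registry' });
    }
  }
  return findings;
}

// Repoints every resolved URL at a mirror while keeping the integrity hash, so the mirror
// must serve byte-identical tarballs or npm aborts the install with EINTEGRITY.
function repointToMirror(lock, mirrorOrigin) {
  const copy = JSON.parse(JSON.stringify(lock));
  for (const [path, entry] of Object.entries(copy.packages)) {
    if (path !== '' && entry.resolved) entry.resolved = mirrorOrigin + new URL(entry.resolved).pathname;
  }
  return copy;
}
```

Run the audit in CI before `npm ci`; a non-empty result is the signal that a registry outage or takedown can change what gets installed.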