@ashleygwilliams
Last active June 28, 2016 09:57

Hello!

You've published a series of packages that depend on all packages in the npm registry, probably using this program: https://github.com/Ell/npm-gen-all

We’re not entirely sure what your motivations are for creating this series of packages, but we have some concerns.

First, these packages violate npm's Terms of Use. Much like a squatter package, these have no individual functionality beyond depending on other packages. As a result, we intend to remove them from the registry this afternoon.

It seems that this series of packages might be a response to the events of last week and recent changes to our unpublish policy. A few community members are concerned that series of packages like the ones you’ve created will make unpublishing packages completely impossible after the 24 hour window. This is not the case. This series of packages does not constitute valid package dependents because it violates the npm terms of use. If your goal with this series of packages was to make unpublish impossible, know that it is not meeting its intended goal.

Last, it’s worth mentioning that these packages are not malware, but they are harmful. If an npm user tries to install one of them, it will fail, or — worse — they’ll succeed in filling up their hard drive with a lot of junk and spinning their CPU for a very long time.

We can't guarantee the safety or security of all packages in the registry, but when packages like yours are brought to our attention, we have a responsibility to act.

To summarize: please don’t create any more of these, and also don’t encourage anyone else to. We're going to remove them today, and we plan on publishing a short article that includes this letter, summarizing our actions here.

If you have any questions, please feel free to respond and ask. We really care about our community and want to work with you for the best outcome.

Thanks.

-- Isaac Z. Schlueter
isaacs@npmjs.com
