npm has "use-invariant" pointing to "use-http" — is this malicious? #350

Open
evanrs opened this issue Sep 3, 2021 · 2 comments

evanrs commented Sep 3, 2021

Issue

The package is intentionally misleading, having no overlap in its name or functionality with what is expected of use-invariant.

An invariant is defined as:

a function, quantity, or property which remains unchanged when a specified transformation is applied

It is commonly understood as a validity test against some assertion, with the most well-known example being Facebook's own invariant method — and of course its clone on npm, "invariant".

It would be fair for someone installing use-invariant to expect a tool that follows this nomenclature.

If this is not name squatting, then I believe it is malicious in that it performs work over the network when all convention would imply it's a React hook for assertions.

Resolution

Request npm remove the use-invariant package for misleading the community.

@ZebulanStanphill
Contributor

Pinging @alex-cory. This is still an issue: https://www.npmjs.com/package/use-invariant

It's particularly odd because the version of the package under that name is 2 years out of date.

@alex-cory
Collaborator

Not malicious by any means. I was creating a package for this at the time. I still might.
