EDIT: Back online?!
NPM discussion: https://github.com/npm/cli/issues/8203
NPM incident: https://status.npmjs.org/incidents/hdtkrsqp134s
Cloudflare messaging: https://www.cloudflarestatus.com/incidents/gshczn1wxh74
GitHub issue: https://github.com/sindresorhus/camelcase/issues/114
Anyone experiencing npm outage that’s more than just the referenced camelcase package?
8 Comments
Recursing
Any path with the word "camel" seem to trigger this: https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456
Some discussion here https://github.com/npm/cli/issues/8203
Edit: this is resolved now https://status.npmjs.org/incidents/hdtkrsqp134s
tom_usher
Seems to be a change in Cloudflare's managed WAF ruleset – any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel – Remote Code Execution – CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.
That rule can be overridden if you're having this issue on your own site.
nwalters512
The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s
mplanchard
Glad you posted something, thought I was going nuts
klysm
This is what you get when you buy security as an add-on product
drusepth
Is this also why unpkg has been up and down all morning?
pvg
This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538
Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.
miyuru
Outsourcing WAF is a double-edged sword.
I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.
(NPM is owned by GitHub, and GitHub is owned by Microsoft)