Error 418 meme

Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package.

JavaScript developers from all over the world received the error, and not just in certain geographical regions.

Only users behind proxy servers were affected

The bug did not affect all users, but only those behind a proxy server. In spite of this, many developers were impacted because most large-scale development firms usually operate behind proxies that regulate and control internal network traffic.

The reason for the bug was that some proxy servers were appending a port value to requests destined for the NPM package registry, resulting in HTTP requests that looked like registry.npmjs.org:443, instead of registry.npmjs.org.

The additional port 443 value confused the NPM registry's servers, which then triggered the 418 error code.

The NPM team fixed the issue after seven hours during which developers were both alarmed and amused by the funny error code.

Good ol' Internet memes from 1998

The "Error 418 I'm a teapot" message is not a standard server error type. This all goes back to an April Fools' prank dating to 1998, when a group of developers jokingly proposed the Hyper Text Coffee Pot Control Protocol (HTCPCP) to the Internet Engineering Task Force (IETF), an organization that creates and manages Internet standards.

The RFC 2324 prank standard included many funny error codes, including "Error 418 I'm a teapot."

In the last two decades, the 1998 prank achieved meme status, and many development teams have implemented the "Error 418 I'm a teapot" message inside their applications as an inside joke, often using this error for bugs of unknown origins.

It's now quite apparent that the team behind the Node Package Manager (NPM) was also a fan of this meme.

UPDATE [June 1]: npm has sent over the following statement on the incident:

At peak, the 418 responses were 0.01% of traffic. npm has a great many users (over 10M), so given traffic over the time of the incident that works out to between 500 and 1000 actual users affected. Obviously, even one user bitten by a bug is more than we'd like, but relative to our scale it was not a major issue. The specific proxy configuration necessary to trigger the bug is relatively rare, so even among users behind proxies most people were not affected. Once we were alerted to the bug in our header parsing, the ops team quickly deployed the fix.

Image credits: Unknown. Image taken from Internet Archive and once displayed on the frontpage of the error418.net website.

Related Articles:

Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package

Firmware Vulnerabilities Disclosed in Supermicro Server Products

Remote Code Execution Vulnerability Disclosed in Windows JScript Component

Contractor Exposes Credentials for Universal Music Group's IT Infrastructure

Security Flaw Impacts Electron-Based Apps