ON 17 February 2026, StepSecurity AI Package Analyst flagged a sudden flood of version releases across npm’s @types packages, including @types/mapbox__point-geometry and @types/tar. The incident centred on a single automated GitHub workflow, microsoft/DefinitelyTyped-tools → publish-packages[.]yml, which runs every 30 minutes to publish deprecated versions for packages no longer needed because their sources include their own types.
The root cause was a broken loop guard: the code passed undefined instead of the publish label “latest”, so a new version was published on every run, producing 70+ identical releases with no code changes. The fix was a one-liner and was merged via PR #1255 after issue #1254 was opened in the DefinitelyTyped-tools repository, with maintainer jakebailey quickly diagnosing the problem.
This episode underscores how a subtle bug in an automated publishing pipeline can affect packages with millions of weekly downloads across the TypeScript ecosystem, and how proactive monitoring surfaced the issue before it could be exploited or erode trust. According to DefinitelyTyped-tools, the notNeededPackages[.]json file identifies packages that are no longer needed because their sources now bundle their own types.
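To make the guard failure and the monitoring signal concrete, here is an added example (not code from DefinitelyTyped-tools or StepSecurity). It models a hypothetical publish guard that is passed `undefined` instead of the `"latest"` tag, simulates the resulting scheduled runs against a constructed registry document, and runs a simple flood detector over the publish times and content hashes; the packument shape, integrity value and thresholds are all constructed for illustration.

```javascript
// Hypothetical guard: skip publishing when something already sits under `tag`.
// Passing `undefined` instead of "latest" makes the lookup miss on every run,
// so the guard never stops a publish.
function needsPublish(pkg, tag) {
  const current = tag === undefined ? undefined : pkg["dist-tags"][tag];
  return current === undefined;
}

// Simulate `runs` scheduled executions 30 minutes apart. Each run that passes
// the guard publishes a new patch version with identical content (same integrity).
function simulateRuns(runs, tag) {
  const pkg = { "dist-tags": {}, versions: {}, time: {} };
  const integrity = "sha512-CONSTRUCTED-IDENTICAL-CONTENT"; // constructed placeholder
  for (let i = 0; i < runs; i++) {
    if (!needsPublish(pkg, tag)) continue;
    const version = `1.0.${i}`;
    pkg.versions[version] = { integrity };
    pkg["dist-tags"].latest = version;
    // constructed timestamps: 17 Feb 2026, one run every 30 minutes
    pkg.time[version] = new Date(Date.UTC(2026, 1, 17, 0, 30 * i)).toISOString();
  }
  return pkg;
}

// Monitoring check: flag a package when more than `maxReleases` versions sharing
// the same integrity hash were published within `windowHours`. Returns the
// integrity hashes that tripped the threshold.
function detectReleaseFlood(pkg, windowHours, maxReleases) {
  const byIntegrity = new Map();
  for (const [version, { integrity }] of Object.entries(pkg.versions)) {
    const t = Date.parse(pkg.time[version]);
    byIntegrity.set(integrity, [...(byIntegrity.get(integrity) || []), t]);
  }
  const flagged = [];
  const windowMs = windowHours * 3_600_000;
  for (const [integrity, times] of byIntegrity) {
    times.sort((a, b) => a - b);
    // sliding window over sorted publish times
    for (let lo = 0, hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      if (hi - lo + 1 > maxReleases) { flagged.push(integrity); break; }
    }
  }
  return flagged;
}
```

With the correct tag the simulation publishes once and stops; with `undefined` it publishes on every run, and the detector flags the identical-content flood.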