[BUG] Can't install camelcase, decamelize and other camel-related packages (#camelgate)

[TheDevMinerTV]

STATUS:

✅ Cloudflare marked it as resolved:
This issue is now resolved. - 19:42 UTC

✅ NPM marked it as resolved:
This incident has been resolved. - 19:40 UTC

👀 NPM is monitoring the situation:
A fix has been implemented and we are monitoring the results. - 17:37 UTC

👀 Cloudflare disabled the rule and is monitoring the situation:
We have disabled the rule in question, and the rate of false positives is decreasing. We are monitoring. - 17:31 UTC

✅ Seems to be working again - 17:13:17 UTC

GET BACK TO WORK, NERDS!

✅ NPM fixed:
The issue has been identified and a fix is being implemented. - 17:11 UTC

🛠️ Cloudflare is fixing:
Identified - Cloudflare has identified an issue with the managed ruleset "Apache Camel - Remote Code Execution - CVE:CVE-2025-29891" which is potentially causing false positives. Customers can disable this rule by setting Action -> Log in the Cloudflare Dashboard. Other WAF rules are unaffected. We are currently working on a fix for this issue.

👀 NPM is investigating:
We are currently investigating reports of intermittent failures when viewing and installing packages scoped to certain keywords. - 16:40 UTC

👀 First failure in our CI - 15:49:08 UTC

Caused by https://developers.cloudflare.com/waf/change-log/2025-03-11-emergency/

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Affected packages

registry.npmjs.org/camelcase
registry.npmjs.org/camelcase-keys
registry.npmjs.org/decamelize
registry.npmjs.org/camel-case
registry.npmjs.org/lodash.camelcaseregistry.npmjs.org/camelcase-css

Current Behavior

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm WARN deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm ERR! A complete log of this run can be found in: /root/.npm/_logs/2025-04-01T15_55_18_127Z-debug-0.log

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm WARN deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm ERR! A complete log of this run can be found in: /root/.npm/_logs/2025-04-01T15_44_48_105Z-debug-0.log

Expected Behavior

Those downloads should work

Steps To Reproduce

1. npm i camelize decamelize

Environment

• npm: 10.5.0
• Node.js: v21.7.1
• OS Name: linux
• System Model Name: ??
• npm config:

; node bin location = /usr/local/bin/node
; node version = v21.7.1
; npm local prefix = /
; npm version = 10.5.0
; cwd = /
; HOME = /root
; Run `npm config ls -l` to show all defaults.

[mattkindy]

I'm getting this for a few different ones:

• https://registry.npmjs.org/camelcase
• https://registry.npmjs.org/camelcase-keys/-/camelcase-keys-6.2.2.tgz
• https://registry.npmjs.org/decamelize
• https://registry.npmjs.org/camel-case
• https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz
• https://registry.npmjs.org/camelcase-css

As a result, my CI pipeline is failing and I cannot build/deploy.

First failure was at ~10:55 AM CDT

I can occasionally get the following via my browser, which I think is likely related:

[Recursing]

We get the same error for any path with "camel", e.g. https://www.npmjs.com/search?q=camel | https://registry.npmjs.org/camel123 | https://registry.yarnpkg.com/camel456

Builds are failing for us as well.

Edit: this is fixed now, thank you all

[patternleaf]

Same here! Can't deploy a new build. Begun the camel wars have.

[maksym-boytsov]

I'm experiencing the same issue

[kstieverjc]

same

[Tirke]

Our builds are down because of that too

[k-walsh-gmg]

Same

[mchr3k]

Same

[wilkesreid]

did a hard refresh, and previously affected packages seem to be back up

[smithb1994]

Any search of "camel" on npm fails...

[shankars99]

i am NOT going to use the pythonic variant - bring back camels

[lehcosta]

Same

[M1113R]

Same, in my job we are with this error in build

 > [build 13/15] RUN npm install --legacy-peer-deps:
105.5 npm notice Run `npm install -g [email protected]` to update!
105.5 npm notice 
105.5 npm ERR! code E403
105.5 npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/camel-case/-/camel-case-4.1.2.tgz
105.5 npm ERR! 403 In most cases, you or one of your dependencies are requesting
105.5 npm ERR! 403 a package version that is forbidden by your security policy, or
105.5 npm ERR! 403 on a server you do not have access to.
105.5 
105.5 npm ERR! A complete log of this run can be found in:
105.5 npm ERR!     /root/.npm/_logs/2025-04-01T16_30_44_400Z-debug-0.log

[tomusher]

Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

Guess they've been a bit over-eager on the pattern matching on that one. If your own site is affected you can change the 'Action' on this rule to 'Log' to disable it.

[akhll]

do you have any ideas on how to fix this?

[jvkf]

Facing this issue on my end as well:

ERR_PNPM_FETCH_403  GET https://registry.npmjs.org/jss-plugin-camel-case/-/jss-plugin-camel-case-10.10.0.tgz: Forbidden - 403

[KyleAMathews]

@akhll someone at NPM needs to fix this.

[KyleAMathews]

https://status.npmjs.org/ — they've updated their status page

[timbermonson]

Stackoverflow is having the same issue. Opening any question with "Camel" in the name triggers "access denied".

[ivke-99]

wow what a day to be working late

[paulbalaji]

also getting this issue - it's almost 6pm so breaking out the whisky too

[hueter]

#camelgate

[tamebadger]

wen fix

[sewalsh]

LOL. Same!

[rikikonikoff]

Any ideas when camelgate will be fixed?

[tiagomartins91]

It's working.. thanks!

[aianimation55]

Oh... bye... see you round for the next end of days moment.

[Ravi828rk]

✅

[icon2341]

Working now

[baysaa006]

At this point, if this issue had its own documentary, it’d get more views than Snow White. 🍿

[kerimamansaryyev]

GitHub should create the Camel Badge for everyone who was there

[noerbot]

Another hour down the toilet debugging an issue that was beyond my control... (－‸ლ)

[TheDevMinerTV]

The sign has been made

Actually, this is more of a Kevin Fang-kind of video idea

[krsdcbl]

Another hour down the toilet debugging an issue that was beyond my control... (－‸ლ)

one hour is "10x engineer" stuff, kudos.

[rlamarche]

At least I've deployed a npmjs mirror now ! And it started working when npmjs was repaired 😂

[d2davidtb]

It tried again and it works for me. npmjs was repaired.

[t3dotgg]

What did I miss?

[PeerRich]

i summoned theo 👀

[lakema17]

Shoutout to Cloudflare for fixing the problem

that they caused

[Stephane-Ag]

What did I miss?

everything

[OliverWales]

This explains everything 🐫🐫🐫

[milaninfy]

This appears to be fixed as per this https://status.npmjs.org/incidents/hdtkrsqp134s

Closing: If this issue persist please go to Registry support as this repository tracks npm cli issues. For registry support please go to npmjs.com/support.

[browens-amergis]

Confirmed 🐫

[leo1994]

o/