Tell HN: Camelgate NPM Outage (Cloudflare)

117 points | 33 comments | a day ago
tom_usher

Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.

That rule can be overridden if you're having this issue on your own site.

pvg

This is not CF WAF's first rodeo https://news.ycombinator.com/item?id=20421538

Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.

nwalters512

The npm folks have officially acknowledged an incident now: https://status.npmjs.org/incidents/hdtkrsqp134s

miyuru

Outsourcing WAF is a double-edged sword.

I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.

(NPM is owned by GitHub, and GitHub is owned by Microsoft)

klysm

This is what you get when you buy security as an add-on product

mplanchard

Glad you posted something, thought I was going nuts

drusepth

Is this also why unpkg has been up and down all morning?
