How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript
Code pulled from NPM – which everyone was using
Updated Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript.
A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies.
Koçulu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name.
According to Koçulu, Kik's briefs told him to rename the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. "This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People," Koçulu blogged.
Unfortunately, one of those dependencies was left-pad. The code is below. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it.
With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over during development and deployment. Thousands, worldwide. Left-pad was fetched 2,486,696 times in just the last month, according to NPM. It was that popular.
module.exports = leftpad;
function leftpad (str, len, ch) {
str = String(str);
var i = -1;
if (!ch && ch !== 0) ch = ' ';
len = len - str.length;
while (++i < len) {
str = ch + str;
}
return str;
}
You can witness some of the fallout here, here, here and here.
To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.
"Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly," Voss explained about an hour ago.
"This action puts the wider interests of the community of NPM users at odds with the wishes of one author; we picked the needs of the many. This whole situation sucks. We will be carefully considering the issues raised by and publishing a post-mortem later.
"In the meantime, several thousand open source projects have been repaired, and I'm sleeping fine tonight."
A new maintainer, who stepped forward to look after left-pad on NPM, requested the restoration of version 0.0.3. Meanwhile, Oakland-based Koçulu has hosted his work on GitHub. If your code still won't build after the left-pad revival, try running npm cache clear to catch up with the changes.
And that's how JavaScript app development works in 2016. ®
Updated to add at 1138 PT (1838 UTC) on March 23
A spokesperson for Kik has been in touch to point us toward a blog post by Mike Roberts, the head of messenger at Kik, setting out its side of the story. It was published about 30 minutes ago.
Essentially, the instant-messaging biz says it was going to publish some open-source code including an NPM module also named Kik. That collided with Koçulu's Kik module, which is why the developer was asked to rename his software. As we know, Koçulu refused, and that led to Tuesday's cluster-fsck.
Referring to the emails sent by Kik's lawyer to Koçulu, Roberts said: "The wording we used here was not perfect. We’re sorry for creating any impression that this was anything more than a polite request to use the Kik package name on NPM for an open source project we have been working on that fits the name."