How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Code pulled from NPM – which everyone was using

Updated Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript.

A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies.

Koçulu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name.

According to Koçulu, Kik's briefs told him to rename the module; he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. "This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People," Koçulu blogged.

Unfortunately, one of those unpublished modules was left-pad. The code is below. It pads out the left-hand side of a string with zeroes or spaces until it reaches a given length. And thousands of projects, including Node and Babel, relied on it.

With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over during development and deployment. Thousands, worldwide. Left-pad was fetched 2,486,696 times in just the last month, according to NPM. It was that popular.

module.exports = leftpad;

function leftpad (str, len, ch) {
  str = String(str);

  var i = -1;

  if (!ch && ch !== 0) ch = ' ';

  len = len - str.length;

  while (++i < len) {
    str = ch + str;
  }

  return str;
}

You can witness some of the fallout here, here, here and here.

To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.

"Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly," Voss explained about an hour ago.

"This action puts the wider interests of the community of NPM users at odds with the wishes of one author; we picked the needs of the many. This whole situation sucks. We will be carefully considering the issues raised by and publishing a post-mortem later.

"In the meantime, several thousand open source projects have been repaired, and I'm sleeping fine tonight."

A new maintainer, who stepped forward to look after left-pad on NPM, requested the restoration of version 0.0.3. Meanwhile, Oakland-based Koçulu has hosted his work on GitHub. If your code still won't build after the left-pad revival, try running npm cache clear to catch up with the changes.

And that's how JavaScript app development works in 2016. ®

Updated to add at 1138 PT (1838 UTC) on March 23

A spokesperson for Kik has been in touch to point us toward a blog post by Mike Roberts, the head of messenger at Kik, setting out its side of the story. It was published about 30 minutes ago.

Essentially, the instant-messaging biz says it was going to publish some open-source code including an NPM module also named Kik. That collided with Koçulu's Kik module, which is why the developer was asked to rename his software. As we know, Koçulu refused, and that led to Tuesday's cluster-fsck.

Referring to the emails sent by Kik's lawyer to Koçulu, Roberts said: "The wording we used here was not perfect. We’re sorry for creating any impression that this was anything more than a polite request to use the Kik package name on NPM for an open source project we have been working on that fits the name."
