How a developer broke the internet by un-publishing his package containing 11 lines of code

chaitanyasuvarna

chaitanya.dev

Posted on November 22, 2020


Almost every JavaScript developer has used npm at some point. npm is the default package manager for Node.js. For those who don't know it, npm (short for Node Package Manager) is a package manager for the JavaScript programming language; npm, Inc. is a subsidiary of GitHub. npm manages the packages a project depends on, letting developers reuse modules or pieces of code that are already published in npm's remote registry. A package your project depends on can itself depend on another package, which depends on yet another package, and so on. The convenient part is that with npm you don't have to manage those transitive dependencies yourself: npm resolves and installs all of them for you, for free.

Now that we know what npm is and how it works, let's look at what happened on 22nd March 2016 that caused widely used packages like React, Node and Babel to break, with JavaScript programmers around the world receiving a strange error message when they tried to run their code.

Background

Azer Koçulu is an open-source developer who had been publishing and maintaining his packages on npm for other developers to use and include in their own projects. Among his roughly 270 packages on npm was one called kik, which helped programmers set up templates for their projects.
Kik also happens to be the name of a freeware instant messaging mobile app, available on both Android and iOS, from the company Kik Interactive based in Ontario, Canada.

The E-mail

One fine day, Koçulu received an email from one of Kik's patent agents asking him to rename his kik package, as the company was planning to publish a package on npm and Koçulu's package could have caused confusion. The entire e-mail thread can be found here, but to give you the gist, Azer declined Kik's request. Bob Stratton, Kik's patent agent, then put Kik's request for the name kik to the npm team, again citing the company's trademark and the potential for confusion.
npm decided to side with Kik, took kik away from Azer and handed the name over to the company.

The Liberation of Modules

On finding out that npm had sided with the corporation, Koçulu wrote to npm saying that he wanted all of the packages he had published taken down, or that they should tell him how he could take them all down quickly. Two days after Koçulu sent this email, on Tuesday 22nd March, programmers all over the world were left staring at broken builds and failed installations. Among the many lines of errors, one line read:

npm ERR! 404 'left-pad' is not in the npm registry.

This error means that the code you are trying to build or run requires a package called left-pad that does not exist in the npm registry (the registry we talked about at the start of this post). So where did the package named left-pad go?
Koçulu had done exactly what he had written in his email: he unpublished all his packages from npm, and left-pad was one of them. He wrote a blog post explaining why he had unpublished all his modules. "This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People," Koçulu said in his blog.

Un-Un-publishing left-pad

To fix all the failing projects and packages around the world, on 23rd March Laurie Voss, CTO and co-founder of npm, decided to do something unconventional and restore the unpublished left-pad 0.0.3 that so many apps required. His tweet read: "Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly."
With that, all the failing packages started building and running again, thus fixing the internet. Laurie also said: "Even within npm we're not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it." While I agree with him on this, it also made me wonder about a couple of things that we are going to talk about next.

What was left-pad ?

Let's have a look at the contents of left-pad and try to figure out why so many projects all over the world were making use of this package.
left-pad, as the name suggests, pads the left-hand side of a string with a given character (or spaces), and the entire package contains only 11 lines of code. Eleven lines. This is left-pad in its entirety:

module.exports = leftpad; 
function leftpad (str, len, ch) {
   str = String(str);
   var i = -1;
   if (!ch && ch !== 0) ch = ' ';
   len = len - str.length;
   while (++i < len) {
     str = ch + str;
   }
   return str;
}

Why did this cause so many packages on NPM to break?

React, Babel and a bunch of other high-profile packages on npm broke on March 22nd 2016 because all of these packages and projects had taken on a dependency on left-pad for a simple left-padding string function. Most programmers facing these build errors had probably never heard the name left-pad, but their code was breaking because their apps depended on some packages, which in turn depended on other packages, and somewhere down the line one of those dependencies was left-pad.
Ideally programmers don't have to worry about all these transitive dependencies, since npm takes care of them and had always been reliable in doing so. In this case, though, the package had been unpublished, so there was no way npm could find the dependency, and the result was these unforeseen errors.
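To make the transitive-dependency point concrete, here is an added example (not code from the original post, from npm or from any of the projects mentioned) that walks a constructed package-lock.json v2-style "packages" map and lists every dependency chain from the application root to a given package. The package names ending in -ish are placeholders for the sample, and the resolution rule (look in the nearest node_modules folder, then walk upward) is assumed to mirror npm's on-disk layout.

```javascript
// Constructed sample lock file: the app itself never names left-pad, yet both of
// its direct dependencies reach it through a shared helper package.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "react-ish": "^1.0.0", "babel-ish": "^6.0.0" } },
    "node_modules/react-ish": { version: "1.0.0", dependencies: { "line-numbers-ish": "^1.0.0" } },
    "node_modules/babel-ish": { version: "6.0.0", dependencies: { "line-numbers-ish": "^1.0.0" } },
    "node_modules/line-numbers-ish": { version: "1.0.0", dependencies: { "left-pad": "0.0.3" } },
    "node_modules/left-pad": { version: "0.0.3" },
    "node_modules/lodash-ish": { version: "4.0.0" }
  }
};

// Resolve dependency `name` required by the package installed at `fromPath`
// (assumed to mirror npm's lookup): try the nearest node_modules, then walk up.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain of package names leading from the root to `target`.
// `seen` holds resolved paths on the current chain so cycles are not followed.
function chainsTo(lock, target) {
  const results = [];
  function walk(path, names, seen) {
    const entry = lock.packages[path];
    const deps = (entry && entry.dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(lock, path, dep);
      if (!resolved || seen.has(resolved)) continue; // missing or cyclic
      if (dep === target) { results.push([...names, dep]); continue; }
      walk(resolved, [...names, dep], new Set([...seen, resolved]));
    }
  }
  walk("", [], new Set());
  return results;
}

// Which of the app's own direct dependencies would break if `target` vanished?
function affectedDirectDeps(lock, target) {
  return [...new Set(chainsTo(lock, target).map((chain) => chain[0]))].sort();
}

for (const chain of chainsTo(sampleLock, "left-pad")) console.log(chain.join(" > "));
```

Run against a real lock file (after `JSON.parse`), the same walk shows which of your direct dependencies would be taken down by an unpublished package you never chose.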

Why did so many packages depend on left-pad to, well, left pad?

With only 11 lines of code, left-pad is just a single function exported as a module, and yet many packages took a dependency on it rather than their developers writing a basic left-padding function themselves. It would take a well-versed programmer only a few minutes to write such a function, and still they chose to depend on another developer for it. Tying together many third-party packages to build a project with minimal code of your own should not be considered ideal: any issue with a third-party dependency will break your code, and you will then depend on another developer fixing their work before your project functions again. This has to be considered a serious issue when web services like Facebook, for example, become indirectly dependent on code written by programmers who don't even know the impact their code is having down the line.

How many dependencies are too many dependencies?

Have we become so lazy that we need a package to check whether an object is an array? The isArray package contains one line of code and had been downloaded 39,001,468 times in the week I wrote this post. Do we really need to publish packages containing just one function? And should we be adding dependencies on packages for a few lines of code that we can easily write ourselves?
I think this way of developing software needs to change: dependencies should be taken on libraries that provide a set of interrelated, non-trivial functionality. Why would you import a package to add, subtract or multiply instead of importing a package that provides all of the math functionality?
The ease of writing code by piling dependency on dependency for minimal functionality leads to code that is hard to maintain, since you have no control over the third-party packages, and it multiplies the points of failure.
There should be as few dependencies as possible, and only on well-known libraries that offer substantial functionality that would be hard or time-consuming to write yourself, so that the risk of errors is worth it.

To all programmers, all I say is this: if there is a small, simple piece of functionality you need in your project, choose to write a few lines yourself rather than add a dependency on an unknown package. Take as a warning the frustrated programmers who chose, directly or indirectly, to depend on 11 lines of code instead of writing them themselves.

I have not written this blog to discuss the ethics or legality of the actions taken by Kik, npm or Azer, as I am no expert in that area and my opinions on it would not carry much weight.

I have written this blog to discuss how the practice of depending on so many tiny APIs (should one-liner functions even count as APIs?) can be disastrous, and to encourage a rethink of this way of programming.
I'd also suggest you go through this reddit post to see other programmers' opinions on the event.

All of this blog's content comes from Google searches, reading articles and so on, and I may be wrong in some places; please reach out to me if I have missed something.

Note: The featured image is by xkcd and all credits go to the artist.

I hope you enjoyed reading this post!
Thank you.
