Dev Watch

npm Naming Squabble Breaks Thousands of JavaScript Builds

You know that sickening feeling when you're happily coding along and all of a sudden your project won't build and you just can't figure out why? That can lead to hours of nerve-wracking, stomach-churning troubleshooting.

Now imagine that scenario played out thousands of times over because of an npm module naming squabble that no amount of troubleshooting could remedy.

That's what happened last night when community contributor Azer Koçulu "un-published" a large number of his npm modules under threat of corporate lawyers (the lawyers ... always the lawyers). The trigger was one JavaScript module named kik, which the company Kik, maker of the messaging app of the same name, said infringed its trademark.

In the end, npm Inc. -- the organization overseeing the Node Package Manager -- took the "unprecedented" step of "un-un-publishing" one wildly popular module used in thousands of projects, to the relief of developers everywhere (except perhaps Koçulu).

That's all well and good and makes for good copy and plenty of sniping fodder on sites like Hacker News, and will lead to much agitated debate about proposed rules changes.

But I'm here to give you a taste of how things like this manifest themselves on the front lines and affect people just trying to get some work done -- even if the work in my case was just educational.

Here's how it all played out from my little corner of the dev world.

Last night, after spending all day writing about coding, I was trying to practice it, plodding through a tutorial on developing a React.js Web project.

I made a routine change involving some style formatting stuff, checked to see if the webpack dev server was running and refreshed the localhost page. Nothing. I couldn't figure it out. I took the styling out, and it worked again. I put it back in, and it broke again. I looked at this, I looked at that. Finally I logged into the Slack help channel the moderator had set up, looking to see if anyone else was running into the same thing.

They sure were.

The culprit was one of the "un-published" modules, left-pad (source on GitHub), a utility for left-padding strings. npm reports it was downloaded more than 2.5 million times in the last month.

"I'm getting an odd error on npm install of the es6-for-react repo, has anyone else seen this?" asked one coder at 6:04 p.m. on the Slack channel.

"Interesting," replied Tyler, the course instructor, who immediately found and pointed to the same issue raised on GitHub that reported "npm gives me this error: No compatible version found: left-pad@0.0.3."

"Left-pad gone up and bounced outta here," Tyler continued. "Not sure why... That issue was 12 minutes ago." He soon reported yet another GitHub issue: "npmjs.org tells me that left-pad is not available (404 page)."

"The world is burning," Tyler added.

There was more give and take with comments expressing thoughts like "wow" and "damn" and "wtff" and so on. You could just feel the tension and frustration mounting. Imagine that playing out all over the world, affecting many projects that developers depend on for money, not just for learning.

Thankfully, the angst was short-lived.

"It works now," reported the original dev who raised the issue, at 6:32 p.m.

We were soon enlightened as to the cause when someone pointed to a tweet by npm Inc. co-founder and CTO Laurie Voss. It read: "Hey npm users: left-pad 0.0.3 was unpublished, breaking LOTS of builds. To fix, we are un-un-publishing it at the request of the new owner."

[Image: NPM CTO's Twitter Trail (source: Twitter)]

Voss followed up. "Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly."

That led to a lot of Twitter debate about the propriety of such a move.

"Even within npm we're not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it," Voss tweeted, following up with, "This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many."

Koçulu explained his side of things in a Medium post titled "I've Just Liberated My Modules." Here's part of it:

When I started coding Kik, I didn't know there was a company with the same name. And I didn't want to let a company force me to change the name of it. After I refused them, they reached NPM's support, emphasizing their lawyer power in every single e-mail, CC'ing me. @izs [npm Inc. CEO] agreed to change the ownership of this module, without my permission.

This situation made me realize that NPM is someone's private land where corporations are more powerful than the people, and I do open source because: Power To The People.

Summary: NPM is no longer a place that I'll share my open source work at, so, I've just unpublished all my modules.

This is not a knee-jerk action. I love open source and believe that open source community will eventually create a truly free alternative for NPM.

I apologize to you if your stuff just got broken due to this. You can either point your dependency to the repo directly (azer/dependency) or, if you volunteer to take ownership of any module in my Github, I'll happily transfer the ownership.
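Koçulu's workaround above, pointing a dependency at the repository instead of the registry, changes what an install actually depends on, and how the repository is referenced matters just as much. The following is an added example, not code from this post or from npm: it classifies the dependency specs in a package.json by where `npm install` would fetch them from, and whether a git reference is pinned to an immutable commit or follows a movable branch or tag. The spec forms follow npm's documented package.json dependency syntax; the package.json object, every package and repository name in it, and the commit id are constructed for the example.

```javascript
// Added example, not code from the original post or from npm. It reads the
// dependency specs in a package.json and reports which ones a build fetches
// from the npm registry by version (the form that broke when left-pad@0.0.3
// was unpublished), which point at a git repository, and whether a git
// reference is pinned to a commit or to a movable branch or tag.
// The spec forms follow npm's documented package.json dependency syntax;
// the package.json object and all names in it are constructed for the example.

const FULL_SHA = /^[0-9a-f]{40}$/i;                   // a full git commit id
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;  // "user/repo" or "user/repo#ref"

function classifySpec(name, spec) {
  const s = String(spec).trim();

  if (/^(file|link):/i.test(s)) {
    return { name, spec: s, source: 'local', ref: null, pinned: true,
             note: 'checked into the repo; nothing to unpublish' };
  }
  if (/^npm:/i.test(s)) {
    return { name, spec: s, source: 'registry', ref: null, pinned: false,
             note: 'alias for another registry package; resolved at install time' };
  }
  const isGit = /^git(\+[a-z]+)?:\/\//i.test(s)             // git://, git+ssh://, git+https://
             || /^https?:\/\/.*\.git(#|$)/i.test(s)         // https://host/user/repo.git
             || /^(github|gitlab|bitbucket|gist):/i.test(s)  // hosted shorthands
             || GITHUB_SHORTHAND.test(s);
  if (isGit) {
    const hash = s.indexOf('#');
    const ref = hash === -1 ? null : s.slice(hash + 1);
    const pinned = ref !== null && FULL_SHA.test(ref);
    return { name, spec: s, source: 'git', ref, pinned,
             note: pinned
               ? 'pinned to a commit: a registry unpublish cannot change what you get'
               : 'follows a branch/tag or the default branch, so the contents can move or vanish' };
  }
  if (/^https?:\/\//i.test(s)) {
    return { name, spec: s, source: 'tarball', ref: null, pinned: false,
             note: 'fixed URL, but the host can remove or replace the file' };
  }
  // Everything else (exact versions, ranges, dist-tags like "latest") resolves
  // through the registry. An exact version such as "0.0.3" fixes WHICH version
  // you get, not WHETHER the registry still serves it.
  return { name, spec: s, source: 'registry', ref: null, pinned: false,
           note: 'resolved from the npm registry at install time' };
}

// Classify every entry in dependencies and devDependencies.
function auditDependencies(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      out.push({ field, ...classifySpec(name, spec) });
    }
  }
  return out;
}

// Names whose install fails outright if the registry stops serving them.
function registryDependent(pkg) {
  return auditDependencies(pkg)
    .filter(d => d.source === 'registry')
    .map(d => d.name)
    .sort();
}

// Constructed package.json for the example; every package and repository name
// is hypothetical, and the 40-hex commit id is a placeholder, not a real commit.
const EXAMPLE_PACKAGE_JSON = {
  name: 'react-tutorial-app',
  dependencies: {
    'left-pad': '0.0.3',                              // exact, but registry-served
    'react': '^0.14.0',                               // range, registry-served
    'branch-lib': 'example-org/branch-lib',           // GitHub shorthand, default branch
    'tag-lib': 'github:example-org/tag-lib#v1.0.0',   // tag: can be moved or deleted
    'pinned-lib': 'git+https://example.test/org/pinned-lib.git#0123456789abcdef0123456789abcdef01234567',
    'local-lib': 'file:./vendor/local-lib',
  },
  devDependencies: {
    'webpack': '~1.12.0',
  },
};

for (const d of auditDependencies(EXAMPLE_PACKAGE_JSON)) {
  console.log(`${d.field.padEnd(15)} ${d.name.padEnd(12)} ${d.source.padEnd(9)} pinned=${d.pinned}  ${d.note}`);
}
```

Run it with node to print the report. The point it makes about this incident: `"left-pad": "0.0.3"` is an exact version and still shows up as registry-dependent, because an exact version fixes which version you get, not whether the registry will still serve it. A git dependency pinned to a full commit id survives an unpublish (it moves the dependency to the git host instead), while `user/repo` or `#branch` follows whatever the repository currently holds. For a module small enough to read in one sitting, checking a copy into your own repository (the `file:` form) removes the question entirely.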

[Note: After this article was originally published, Kik the company has posted their side of the story.]

This is going to shake up npm-land something fierce. I can't wait to see the promised "post mortem."

In the meantime, you can amuse yourself with the debates still raging on at Hacker News, where Koçulu's post has garnered 1,278 points and more than 660 comments. Of course, Reddit is also having a go at it. And Twitter is all over it.

Me? I ended up finishing the tutorial. No harm, no foul. But what if your livelihood depended on code that suddenly broke due to circumstances beyond your control, and the situation wasn't remedied so promptly?

Something to think about.

What do you think about this whole mess? What needs to be changed? Comment here or drop me a line.

Posted by David Ramel on March 23, 2016