

How an irate developer briefly broke JavaScript

Unpublishing 11 lines of code brought down an open source house of cards


At around 5:30PM ET on Tuesday (March 22nd, 2016), JavaScript broke. More specifically, npm, the package manager most JavaScript developers use to fetch, test, and prepare their code for release, began failing installs. For thousands of developers all over the world, the most essential tool in their workflow wouldn't work.

Soon after, a new issue, titled "npmjs.org tells me that left-pad is not available (404 page)," was opened on a little-known GitHub repository: azer/left-pad. Dozens of developers quickly piled into the thread, and within minutes they'd identified the cause: azer had "unpublished" his "left-pad" code from npm.

Left-pad is a minor bit of code, a sparse 11 lines. Basically, it's a JavaScript function which takes a string of characters and a target length, and adds a "padding" character of your choice to the left until the string is that long.


Npm is all about packages built on other packages, which is how left-pad ended up everywhere. According to npm stats, left-pad has been installed 2,550,569 times in the last month — mostly as part of a package called "line-numbers," which adds line numbers to text. In addition to many other projects, line-numbers was included in the "Babel" package, which in turn broke thousands of JavaScript projects relying on Babel.

All Azer Koçulu had to do was push the first domino. And, in the words of GitHub user laurelnaiad (who has received 63 party hats, 27 thumbs up, 4 smiles, 3 thumbs down, and 3 hearts for her comment):

"This kind of just broke the internet."

What's an npm?

In many ways, JavaScript has always been the Wild West of the software world. Just like its sibling web technologies, CSS and HTML, JavaScript has been subject to the whims of the browser vendors, which has trained developers to code defensively. Without a single source of "truth" about JavaScript, developers traditionally rely on third-party libraries to smooth over the differences between browsers.

JavaScript libraries also fill another void for the language: the lack of a standard library. Traditionally, functions like "left-pad" ship with the language itself. Languages backed by big companies, like Microsoft's C#, Google's Go, Mozilla's Rust, and Apple's Swift, all have big fancy standard libraries full of commonly used functions so developers don't have to write everything from scratch. JavaScript developers never had any easy-to-access repository of code to rely on... until npm came along.

Npm allows developers to easily import blobs of code into their project. Like, if I want to left-pad something, I can just type

npm install left-pad

into the command line, and now I can left-pad to my heart's content.

In turn, if I think I've written a bit of JavaScript that other people might find useful, I can stick it up on GitHub and publish it on npm so now other people can use it easily in their own projects.

Talk about Babel

Babel is one of the most famous npm packages of recent years. By npm installing it on your development machine, you can write ES6 (also known as ES2015), the latest and greatest version of JavaScript that's only partially supported by current browsers, and have it transformed into compatible, run-anywhere ES5. Babel was written by Sebastian McKenzie, who was a bored high schooler in Australia when he started the project. He now works for Facebook.

Babel has been installed 749,195 times in the past month, and has also been built into the core of React Native, Facebook's new framework for building mobile apps with JavaScript, so it's safe to say Babel and its incarnations are primarily responsible for the wild popularity of line-numbers and left-pad.

According to Babel's own website, Babel is used basically everywhere: Facebook, Netflix, PayPal, Yahoo, Spotify, Reddit, Slack, LinkedIn, GoDaddy, Squarespace... it's very popular.


I’m not even sure what Babel uses the line-numbers function for, but that’s not really important. What’s important is that the Babel package declares line-numbers as a "dependency," and line-numbers in turn declares left-pad as a dependency. Installing Babel therefore pulls in left-pad automatically, whether or not the developer running the install has ever heard of it. With left-pad gone, Babel can’t be installed.

So when this little 11-line package broke Babel, and Babel kind of broke everything, people noticed.
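The chain described above (Babel declares line-numbers, line-numbers declares left-pad, and the install fails when the last link disappears) is easiest to see with a small resolver. The following is an added example, not code from the article, Babel, or npm: it walks a constructed toy registry the way an installer walks a dependency graph, reports the chain that leads to a missing package, computes the "blast radius" of unpublishing a name, and shows why dropping a single direct dependency (Babel's actual fix, per the article) makes the install succeed again. The package names mirror ones the article mentions, but the dependency lists, the extra "babylon" and "my-app" entries, and the function names are all assumptions made for the example.

```javascript
'use strict';

// Constructed toy registry: package name -> list of dependency names.
// Versions are omitted. The names mirror packages in the article, but the
// dependency lists (and the "babylon" and "my-app" entries) are assumed,
// not npm's real metadata.
function makeRegistry() {
  return new Map([
    ['babel', ['line-numbers', 'babylon']],
    ['babylon', []],
    ['line-numbers', ['left-pad']],
    ['left-pad', []],
    ['random-color', ['rnd']],
    ['rnd', []],
    ['my-app', ['babel', 'random-color']],
  ]);
}

// Walk the transitive dependency graph of `root`, as an installer must.
// Returns the packages that would be installed and, for every dependency
// that is absent from the registry, the chain of declarations that led to it.
function resolve(registry, root) {
  const installed = new Set();
  const seen = new Set();     // every name reached, present or not
  const missing = [];

  function walk(name, chain) {
    if (seen.has(name)) return; // also breaks dependency cycles
    seen.add(name);
    const deps = registry.get(name);
    if (deps === undefined) {
      missing.push({ name, chain: [...chain, name] });
      return;
    }
    for (const dep of deps) walk(dep, [...chain, name]);
    installed.add(name);
  }

  walk(root, []);
  return { ok: missing.length === 0, installed: [...installed].sort(), missing };
}

// Simulate an "unpublish": the name simply stops resolving.
function unpublish(registry, name) {
  const copy = new Map(registry);
  copy.delete(name);
  return copy;
}

// Reverse closure: every package that transitively depends on `name`.
// This is the set of packages a single unpublish (or a malicious republish
// under the freed name) can reach.
function dependentsOf(registry, name) {
  const reverse = new Map();
  for (const [pkg, deps] of registry) {
    for (const dep of deps) {
      if (!reverse.has(dep)) reverse.set(dep, []);
      reverse.get(dep).push(pkg);
    }
  }
  const out = new Set();
  const stack = [name];
  while (stack.length > 0) {
    const cur = stack.pop();
    for (const parent of reverse.get(cur) || []) {
      if (!out.has(parent)) {
        out.add(parent);
        stack.push(parent);
      }
    }
  }
  return [...out].sort();
}

// Babel's fix, per the article: stop declaring line-numbers at all.
function dropDependency(registry, pkg, dep) {
  const copy = new Map(registry);
  copy.set(pkg, registry.get(pkg).filter((d) => d !== dep));
  return copy;
}

// Run the whole scenario: healthy install, unpublish, blast radius, fix.
function demo() {
  const before = makeRegistry();
  const after = unpublish(before, 'left-pad');
  return {
    healthy: resolve(before, 'my-app'),
    broken: resolve(after, 'my-app'),
    blastRadius: dependentsOf(before, 'left-pad'),
    fixed: resolve(dropDependency(after, 'babel', 'line-numbers'), 'my-app'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('healthy install:', r.healthy.installed.join(', '));
  console.log('after unpublish, missing:', r.broken.missing[0].chain.join(' -> '));
  console.log('packages that depend on left-pad:', r.blastRadius.join(', '));
  console.log('after Babel drops line-numbers, ok =', r.fixed.ok);
}
```

The `chain` on each missing entry is the piece a practitioner actually wants from a failed install: it says who declared the missing name, not just that it is gone. `dependentsOf` is the question to ask before trusting any small package: everything in that set inherits whatever is published under the name next.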

The author of left-pad

Azer Koçulu is a prolific author of open source software, most of it in the vein of left-pad: small, single-serving npm packages that provide a simple JavaScript function. Npm gives package names to authors on a first-come-first-served basis, and Azer has a bunch of them — 273, to be exact. Just to mention a few: "rnd," a random number generator; "strip," a function which strips out HTML tags; and "random-color," which generates random RGB colors and, naturally, relies on rnd.

He also inconspicuously owned the name "Kik," for a more elaborate open source project he was building to help developers start new projects simply and easily from the command line.

And that's where all this drama began. Azer has told his side of the story in a Medium post. Basically, the messaging app company called Kik contacted Azer through a lawyer (Kik says it was actually a patent agent), telling him to remove his Kik package from npm. He refused, and the company proceeded to contact npm, which complied with the request and transferred ownership of the "Kik" package name. While npm is an open source project, it's primarily developed and maintained by a private company: npm, Inc.

Azer writes on Medium (emphasis his):

This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.

Azer's response was to unpublish (or, "liberate") all his modules from npm.

The aftermath

It was only 11 lines, after all. The same Wild West-ness of open source JavaScript that gave Azer's act of unpublishing such wide implications allowed other developers to swoop in and fix the problem in hours. You can follow the action yourself in the very GitHub thread that first raised the issue. Babel removed its dependency on line-numbers and published an updated version, and npm ended up restoring the left-pad code under the same name Azer had been occupying. Npm is also camping all of Azer's other npm module names to make sure no one can upload malicious code to them. That last step matters more than it sounds: npm hands out names first-come-first-served, so an unpublished name is free for anyone to claim, and whatever gets published under it is pulled automatically into every project that still declares the dependency.

If the Reddit and Hacker News comments are any indication, Azer's actions have a lot of people questioning current JavaScript best practices. The classic follow-up to the Silicon Valley mantra of "move fast and break things" is "slow down and fix your shit."


Ironically, Kik's own software-build process was impacted by the unpublishing of left-pad, which Kik's Head of Messenger, Mike Roberts, explained the following day in his own Medium post. Mike attempted to give the Kik side of the story, and published the entire email chain between Azer, Kik, and npm. Mike calls it a "polite request" to get the Kik name on npm in order to publish an open source project Kik has been working on, but the emails he published do threaten lawyers.

Npm has also published its own blog post on the fiasco. It stands by its decision to transfer the Kik name, since its name dispute policy prioritizes predictability for users. It's also looking into ways to make it harder to unpublish a package if it will break other packages. The comments on npm’s post aren’t favorable, however. Most developers seem to feel Azer was thrown under the bus, and many of them are already talking about finding an npm alternative.

Throughout this saga Azer, Kik, and npm, Inc. proclaim a deep commitment to open source and JavaScript. They just each have a slightly different way of showing it.