NPM Will Make it Harder to Unpublish Code After Left-Pad Fiasco

NPM, the JavaScript package manager, says it will update its policies after one developer’s removal of 11 lines of code crashed a chunk of the internet earlier this week.

Thousands of software projects, including the popular Babel and React, broke down when developer Azer Koçulu yanked all his code from NPM following a dispute with the company.

The code included a package called left-pad, which pads out strings with zeroes or spaces and had been downloaded by developers from the NPM repository more than 2 million times in the past month. Its removal caused a chain reaction among apps with dependencies on left-pad built in.

In a postmortem on the incident, published on its blog Wednesday, NPM admitted it “dropped the ball in not protecting [developers] from a disruption caused by unrestricted unpublishing.”

“We’ve hit an inflection point in the size of the community and how critical npm has become to the Node and front-end development communities,” says NPM, adding that going forward, the company “will make it harder to un-publish a version of a package if doing so would break other packages.”

The blog post also addressed the dust-up that led the incident, in which Koçulu was contacted by the social network Kik about a module he’d published on NPM, also named Kik. Kik asked Koçulu to rename the module and, when he refused, went to NPM for a resolution. NPM gave Kik ownership of the package name and a peeved Koçulu reacted by unpublishing his code.

“This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People,” Koçulu wrote on Medium.

NPM countered that it stands by its dispute resolution policy but will be looking at how to better address conflict within the community and “reduce friction in the lives of JavaScript developers.”

In the meantime, the company essentially fixed the problem by re-publishing the module from a backup. But the disruption has sparked discussion about whether JavaScript developers are relying on too many dependencies in their apps rather than just writing their own code.

“What concerns me here is that so many packages took on a dependency for a simple left padding string function, rather than taking 2 minutes to write such a basic function themselves,” developer David Haney wrote in a blog post titled “Have We Forgotten How to Program?”

“In my opinion, if you cannot write a left-pad, is-positive-integer, or isArray function in 5 minutes flat (including the time you spend Googling), then you don’t actually know how to code.”