Disgruntled developer breaks thousands of JavaScript, Node.js apps

A row that led a developer to delete a 17-line JavaScript module has stopped countless applications working.

javascriptistock.jpg

Thousands of Node.js programs rely on the 17-line 'left-pad' npm package to function.

Image: iStock

Thousands of applications were broken on Tuesday after a programmer unpublished a critical module in npm, a package manager for widely-used JavaScript projects.

Countless projects were left in limbo because of a three-way spat between the programmer, Azer Koçulu, the company behind npm, and messaging app Kik.

It ended up with Koçulu deleting an 17-line npm package called 'left-pad', which thousands of Node.js programs rely on to function.

Left-pad has been downloaded from npm over 575,000 times in the past week and over 2.5 million times in the past month.

Broken projects included Babel, a highly popular JavaScript transpiler used by Facebook, Netflix and Spotify among others.

What started the fight, according to Koçulu, was that Kik's lawyers challenged the name of one of his modules on npm, which was also called Kik. A Kik lawyer asked him to delete it from npm.

"My answer was 'no'," Koçulu explained.

Kik's legal team then approached npm CEO Isaac Schlueter and requested the name change. According to Koçulu, following the legal threat, Schlueter "accepted to change the ownership of this module, without my permission".

Koçulu responded by unpublishing all his packages from npm, which included the critical left-pad module.

With thousands of broken packages on its hands, npm took the unprecedented step of "un-un-publishing" a module, Laurie Voss, npm CTO and co-founder, said.

"This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many," Voss wrote.

"Even within npm, we're not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.

"In the meantime, several thousand open-source projects have been repaired, and I'm sleeping fine tonight."

As coder Steve Klabnik explained on Reddit, npm didn't technically republish Koçulu's left-pad module. Koçulu offered to transfer any of his modules if anyone volunteers to take ownership of them in GitHub.

"TL;DR: they allowed a new maintainer to publish an old version identical to a deleted one," wrote Klabnik.

More on software development

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All