BT

NPM was Broken for 2.5 Hours

by Abel Avram on Mar 24, 2016 |

According to Isaac Z. Schlueter, the creator of npm, two days ago the npm registry started to report hundreds of failed builds per minute. Users worldwide could not install or build certain Node.js packages. Thousands of dependent packages were broken including Babel, Atom, Ember, React Native and many other packages depending on line-numbers. What happened?

Azer Koçulu is a software developer and author of 273 Node.js packages. Among these are kik and left-pad, the later being an 11-lines function used to pad a string on the left. A few weeks ago, Azer was contacted by Kik, a company that develops a messaging application with 270M users and having their name a registered trademark in many countries. They intended to release a package on npm with the respective name, but found there was already one. So they contacted Koçulu to find an amiable way to solve the issue but they could not reach an agreement. Then Kik contacted npmjs to settle the conflict as the Dispute Resolution specifies. npmjs sided with Kik because of their large number of users:

The policy’s overarching goal is this: provide npm users with the package they expect. This covers spam, typo-squatting, misleading package names, and also more complicated cases such as this one. Entirely on this basis, we concluded that the package name “kik” ought to be maintained by Kik, and informed both parties. …

Given two packages vying for the name kik, we believe that a substantial number of users who type npm install kik would be confused to receive code unrelated to the messaging app with over 200 million users.

So, npmjs decided to transfer the package name ownership to Kik. Koçulu did not receive the outcome well, writing:

This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because [it gives] Power To The People.

And he decided to un-publish all his modules, including kik and left-pad, a move that was completely unexpected and npmjs was not prepared for it. Because many important packages depend on left-pad via line-numbers, the builds broke. The expected move was for Koçulu to leave his package version 0.0.3 in the registry and Kik would add their own package, under the same name but a newer version, perhaps 1.0.0. And all packages that depend on 0.0.3 would work as usual.

To fix the problem as soon as possible, npmjs took the decision to republish left-pad because “left-pad is open source, and we allow anyone to use an abandoned package name as long as they don’t use the same version numbers.” Soon afterward the npm ecosystem came back to normal. To avoid such cases in the future, npmjs decided to make it harder for someone to un-publish a package in the future or to maliciously adopt an abandoned package name. But some issues remain.

Koçulu decided to stop publishing his work on npmjs and hopes the “open source community will eventually create a truly free alternative for NPM.” He also apologized to those affected by his action. Many shared his position on Twitter, Hacker News, Reddit or various websites. Some aspire to “break the Internet” some day like Koçulu did, but a few others considered his actions irresponsible. Is the JavaScript ecosystem fragile? Some consider it is, while others point out the contrary emphasizing how quickly it got fixed when a problem occurred. Some wonder if people forgot to program, depending on a package with 11 lines of code that anybody could write in a few minutes.

Also, is it safe to depend on a single centralized repository? Some have proposed a Decentralized Module Delivery system. Maybe the recent events will prompt the community to do something about this.

Rate this Article

Relevance
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

dependencies by Sebastian Jancke

why on earth do you add a dependency an a library for " an 11-lines function used to pad a string on the left"? I don't get it...

Highly misleading name to an article. by Richard Clayton

NPM was not broken. Package's that relied on Azer Koçulu's packages were.

Re: Highly misleading name to an article. by Abel Avram

"Hundreds of builds failed per minute", according to npmjs. That's thousands per hour, including some very important ones and in wide spread use. You can say safely say npm was broken.

Re: Highly misleading name to an article. by Richard Clayton

How can you claim that the technology failed? That's ridiculous. NPM functioned exactly as it was intended to do so. While hundreds of projects may have failed due to a missing dependency, the maintainer's wishes were honored by NPM resulting his software being removed from public consumption. You may not disagree with that policy, but the package manager functioned as it's creators intended.

More importantly, your article sensationalizes the notion that we cannot rely on NPM. I'd say, particularly with the fact that InfoQ is read so widely by IT professionals in positions to make decisions about the adoption of Node.js within their organizations, that you may have dealt a greater blow to the Node.js community than the unavailability of packages on NPM. Let's hope fellow readers don't skim this article and realize that your title was simply click-bait.

Re: Highly misleading name to an article. by Abel Avram

I think you are forcing the text to give it the interpretation you want. If one wanted to build a project and he could not because NPM was not providing a certain package, that means a broken build, and the problem was somewhere inside NPM. You say it was meant to behave like that. Then why did the npmjs scrambled to republish the package from a backup? They should have said: "Guys, this is how NPM behaves. If one developer takes down his package, and 10.000 packages depend on it, that's life. He can do whatever he wants with it. Write another and replace it." No, they frantically worked to put it back, in spite of the fact the its author unpublished it. Also, npmjs promised they would make sure something like this won't happen so simply in the future. So it was not as it was supposed to be.

The title is quite reasonable. Have you seen titles like "One dev broke JavaScript?" or "One guy broke the Internet?" There are dozens of articles expressing serious concern about what happened. How was it possible? What if it happens again? I just expressed concerns existing out there in the media, and I drew attention to the risk of a centralized repository (and this is not something new). And the tone was quite moderate. Just read what others had to say and how many people reacted on Twitter.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

5 Discuss
General Feedback
Bugs
Advertising
Editorial
Marketing
InfoQ.com and all content copyright © 2006-2016 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT