NPM was Broken for 2.5 Hours

| by Abel Avram Follow 11 Followers on Mar 24, 2016. Estimated reading time: 3 minutes |

According to Isaac Z. Schlueter, the creator of npm, two days ago the npm registry started to report hundreds of failed builds per minute. Users worldwide could not install or build certain Node.js packages. Thousands of dependent packages were broken including Babel, Atom, Ember, React Native and many other packages depending on line-numbers. What happened?

Azer Koçulu is a software developer and author of 273 Node.js packages. Among these are kik and left-pad, the later being an 11-lines function used to pad a string on the left. A few weeks ago, Azer was contacted by Kik, a company that develops a messaging application with 270M users and having their name a registered trademark in many countries. They intended to release a package on npm with the respective name, but found there was already one. So they contacted Koçulu to find an amiable way to solve the issue but they could not reach an agreement. Then Kik contacted npmjs to settle the conflict as the Dispute Resolution specifies. npmjs sided with Kik because of their large number of users:

The policy’s overarching goal is this: provide npm users with the package they expect. This covers spam, typo-squatting, misleading package names, and also more complicated cases such as this one. Entirely on this basis, we concluded that the package name “kik” ought to be maintained by Kik, and informed both parties. …

Given two packages vying for the name kik, we believe that a substantial number of users who type npm install kik would be confused to receive code unrelated to the messaging app with over 200 million users.

So, npmjs decided to transfer the package name ownership to Kik. Koçulu did not receive the outcome well, writing:

This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because [it gives] Power To The People.

And he decided to un-publish all his modules, including kik and left-pad, a move that was completely unexpected and npmjs was not prepared for it. Because many important packages depend on left-pad via line-numbers, the builds broke. The expected move was for Koçulu to leave his package version 0.0.3 in the registry and Kik would add their own package, under the same name but a newer version, perhaps 1.0.0. And all packages that depend on 0.0.3 would work as usual.

To fix the problem as soon as possible, npmjs took the decision to republish left-pad because “left-pad is open source, and we allow anyone to use an abandoned package name as long as they don’t use the same version numbers.” Soon afterward the npm ecosystem came back to normal. To avoid such cases in the future, npmjs decided to make it harder for someone to un-publish a package in the future or to maliciously adopt an abandoned package name. But some issues remain.

Koçulu decided to stop publishing his work on npmjs and hopes the “open source community will eventually create a truly free alternative for NPM.” He also apologized to those affected by his action. Many shared his position on Twitter, Hacker News, Reddit or various websites. Some aspire to “break the Internet” some day like Koçulu did, but a few others considered his actions irresponsible. Is the JavaScript ecosystem fragile? Some consider it is, while others point out the contrary emphasizing how quickly it got fixed when a problem occurred. Some wonder if people forgot to program, depending on a package with 11 lines of code that anybody could write in a few minutes.

Also, is it safe to depend on a single centralized repository? Some have proposed a Decentralized Module Delivery system. Maybe the recent events will prompt the community to do something about this.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

dependencies by Sebastian Jancke

why on earth do you add a dependency an a library for " an 11-lines function used to pad a string on the left"? I don't get it...

Highly misleading name to an article. by Richard Clayton

NPM was not broken. Package's that relied on Azer Koçulu's packages were.

Re: Highly misleading name to an article. by Abel Avram

"Hundreds of builds failed per minute", according to npmjs. That's thousands per hour, including some very important ones and in wide spread use. You can say safely say npm was broken.

Re: Highly misleading name to an article. by Richard Clayton

How can you claim that the technology failed? That's ridiculous. NPM functioned exactly as it was intended to do so. While hundreds of projects may have failed due to a missing dependency, the maintainer's wishes were honored by NPM resulting his software being removed from public consumption. You may not disagree with that policy, but the package manager functioned as it's creators intended.

More importantly, your article sensationalizes the notion that we cannot rely on NPM. I'd say, particularly with the fact that InfoQ is read so widely by IT professionals in positions to make decisions about the adoption of Node.js within their organizations, that you may have dealt a greater blow to the Node.js community than the unavailability of packages on NPM. Let's hope fellow readers don't skim this article and realize that your title was simply click-bait.

Re: Highly misleading name to an article. by Abel Avram

I think you are forcing the text to give it the interpretation you want. If one wanted to build a project and he could not because NPM was not providing a certain package, that means a broken build, and the problem was somewhere inside NPM. You say it was meant to behave like that. Then why did the npmjs scrambled to republish the package from a backup? They should have said: "Guys, this is how NPM behaves. If one developer takes down his package, and 10.000 packages depend on it, that's life. He can do whatever he wants with it. Write another and replace it." No, they frantically worked to put it back, in spite of the fact the its author unpublished it. Also, npmjs promised they would make sure something like this won't happen so simply in the future. So it was not as it was supposed to be.

The title is quite reasonable. Have you seen titles like "One dev broke JavaScript?" or "One guy broke the Internet?" There are dozens of articles expressing serious concern about what happened. How was it possible? What if it happens again? I just expressed concerns existing out there in the media, and I drew attention to the risk of a centralized repository (and this is not something new). And the tone was quite moderate. Just read what others had to say and how many people reacted on Twitter.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

5 Discuss

Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you