According to Isaac Z. Schlueter, the creator of npm, two days ago the npm registry started to report hundreds of failed builds per minute. Users worldwide could not install or build certain Node.js packages. Thousands of dependent packages were broken including Babel, Atom, Ember, React Native and many other packages depending on line-numbers. What happened?
Azer Koçulu is a software developer and author of 273 Node.js packages. Among these are kik and left-pad, the later being an 11-lines function used to pad a string on the left. A few weeks ago, Azer was contacted by Kik, a company that develops a messaging application with 270M users and having their name a registered trademark in many countries. They intended to release a package on npm with the respective name, but found there was already one. So they contacted Koçulu to find an amiable way to solve the issue but they could not reach an agreement. Then Kik contacted npmjs to settle the conflict as the Dispute Resolution specifies. npmjs sided with Kik because of their large number of users:
The policy’s overarching goal is this: provide npm users with the package they expect. This covers spam, typo-squatting, misleading package names, and also more complicated cases such as this one. Entirely on this basis, we concluded that the package name “kik” ought to be maintained by Kik, and informed both parties. …
Given two packages vying for the name
kik, we believe that a substantial number of users who typenpm install kikwould be confused to receive code unrelated to the messaging app with over 200 million users.
So, npmjs decided to transfer the package name ownership to Kik. Koçulu did not receive the outcome well, writing:
This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because [it gives] Power To The People.
And he decided to un-publish all his modules, including kik and left-pad, a move that was completely unexpected and npmjs was not prepared for it. Because many important packages depend on left-pad via line-numbers, the builds broke. The expected move was for Koçulu to leave his package version 0.0.3 in the registry and Kik would add their own package, under the same name but a newer version, perhaps 1.0.0. And all packages that depend on 0.0.3 would work as usual.
To fix the problem as soon as possible, npmjs took the decision to republish left-pad because “left-pad is open source, and we allow anyone to use an abandoned package name as long as they don’t use the same version numbers.” Soon afterward the npm ecosystem came back to normal. To avoid such cases in the future, npmjs decided to make it harder for someone to un-publish a package in the future or to maliciously adopt an abandoned package name. But some issues remain.
Koçulu decided to stop publishing his work on npmjs and hopes the “open source community will eventually create a truly free alternative for NPM.” He also apologized to those affected by his action. Many shared his position on Twitter, Hacker News, Reddit or various websites. Some aspire to “break the Internet” some day like Koçulu did, but a few others considered his actions irresponsible. Is the JavaScript ecosystem fragile? Some consider it is, while others point out the contrary emphasizing how quickly it got fixed when a problem occurred. Some wonder if people forgot to program, depending on a package with 11 lines of code that anybody could write in a few minutes.
Also, is it safe to depend on a single centralized repository? Some have proposed a Decentralized Module Delivery system. Maybe the recent events will prompt the community to do something about this.