Just before the last week of March 2016, a crazy thing happened with JavaScript. npm, a package manager used by a majority of JavaScript developers for developing, testing and releasing their code, stopped working. Oddly enough, the source of the breakage was a tiny little function in GitHub called “left-pad”, used for padding strings on the left side with other characters. This little component was a short 11-line file, yet when the developer took it off GitHub, npm began to fail across the globe.
What’s GitHub?
GitHub is a popular web-based source control management (SCM) and version distribution tool. Since 2008 the platform has provided a place for developers across the planet to store source code for their applications, with support for all programming languages and additional features like issue tracking (bug reporting/management), application wikis, email notifications, Photoshop (PSD) storage and version comparison, project documentation storage and presentation and commit history. Users can request a “pull” from a project in order to split off open source projects to add their own code updates to the repository.
About npm
npm is the default package manager for Node.js, a popular JavaScript runtime environment.
Because npm is the packagers’ packager, and it is intended to encourage reuse of other software, the developers made use of the left-pad source code. As explained in this article over at the Verge, functions like left-pad are typically provided by the language authors, companies like Microsoft with C# and its full Visual Studio environment, and Apple with Objective-C and Swift, so the reliance on a simple string padding function from an individual is an oddity.
npm has been widely adopted by developers everywhere because of the convenience it provides. Any user can publish their work via npm, and you can add that work to your own apps. Likewise, if you write a clever routine and want to share it, all you do is upload it to GitHub and publish it on npm for anyone else to include in their own projects.
What Happened
According to the Verge article, more than 2.5 million installs of left-pad occurred in the previous month! Azer Koçulu, the developer of left-pad, has written and published many packages to npm, which allocates names on a first-come, first-served basis. One project, named Kik, attracted attention recently when a lawyer for the company Kik (or a patent [troll?] agent, according to that company) contacted Azer requesting that the Kik package be removed immediately. When Azer failed to comply, Kik’s representatives reached out to npm, and npm transferred ownership of the package name “Kik” to the Kik company.
Due to this, Azer decided he was not going to use npm any longer. Azer tells the story of “liberating” his modules in this post on Medium. In his post he states that he had to take a stand, removing all of his packages from npm, and that in the long run there will be an alternative developed by the open source community that doesn’t bend immediately to requests like the one made over his Kik package. He apologizes to users of his code and tells them where to repoint their projects so they will run again.
With over 250 packages, Azer’s removal of the code will surely impact many developers (and users); however, it has already made a huge impact because of npm and a package called Babel, currently the most popular way to write in the language ES6 (the version of JavaScript created in 2015) and have it run on most of the latest browsers. Without Babel, the incomplete nature of browsers’ implementations of JavaScript would make using the newest features of JavaScript a difficult if not nearly impossible task.
Learn more at the Verge article and comment below - what do you think of this situation and how it shook the open source community in just a few hours?