Much as the delicately fluttering petals of the Japanese cherry blossom in a spring breeze epitomise the temporality of human existence, so too do massive online dramas remind us just how fragile open source ecosystems can be. In this instance, one developer managed to throw a spanner in the works for Node, Babel, and thousands of other projects, with just 11 lines of code. Which is sort of impressive, when you think about it.
Blogging in the aftermath, Koçulu explained:
“This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People…Summary; NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules.”
Unfortunately, this particular statement of empowerment also took out a lot of collateral. One of these modules was left-pad, a hugely popular dependency used by scores of projects to pad out the left-hand side of strings with zeroes or spaces. According to NPM, in the past month alone it had accrued 2,486,696 downloads. As you’d expect, when left-pad was suddenly jerked away, every project depending on it toppled over. In an attempt to stem the chaos, NPM took the unusual step of restoring the unpublished left-pad 0.0.2 that thousands of apps needed to keep chugging.
Laurie Voss, CTO and co-founder of NPM, didn’t take this step lightly. Although it was an “unprecedented” action for NPM, “given the severity and widespread nature of breakage,” Voss writes, it was judged a suitable course of action.
Given the wide-scale fallout from this debacle, the open source community has been quick to voice its opinions. Some developers place the blame for the affair solely on Kik, for being a bad open source citizen by throwing its corporate heft around over what was, in the grand scheme of things, a trifling breach of trademark. The average user of Kik (which has been lauded for its groundbreaking One Direction collaboration) is hardly likely to confuse the app with an NPM module.
Others have been unsettled by NPM’s disregard for Koçulu’s ownership of his code, although, as Voss stated, this was a truly exceptional circumstance.
There has also been concern about the security vulnerability inherent in NPM allowing packages to be unregistered and their names replaced. As one Hacker News observer comments, “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish.” At the time of writing, almost all of the unpublished modules have been hijacked by “an anonymous, unknown actor.”
Trying to understand the npm “oops we broke the internet” thing: how can so many codebases rely on things you can’t even keep local copy of?
— Iain Lobb (@iainlobb) March 23, 2016
The clusterfudge of issues that has come to light today is compounded by the tangled nature of NPM itself, and its vulnerability to change across a vast number of code bases. So vulnerable, in fact, that it turns out you can break the internet with just one simple trick.