Much as the delicately fluttering petals of the Japanese cherry blossom in a spring breeze epitomise the temporality of human existence, so too do massive online dramas remind us just how fragile open source ecosystems can be. In this instance, one developer managed to throw a spanner in the works for Node, Babel, and thousands of other projects, with just 11 lines of code. Which is sort of impressive, when you think about it.

The man in question, Azer Koçulu, unpublished over 250 modules from JavaScript dependency installer NPM this Tuesday, apparently as a result of legal action from teen friendly service Kik, who had taken unfavourably to one of Koçulu’s modules sharing its brand name. When Kik initially requested Koçulu take down the module, he declined, prompting the messaging app provider to go directly to NPM with their complaint. NPM promptly removed the offending ‘kik’, and in retaliation, Koçulu took down every last one of his remaining modules.

Blogging in the aftermath, Koçulu explained;

“This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People…Summary; NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules.

Unfortunately, this particular statement of empowerment also happened to take out a lot of collateral. One of these modules included left-pad – a hugely popular dependency utilised by scores of projects to pad out the lefthand side of strings with zeroes or spaces. According to the NPM, in the past month alone, it had accrued 2,486,696 downloads. As you’d expect, when left-pad was suddenly jerked away, all the projects depending on it for their dependencies toppled over. In an attempt to stem the chaos, NPM took the unusual step of restoring the unpublished left-pad 0.0.2 required to keep these thousands of apps chugging.

Laurie Voss, CTO and cofounder of NPM, didn’t take this step lightly. Although it was an “unprecedented” action for NPM, “ given the severity and widespread nature of breakage,” Voss writes, it was judged a suitable course of action.

Given the wide scale fallout from this debacle, the open source community has been quick to voice its opinions. Some developers are placing the blame for the affair solely in the hands of Kik for being a bad open source citizen by throwing around its corporate heft on what was a trifling breach of trademark in the grand scheme of things. The average user of Kik (which has been lauded for its ground breaking One Direction collaboration), is hardly likely to confuse the app with an NPM module.

Others have been unseated by NPM’s disregard for Koçulu’s ownership of his code. Although, as Voss stated, this was a truly exceptional circumstance.

There has also been concern expressed around the security vulnerability inherent in NPM’s ability to unregister and replace packages. As one Hacker News observer comments, “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish.”  At the time of writing, almost all of the unpublished modules have been hijacked by “an anonymous, unknown actor.”

The clusterfudge of issues that have come to light today are compounded by the tangled nature of NPM itself, and its vulnerability to change across a vast number of code bases. So vulnerable, in fact, that it turns out you can break the internet with just one simple trick.

 

Kik Debacle Creates Worst NPM Mess Ever

| Modern Web| 1,050 views | 0 Comments
About The Author
- Editor of Voxxed.com, focusing on all things Java, JVM, cloud-y, methodical, future-fantastic, and everything in between. Got a piece of news, article or tutorial you'd like to share with your fellow Voxxians? Drop us a line at info@voxxed.com

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>