Death By (Any Of) A Few Thousand NPM Dependencies

You see a lot of weird things on the Internet, this one wasn’t the weirdest, but it’s worth talking about.

A very tiny Npm package, called left-pad (and yes, as you can imagine, just pads strings), caused both Ember, React Native, and Babel Npm installations to fail, also breaking any CI that depends on fresh Npm installs.

It All Started With A Kik

The packages were broken as the author of the left-pad package unpublished (removed) it from the Npm registry. The author explains why here. Allow me to quote a few parts:

A few weeks ago a patent lawyer sent me an e-mail asking me to unpublish “kik” module from NPM

Yes, another package the author published called Kik. Nothing about left-pad yet.

When I started coding Kik, didn’t know there is a company with same name.

This part is important. If you use a trademark name as a name of your public IP, whether you know it or not, you still use a trademark name.

After I refused them, they reached NPM’s support emphasizing their lawyer power in every single e-mail CC’ing me.

@izs accepted to change the ownership of this module, without my permission.

So, being a company, with some trademark name and legal team, they contacted the authority of the Npm registry to get the change enforced.

After that, the author decided to un-publish all his packages from the NPM registry, and let-pad happened to be one of them.

Oh No, NPM Is Evil (Or, Is It Really?)

So, based on the author’s side of the story, the company went to Npm with a trademark claim. The author does not deny the claim or mention an effort to avoid it when he chose the package name.

Then, Npm acts based on on the claim, and accepts it.

Which reminds us of a very interesting fact. While Npm tooling itself allows working distributedly, either via multiple registries or even git, the official Npm registry has an official authority!

Too bad for freedom, you might think. But does it ring a bell?

For me, it does. Github and Git.

Git is distributed by default. But see what happens when Github goes offline…

Welcome to the real world of 2016!
(Not that I’m suggesting this might not change)

What Was An Official Entity Supposed To Do In This Situation?

I don’t know for sure, but I wouldn’t expect Github, Google, Amazon, Microsoft, or any other hosting company to act differently.

Whether specified in T&Cs explicitly or not, no reputable host will allow customers (free or commercial) to use their services for anything illegal.

If they are convinced the trademark claim is valid. What are they supposed to do really?

Of course there is a bit of a grey area in here. Some might argue that other companies would only act if they get a letter from court or something like that.

But you do not suppose the company would protect the offender of a trademark offense, if they are convinced it is, right? Whether before or after court.

Even if you do not agree, it’s not that Npm is trying to do anything intentionally evil here, just acting the way they think safer, legally.

But There Is A New Risk Exposed In This Story

The fact that Npm is a company should not be that new to us. We already got introduced to similar facts with Github and others. That’s not the most interesting piece here.

When Node and Npm came out, many people raised their concerns about how a really small task in Node would often require you to pull down a huge number of Npm dependencies.

Some argued that small tasks require having very large repositories because of these dependencies. Some made (less compelling?) arguments that you don’t understand all the dependencies you have in your code.

That didn’t stop the ecosystem from being VERY successfully though.

But today, we have a new concern, that is also directly related to the number of dependencies we often have in Node projects.

Packages Might Just Disappear, And That’s Worse Than You Might Think!

If your project, or your Npm package, depend on many other packages, this means your CI process, if it starts with a clean environment and an npm install command, will fail badly when any of these packages just suddenly disappear.

We never thought of what could happen if packages like “connect”, “request”, or “lodash” just disappear some day. We never thought that this scenario could happen ever.

Today we learn that a massive impact can be caused by even a very simple ELEVEN LINES Npm package.

Of course, with the publicity the author is getting, and several developers agreeing with his view, we might also see more packages “just disappear”.

We’ll only hope they do it in less destructive manner (and I will not say “more responsible” manner), via a deprecation story or whatever. It will still be painful to witness.

The Future Is Unclear

Of course the obvious question is: Where will this take us going forward?

I wish I could predict the future. I’m horrible at even forecasting it.

But, we didn’t stop using Github just because it went down a few times, or had its internal culture questioned in a couple of occasions. I don’t know if we are going to use Npm less or not though.

One interesting observation about the specific let-pad package case, is that since the package is licensed under MIT, this might allow anyone else to republish it without license / legal worry. Or wouldn’t that be enough? Well, commenting on this can be a whole new post.

There will likely be more public Npm registries created. Maybe they’ll die slowly, or one of them will be the next big thing. Maybe the next big thing will be a completely different package manager, like JSPM, or a new one yet-to-be-created.

Let’s wait and see, for now, we just know it’s not the same in the Node world anymore. We learned how the dependencies graph is just a house of cards, where one card can break the whole thing. It won’t be 100% forgotten.

Update: The Story Details

For all the details you need, here’s all sides of the story:

Since writing this post, and especially after reading Kik’s side of the story (basically a copy of the entire email communication), I had a few extra thoughts:

  • Azer (the author) was right when he mentioned Kik’s poor communication. Not that his communication was much better, but theirs was really bad.
    They get a lot of heat for describing this as “polite request” before admitting their poor communication in the same post.

  • Kik is actually a registered trademark. I was thinking it might be. That is something I guess.

  • NPM mentioned that their decision was based on the confusion more than the trademark. On one side, this weakens their position in my opinion, a lot.
    On another, after learning that it is a registered trademark and seeing the emails, I’m not buying that this wasn’t a big factor anyway.

  • There is still the whole other problem of ownership of open source with permissive licenses like MIT, whether a single developer should really have such power in the NPM ecosystem.
    I learned also that NuGet for example (.NET package manager) does not allow unpublishing packages, only unlisting them. Makes total sense to me.

    There’s a good argument for a start that I also found.

Share With Friends:

P.S. Please help me out by checking this offer, then look below for a small Thank You.

How did I learn that?

As a bonus for coming here, I'm giving away a free newsletter for web developers that you can sign up for from here.
It's not an anything-and-everything link list. It's thoughtfully collected picks of articles and tools, that focus on Angular 2, ASP.NET 5, and other fullstack developer goodies.

  • Name

    It is nice that people share their work under a permissive license. But it is very sad that other people take that for granted. And even get upset at the person who’s work they have used for free.

  • random9frog

    Through unpublishing all npm packages could be called reckless, I think it was a important think to do. This time only a package (kik) with “just” ~40 downloads in the last week (see npm) was hit by a claim,

    but what if a name collision with a package as often used as left-pad occurs?

    Given the number of companies, projects and other “entities” witch can claim a name, I would guess such a collision is far from being unlikely. And, I mean, even unpublishing and republishing a project under a different name would break everything. (through you might be able to move it, maybe ;) )