A Ripple in the Node Universe

What does it take to damage an established eco-system? A pissed package author and web of (removable) dependencies.

This has been quite an interesting week. Interesting enough to publish a blog post about it. This week the whole node.js / npm infrastructure was shaking quite badly. What caused this eruption? A removal of packages! But let's back up for a moment.

Node.js is built around the concept of modules. Small, reusable units. Embeddable. Basically all the promises of classes fulfilled. Usually larger than classes but smaller than libraries. Ideal to follow the good old Unix concept of small units that do only one thing and one thing really well.

The key ingredient to this infrastructure is a package manager. This program is responsible for resolving packages including their dependencies and taking care of the versioning hell. It is a console application that uses a service available online. In npm the node.js community trusts. This trust had been betrayed.

Npm, which was supposed to be independent as possible (even though owned and maintained by a company) interfered with the intellectual property of one of its contributors. It changed the name of a package. The incident was forced by the lawyers of a small company called kik (apparently not the German textile company). The author refused to rename the package (which is alright in my opinion) causing the lawyers to approach some npm administrators.

A proper reaction to this betrayal is difficult to find. The author choose to react radically. He removed all his packages from the npm repositories. Overall he had over 500 (!) packages online. Some of these packages have been quite popular.

The incident was noticed by nearly every developer using node.js. Some of the most popular modules like react could not resolve their dependencies any more. Most of them relied on a simple module called left-pad, which is nothing more than a string padding function (left padded, right is not even considered). How can it be that such a trivial function (and module) can do so much damage?

As a consequence of this we see multiple problems with npm. The company owning npm has too much power. Furthermore, it should not be possible to remove full packages. Also the same name can be taken after removal, which opens the door for malicious packages coming with the same API, but containing evil code to be executed. Finally, while the Unix philosophy is alright, the dependencies and provided functionality of some packages is doubtful. It seems that the taken approach is slightly to radical.

The actions already spawned several funny projects. It also revived interested in some existing ones. A good laugh is the golden classic five package, which essentially only prints 5 in many variants. It is an is an ode to over-engineering. Another good laugh is left-pad as a service. Finally, the idea to use twitter for modules is also very enjoyable. It's just 140 characters, but at least it's immutable.

Created . Last updated .

References

Sharing is caring!