npm left-pad incident

On March 22, 2016, software engineer Azer Koçulu took down the left-pad package that he had published to npm (a JavaScript package manager). Koçulu deleted the package following a dispute with Kik Messenger, in which the company forcibly took control of the package name kik. As a result, thousands of software projects that utilized left-pad as a dependency, including the Babel transcompiler and the React web framework, were unable to be built or installed.

Technology corporations including Meta Platforms, PayPal, Netflix and Spotify were potentially affected by the removal of left-pad, as their software products used the package in some form. Several hours after the package was removed from npm, the company behind the platform, npm, Inc., manually restored it because of the widespread disruption the incident had caused.

In the aftermath of the disruption, npm disabled the removal of a package once more than 24 hours have elapsed since its publication and at least one other project depends on it. The incident also drew widespread media attention and reactions from individuals in the software industry. The removal of left-pad has prompted discussion regarding the intentional self-sabotage of software to promote social justice and brought attention to the elevated possibility of supply chain attacks in modular programming.

Background

left-pad was a free and open-source JavaScript package published by Azer Koçulu, an independent software engineer based in Oakland, California.[1] The package repetitively prepends characters to a string using a loop.[1] left-pad has been characterized as being extremely simple, consisting of only 11 lines of code (when empty lines are discounted) in the final version authored by Koçulu.[2] [3]

Koçulu published left-pad on npm, the default package manager for Node.js, a JavaScript runtime environment.[4] [2] Despite its relative obscurity, left-pad was heavily used: thousands of other software projects declared it as a dependency, and it had reached over 15 million downloads prior to its removal.[5] [6] Some of the projects that required left-pad to function were critical to the JavaScript ecosystem at the time, including Babel, a transcompiler that produces backwards-compatible JavaScript; Webpack, a module bundler; and React and React Native, frameworks widely used for the development of websites and mobile apps, respectively.[7] [8] [1]

In addition to left-pad, Koçulu also owned kik on npm, which was a tool that allowed developers to set up templates for their projects.[1] On March 11, 2016, Kik Interactive, a Canadian company owning the instant messaging platform Kik Messenger, contacted Koçulu, requesting that he relinquish control of the kik package due to the company's ownership of the "Kik" trademark.[9] Part of the correspondence included the following message from Kik:

Koçulu responded shortly after, refusing to change the name of his project, saying:

Koçulu also requested US$30,000 as compensation "for the hassle of giving up with my pet project for bunch of corporate dicks".[1] On March 18, 2016, Isaac Z. Schlueter, the chief executive officer of npm, Inc., wrote to both Kik Interactive and Koçulu, stating that the ownership of the kik package would be manually transferred to Kik Interactive.[1]

Removal

After Koçulu expressed his disappointment with npm, Inc.'s decision and stated that he no longer wished to be part of the platform, Schlueter provided him with a command to delete all 273 modules that he had registered.[9] Koçulu executed the command on March 22, 2016, removing every package he had previously released.[1] left-pad was one of the packages that was "unpublished", meaning it was no longer publicly accessible on npm.[5] The left-pad project and its contents remained available on GitHub.[9]

Users attempting to build or install any JavaScript project which utilized left-pad as a dependency (including dependents such as Babel or Webpack) received a 404 error which caused the process to fail.[1] Several notable software technology corporations including Meta Platforms, PayPal, Netflix and Spotify were potentially affected by the incident, as their products depended on the package.[8] Ironically, Kik Interactive's developers were also affected and faced build issues as a result of the package's removal.[1]

Aftermath

Immediate effects

A flood of complaints, reactions, and workarounds from other software developers was immediately posted on the project's GitHub issue tracker in response to the package's removal from npm.[7] [1] Maintainers of open-source projects including Babel also released hotfixes to remove the dependencies that Koçulu had unpublished.[7] Several of Koçulu's other package names were quickly taken over by newly published packages.[3] An hour after the packages had been deleted, Koçulu published a post on Medium titled "I've Just Liberated My Modules", in which he explained that he had unpublished all his software projects from npm as a form of protest against corporate interests in free and open-source software.[1]

To address the breakage, another developer recreated the left-pad package. However, because that developer released his package as version 1.0.0 while Koçulu had published his as version 0.0.3, projects whose declared dependency ranges did not match the new version continued to fail.[3] Around two hours after the original left-pad package was removed, npm manually "un-un-published" the original 0.0.3 version by restoring a backup, effectively resolving the disruption.[1] Regarding the restoration of the left-pad package, Laurie Voss, chief technology officer of npm, wrote that the company "picked the needs of the many" despite internal disagreements about whether the action was "the right call".[10]
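The version mismatch described above follows from how npm resolves version ranges. The following is an added example, not code from the article or from npm itself: a minimal implementation of npm's caret (^) range rule, which assumes that dependents had declared the package as "^0.0.3" (the article only gives the two version numbers).

```javascript
// Added example (not from the article or npm's own code): a minimal version of
// npm's caret (^) range rule, showing why a replacement package published as
// 1.0.0 could not satisfy dependents of the original 0.0.3 release.
// The declared range "^0.0.3" is an assumption for illustration only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret fixes the leftmost non-zero component, so the upper bound is:
//   ^1.2.3 -> <2.0.0    ^0.2.3 -> <0.3.0    ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, candidate) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled');
  const low = parseVersion(range.slice(1));
  const c = parseVersion(candidate);
  return compare(c, low) >= 0 && compare(c, caretUpperBound(low)) < 0;
}

// Pick the highest published version that satisfies the range, or null when
// nothing matches (the install then fails, as it did during the incident).
function resolve(range, published) {
  const matches = published.filter((v) => satisfiesCaret(range, v));
  if (matches.length === 0) return null;
  return matches.map(parseVersion).sort(compare).pop().join('.');
}

// Constructed scenario: only the 1.0.0 replacement exists after the unpublish.
console.log(resolve('^0.0.3', ['1.0.0']));          // null
// After npm restored the backup, 0.0.3 is available again.
console.log(resolve('^0.0.3', ['0.0.3', '1.0.0'])); // '0.0.3'
```

A dependency declared with a 0.0.x caret range is effectively pinned to that exact patch version, which is why a replacement at 1.0.0 could not repair the affected builds.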

Reactions

To prevent a similar issue from recurring, npm also published a new policy on the removal of published packages: a package can no longer be deleted if more than 24 hours have elapsed since its release and at least one other project requires it as a dependency.[11] On behalf of npm, community manager Ashley Williams apologized for the disruption caused by the incident, stating that the platform "[failed] to protect the community".[11] Kik Interactive also apologized for the incident, with the company's head of messaging Mike Roberts publishing the email chain with Koçulu on Medium and characterizing his interaction as a "polite request".[8] Roberts wrote that they had initially reached out to Koçulu because they wished to publish an open-source package on npm under the name Koçulu was using.[5] Koçulu stated that he was sorry for disrupting others' work, but he believed he did it "for the benefit of the community in long term".[2]

The incident drew varied reactions from users on Twitter, GitHub, Reddit and Hacker News, with many claiming that it briefly "broke the Internet".[2] [8] [9] [1] Many commented on the "move fast and break things" culture of JavaScript development, the unpredictable nature of open-source software, and a perceived over-reliance on modular programming.[2] [8] [3] Users also expressed disappointment regarding npm's decision to forcefully transfer Koçulu's package to Kik Interactive over a legal threat.[1]

Impact

The incident also highlighted the potential for the disruption of an npm package to lead to a supply chain attack. In addition to the widely publicized left-pad removal, a number of individuals immediately hijacked Koçulu's other package names with unknown code after the originals were removed.[7] npm released a new policy to prevent malicious takeovers in similar disputes,[3] but the left-pad incident is still cited as an example of over-reliance on external contributors increasing the attack surface of software products.[12] Koçulu's intentional self-sabotage of left-pad to highlight a social issue has also been described as a precursor to incidents of protestware being published on platforms like npm.[6]

The kik package

Despite the effort to secure the name kik, this package soon became abandoned and now sits empty. The kik organization on NPM also published a namespaced package @kikinteractive/kik; however, it has not received any updates since 2017, and there are very few downloads as of 2024.[13] [14]

Addition to the standard library

During a TC39 meeting on May 25, 2016, all the present members voted 'yes' to the proposal to permanently add the function provided by the package to the JavaScript specification as .[15] The first browser to support this function was Firefox 48, which was released on August 2 of the same year.[16]

Notes and References

  1. Keith Collins. "How one programmer broke the internet by deleting a tiny piece of code". Quartz, March 27, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511142121/https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code
  2. Matt Weinberger. "One programmer almost broke the internet by deleting 11 lines of code". Business Insider, March 23, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511182241/https://www.businessinsider.com/npm-left-pad-controversy-explained-2016-3
  3. Brian Feldman. "One Man Deleted 11 Lines of Code From the Internet and Broke Hundreds of Apps". Intelligencer, March 24, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511152254/https://nymag.com/intelligencer/2016/03/how-11-lines-of-code-broke-tons-sites.html
  4. Thomas Claburn. "NPM is Not Particularly Magnanimous? Staff fired after trying to unionize – complaints". The Register, April 22, 2019. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511150602/https://www.theregister.com/2019/04/22/npm_fired_staff_union_complaints/
  5. Chris Williams. "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript". The Register, March 23, 2016. Retrieved May 11, 2024. Archived October 16, 2023: https://web.archive.org/web/20231016134656/https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
  6. Ax Sharma. "Protestware on the rise: Why developers are sabotaging their own code". TechCrunch, July 27, 2022. Retrieved May 11, 2024. Archived February 29, 2024: https://web.archive.org/web/20240229175547/https://techcrunch.com/2022/07/27/protestware-code-sabotage/
  7. Ken Mazaika. "How 17 Lines of Code Took Down Silicon Valley's Hottest Startups". HuffPost, March 24, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511161012/https://www.huffpost.com/entry/how-17-lines-of-code-took_b_9532846
  8. Paul Miller. "How an irate developer briefly broke JavaScript". The Verge, March 24, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511151328/https://www.theverge.com/2016/3/24/11300840/how-an-irate-developer-briefly-broke-javascript
  9. Sean Gallagher. "Rage-quit: Coder unpublished 17 lines of JavaScript and 'broke the Internet'". Ars Technica, March 25, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511153334/https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/
  10. Liam Tung. "Disgruntled developer breaks thousands of JavaScript, Node.js apps". ZDNET, March 23, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511162239/https://www.zdnet.com/article/disgruntled-developer-breaks-thousands-of-javascript-node-js-apps/
  11. Chris Williams. "'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code?". The Register, March 29, 2016. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511162239/https://www.theregister.com/2016/03/29/npmgate_followup/
  12. Thomas Claburn. "Malware-infected npm packages more common than you may fear". The Register, February 3, 2022. Retrieved May 11, 2024. Archived May 11, 2024: https://web.archive.org/web/20240511164936/https://www.theregister.com/2022/02/03/npm_malware_report/
  13. "kik on NPM". Retrieved July 7, 2024.
  14. "@kikinteractive/kik on NPM". Retrieved July 7, 2024.
  15. "String.prototype.pad (JHD)". GitHub, May 25, 2016. Retrieved July 10, 2024.
  16. "String.prototype.padStart". MDN Web Docs, August 9, 2023. Retrieved July 10, 2024.