NPM fiasco even caught Brendan Eich off guard

The kerfuffle over left-pad tripped up scores of developers, including JavaScript's founder

NPM fiasco even caught Brendan Eich off guard
Credit: Thinkstock

The managers of the popular NPM registry, which houses JavaScript packages, want to assure the community that everything is OK, despite the calamity caused this week by the removal of a small package. NPM’s predicament, though, brought criticism from JavaScript founder Brendan Eich, who stressed a need to improve the module system.

Upset over a naming issue, a developer decided to unpublish his modules on the registry, including left-pad, and as a consequence shut down several dependent programs, such as the Babel compiler. The module itself consists of only 17 lines of code, but modules that relied on left-pad could no longer be installed.

Within 10 minutes of being unpublished, left-pad was repaired by a community member and a new version was published, said Laurie Voss, CTO of NPM Inc., which runs the registry. Isaac Schlueter, the creator of NPM and CEO of NPM Inc., also emphasized the speed of repairs: “Essentially, the biggest disruption that happened as a result of this, it was partially mitigated within minutes and then completely mitigated within two-and-a-half hours. So everybody whose builds broke, their builds got fixed again very quickly.”

NPM Inc. plans to take action to prevent additional ripple effects of systems failing when they are dependent on a module that suddenly disappears. “We’re going to have to address our policies and technical details around how modules get unpublished,” said Schlueter.

But Eich criticized the circumstances that led to the situation: “I think they made a mistake by allowing people to unpublish a module that is widely shared through this distributed package manager, essentially.” The loss of left-pad was an issue for his company, Brave Software, which relies on the Babel tool chain. He acknowledged NPM Inc. was working on improvements and suggested if the apps that needed the affected module could copy the few needed lines of code, they would be better off.

Eich reflected on how he, as an old Unix hacker, found that Unix was about little commands that worked well together. But the Unix world did not have a master repository in which the owner could take away critical lines of code. “Having a way to share code is great, but you shouldn’t have this brittle network dependency that could have one person affect millions,” he said.

Schlueter stressed the importance of NPM's mission and a need to review the issue at hand. He said there has not been anything before akin to the “social media storm” involving the NPM registry over this week’s incident.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.