Copyright dispute goes sour, disaster follows for JS devs

Mar 23, 2016 10:25 GMT

For the past day, JavaScript developers have been scrambling left and right to fix an issue that was crashing builds and affecting thousands of projects, if not more.

You see, JavaScript in recent years has become a more stable and mature development environment. Long gone are the days when you'd manually load libraries in your code. Now, JavaScript comes with package managers and automatic build systems, just like Java, Ruby, and other more mature programming languages.

JavaScript's package manager is npm, which started as Node.js' package manager, but then expanded to cover all kinds of JavaScript projects.

17 lines of code caused worldwide panic among JS developers

Yesterday's issue that had JavaScript developers up in arms was related to a small npm module called left-pad. This tiny JavaScript library has only 17 lines of code, which pad the left side of a string with zeros or spaces.

For a reason unknown at the time, this module was unpublished yesterday, blocking the automatic builds of thousands of projects and sending developers into frantic debugging sessions.

A few hours later, the project's maintainer published an explainer on Medium, telling the world that he actually unpublished all his 250 npm modules because of a copyright infringement battle with the owners of the Kik app that went sour.

Developer felt betrayed by npm's leadership

The developer, Azer Koçulu, had also created another npm module called kik. As you'd expect, the owners of the popular mobile IM chat app Kik weren't that pleased and contacted him in private to ask him to change the package's name.

While they had solid arguments for doing so, such as a registered trademark and the wish that developers not be misled into thinking this was an official npm module for the app, Koçulu refused to budge, saying he would not rename his module.

Left with no alternatives, Kik went to npm's leadership, and a few hours later, npm's CEO Isaac Z. Schlueter decided to change the kik module's ownership.

Koçulu didn't react well at all, and soon after he unpublished all his npm modules, making them available only via GitHub. The most popular of those modules was left-pad, which had around 100,000 downloads per day and 2.5 million in the past month alone. And so, hilarity ensued, with countless Twitter rage fests, forum discussions, GitHub issues, and avid debates on Reddit.

"This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People," Koçulu wrote yesterday.

Everything is back to normal now

The good news is that Koçulu has agreed to transfer ownership of his projects to anyone interested in taking them over and re-uploading them to npm.

It will take some time to have all his modules transferred to new owners, but in the meantime, left-pad has found a new home, and devs can breathe a sigh of relief that everything is up and running again.

An interesting aside: by removing all his npm modules, Koçulu also freed up the names of those modules. This means that anyone could very easily have registered another left-pad module under the same name and delivered malicious code into the builds of thousands of JavaScript projects.

UPDATE: We contacted npm yesterday for more details on this topic, and the company has published a blog post today about the timeline of events. Additionally, Kik has published the email exchange it had with Mr. Koçulu and later with npm. We have also removed the term "lawsuit threat" from our initial reporting, since the email exchange showed there was no such thing and Mr. Koçulu might have misunderstood the original email conversations.