The code included a package called left-pad, which pads out strings with zeroes or spaces and had been downloaded by developers from the NPM repository more than 2 million times in the past month. Its removal caused a chain reaction among apps that depended on left-pad, whether directly or through another package.
In a postmortem on the incident, published on its blog Wednesday, NPM admitted it “dropped the ball in not protecting [developers] from a disruption caused by unrestricted unpublishing.”
“We’ve hit an inflection point in the size of the community and how critical npm has become to the Node and front-end development communities,” says NPM, adding that going forward, the company “will make it harder to un-publish a version of a package if doing so would break other packages.”
The blog post also addressed the dust-up that led to the incident, in which Koçulu was contacted by the social network Kik about a module he’d published on NPM, also named Kik. Kik asked Koçulu to rename the module and, when he refused, went to NPM for a resolution. NPM gave Kik ownership of the package name, and a peeved Koçulu reacted by unpublishing his code.
“This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People,” Koçulu wrote on Medium.
“What concerns me here is that so many packages took on a dependency for a simple left padding string function, rather than taking 2 minutes to write such a basic function themselves,” developer David Haney wrote in a blog post titled “Have We Forgotten How to Program?”
“In my opinion, if you cannot write a left-pad, is-positive-integer, or isArray function in 5 minutes flat (including the time you spend Googling), then you don’t actually know how to code.”