NPM modules from the NPM repository offer a lot of functionality, but should be used sparingly.

It has been just over five years since the event known as the ‘Left-Pad Apocalypse’. In March of 2016, an NPM user removed their module ‘left-pad’ from the NPM repository, breaking the build of every Node.js application that depended on it, directly or transitively.

It was a wake-up call for the Node.js community, and NPM changed its policies after this incident to prevent it from happening again.

What exactly happened

A company called Kik, which makes a messenger app, wanted to use the module name ‘kik’, which was already taken on NPM by another user, Azer Koçulu. They sent Mr. Koçulu an e-mail from a patent attorney asking him to relinquish the module named ‘kik’. Mr. Koçulu declined to give up the module name. Kik then went to NPM with a trademark request for access to the module, which NPM eventually granted.

After losing the module name, Mr. Koçulu decided to un-publish all 250 of his other modules from NPM. One of them, ‘left-pad’, was used in thousands of projects, including Babel.js. When he un-published ‘left-pad’, it essentially broke the internet. So many projects rely on NPM, and the modules they install have dependencies of their own, so you wind up with giant dependency trees, sometimes 10 levels deep, in which a single leaf module can be reached from almost everything. If you want to visualize this, simply run npm list in your project directory.

The module that caused all this was, at the time, only 11 lines long:

module.exports = leftpad;

// Pad `str` on the left with `ch` until it is `len` characters long.
function leftpad (str, len, ch) {
  str = String(str);

  var i = -1;

  // Default pad character is a space; a literal 0 is allowed as a pad character.
  if (!ch && ch !== 0) ch = ' ';

  // Number of pad characters still needed (negative or zero means no padding).
  len = len - str.length;

  while (++i < len) {
    str = ch + str;
  }

  return str;
}

Laurie Voss, who was the CTO of NPM at the time, took the unprecedented step of un-un-publishing a module. NPM as a company was still fairly young and had not run into this scenario before. To prevent a repeat of this incident, they changed their system so that users can no longer un-publish a module that other published modules depend on.
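The two questions this post raises, how deep a dependency tree goes and which packages break when one module disappears, can both be answered from a project's lockfile rather than from the live registry. The following Node.js script is an added example, not code from the original post or from npm itself. It reads the "packages" map in the shape of npm's lockfileVersion 2/3 package-lock.json, resolves each dependency the way Node does (nearest node_modules first, then each ancestor's), reports the longest chain from the root project, and computes the reverse transitive closure of a package name, which is exactly the set that the un-publish rule described above protects. The lockfile fragment is constructed for illustration, and every package name in it other than left-pad is hypothetical.

```javascript
// Added example (not the post's or npm's own code): measure dependency depth and
// the blast radius of removing one package, from a lockfileVersion 2/3 "packages" map.

// Constructed lockfile fragment. All names except "left-pad" are hypothetical.
const LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'build-tool': '^1.0.0', 'line-numbers': '^2.0.0', 'util-lib': '^0.1.0' } },
    'node_modules/build-tool': { version: '1.0.0', dependencies: { 'line-numbers': '^2.0.0', 'util-lib': '^0.2.0' } },
    // Nested copy: build-tool needs a different util-lib than the hoisted one.
    'node_modules/build-tool/node_modules/util-lib': { version: '0.2.0' },
    'node_modules/line-numbers': { version: '2.0.0', dependencies: { 'left-pad': '^1.1.0' } },
    'node_modules/util-lib': { version: '0.1.0' },
    'node_modules/left-pad': { version: '1.1.3' },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/"
// (this keeps scoped names such as "@scope/pkg" intact). "" is the root project.
function nameOf(lock, path) {
  if (path === '') return lock.packages[''].name || lock.name;
  const i = path.lastIndexOf('node_modules/');
  return path.slice(i + 'node_modules/'.length);
}

// Resolve dependency `dep` of the package installed at `fromPath` the way Node's
// loader does: its own node_modules first, then each ancestor's, up to the root.
// Returns the lockfile path of the chosen copy, or null if the lockfile lacks it.
function resolve(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base === '' ? '' : base + '/') + 'node_modules/' + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Dependency graph: lockfile path -> resolved lockfile paths of its dependencies.
function buildGraph(lock) {
  const graph = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    const deps = Object.keys(meta.dependencies || {});
    graph.set(path, deps.map((d) => resolve(lock, path, d)).filter(Boolean));
  }
  return graph;
}

// Longest chain of dependency edges starting at the root project.
// `onPath` cuts cycles so a circular dependency cannot recurse forever.
function maxDepth(lock) {
  const graph = buildGraph(lock);
  const onPath = new Set();
  function walk(path) {
    if (onPath.has(path)) return 0;
    onPath.add(path);
    let best = 0;
    for (const child of graph.get(path)) best = Math.max(best, 1 + walk(child));
    onPath.delete(path);
    return best;
  }
  return walk('');
}

// Sorted names of every package (the root project included) that depends on
// `name` directly or transitively, i.e. what breaks if `name` is unpublished.
// All installed copies of `name` (hoisted and nested) are treated as targets.
function dependentsOf(lock, name) {
  const graph = buildGraph(lock);
  const reverse = new Map();
  for (const [from, tos] of graph) {
    for (const to of tos) {
      if (!reverse.has(to)) reverse.set(to, []);
      reverse.get(to).push(from);
    }
  }
  const stack = [...graph.keys()].filter((p) => p !== '' && nameOf(lock, p) === name);
  const seen = new Set();
  while (stack.length) {
    const p = stack.pop();
    for (const dep of reverse.get(p) || []) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  return [...new Set([...seen].map((p) => nameOf(lock, p)))].sort();
}

console.log('max depth from root:', maxDepth(LOCK));
console.log('breaks if left-pad is unpublished:', dependentsOf(LOCK, 'left-pad'));
console.log('breaks if util-lib is unpublished:', dependentsOf(LOCK, 'util-lib'));
```

To run it against a real project, replace the constructed LOCK object with JSON.parse(fs.readFileSync('package-lock.json')); the same three functions then tell you how deep your tree is and how many of your own dependencies sit on top of any single package you are thinking of trusting.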

#npm #programming #javascript #nodejs #software-development

Maybe You Should Think Twice Before Installing That NPM Module?