NPM modules from the NPM repository offer a lot of functionality, but should be used sparingly.
It has been just over five years since the event known as ‘Left-Pad Apocalypse’. In March of 2016, an NPM user removed their module ‘Left-pad’ from the NPM repository, resulting in the breaking of any Node.js application which had that dependency.
It was a wake-up call for the Node.js community and some changes were implemented to NPM after this incident to prevent this from happening again.
Kik, a company with a messenger app, wanted to use the module name ‘kik’, which was already held by another NPM user, Azer Koçulu. They sent Mr. Koçulu an e-mail from a patent attorney asking him to relinquish the module named ‘kik’. Mr. Koçulu declined to give up the module name. Kik then went to NPM with a trademark request to give them access to the module, which NPM eventually did.
After losing the module name, Mr. Koçulu decided to un-publish all 250 of his other modules from NPM. One of those modules was used in thousands of projects, including Babel.js. When he un-published ‘left-pad’, it essentially broke the internet. This is because so many projects rely on NPM, and because modules also have their own dependencies. You wind up with giant tree structures of dependencies, sometimes 10 levels deep. If you want to visualize this, simply run npm list in your modules directory.
All of this was caused by a module that, at the time, was only 11 lines long.
module.exports = leftpad;
function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  }
  return str;
}
Laurie Voss, who was the CTO of NPM at the time, took the unprecedented step of un-un-publishing a module. NPM as a company was still fairly young and had not run into this scenario before. To prevent a repeat of the incident, they changed their system so that users could not un-publish a module if other modules depended on it.
#npm #programming #javascript #nodejs #software-development
Node.js web development has won wide acclaim around the world largely because of its large ecosystem of libraries, known as NPM modules. It is the largest software package library in the world, with over 500,000 packages. A command-line interface (CLI) for npm ships with every Node.js installation, which lets developers work with packages locally on their machine.
The idea of npm modules came with several advances in package management: reusable components, easy installation via an online repository, and version and dependency management.
In general, NPM is the default package manager for every Node.js development project. npm eases the process of installing and updating dependencies. A dependency's listing on npmjs even provides the installation command, so you can simply copy and paste it into the terminal to start the installation.
All npm users can take advantage of a newer install command, “npm ci” (i.e. npm continuous integration). This command provides enormous improvements to both the performance and reliability of default builds for continuous integration processes. In turn, it gives developers who use continuous integration in their workflow a consistent and fast experience.
npm install reads package.json to generate a list of dependencies and uses package-lock.json to determine the exact version of each dependency to install. If the dependency is found in package-lock.json, it will be added by npm install.
npm ci, by contrast, installs dependencies directly from package-lock.json and uses package.json only to verify that there are no mismatched versions. If any dependency has a mismatched version, it shows an error.
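The mismatch check described above can be sketched as follows. This is an added example, not npm's implementation: it handles only exact, `^` and `~` ranges on plain `x.y.z` versions, and the package names and versions are constructed.

```javascript
// Constructed package.json and package-lock.json contents (lockfileVersion 3 layout).
const pkg = {
  dependencies: { "web-framework": "^4.17.0", "util-a": "~1.2.0" },
  devDependencies: { "test-runner": "2.0.0" },
};
const lock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/web-framework": { version: "4.18.2" },
    "node_modules/util-a": { version: "1.3.0" }, // drifted outside ~1.2.0
  },
};

// true/false if `version` satisfies `range`; null if the range form is not handled.
function satisfies(version, range) {
  const parse = (v) => v.split(".").map(Number);
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) return null;
  const [maj, min, pat] = parse(m[2]);
  const [vMaj, vMin, vPat] = parse(version);
  const atLeast = vMaj > maj || (vMaj === maj && (vMin > min || (vMin === min && vPat >= pat)));
  if (m[1] === "^") // caret: the leftmost non-zero component must stay the same
    return atLeast && vMaj === maj && (maj > 0 || (vMin === min && (min > 0 || vPat === pat)));
  if (m[1] === "~") return atLeast && vMaj === maj && vMin === min;
  return vMaj === maj && vMin === min && vPat === pat;
}

// Compare what package.json declares with what the lockfile pins.
function checkLock(pkg, lock) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages["node_modules/" + name];
    if (!entry) { problems.push(`${name}: not in package-lock.json`); continue; }
    const ok = satisfies(entry.version, range);
    if (ok === null) problems.push(`${name}: range ${range} not checked by this sketch`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
  }
  return problems;
}

console.log(checkLock(pkg, lock));
```

A build that fails whenever this list is non-empty will not silently install versions other than the ones recorded in the lockfile.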
#npm-install #npm-ci #npm #node-package-manager
Let’s learn more about NPM and how it works. All tutorials:
https://www.youtube.com/playlist?list=PLYxzS__5yYQmf-iF_9MTZmx7TxnmwnKIk
#npm #npm module #all tutorials:
How many NPM modules have you used? 20? 50? We use third-party modules every day, but now it’s time to learn how to create our own.
In this mini-course, you’ll go through all the steps necessary to write, test, and publish your own NPM module. By the end, you’ll have a package that you or anyone else can install and use.
Let’s get started!
#npm #npm module