Wednesday, March 23, 2016

How One Developer Broke Node, Babel, and Thousands of Projects

Chris Williams:

A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies.

Koçulu yanked his source code because, we’re told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name.

[…]

Unfortunately, one of those dependencies was left-pad. The code is below. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it.

Azer Koçulu (via Erik Aybar):

When I started coding Kik, I didn’t know there was a company with the same name. And I didn’t want to let a company force me to change the name of it. After I refused them, they reached NPM’s support emphasizing their lawyer power in every single e-mail CC’ing me.

[…]

I apologize if your stuff just got broken due to this. You can either point your dependency to the repo directly (azer/dependency) or, if you volunteer to take ownership of any module in my GitHub, I’ll happily transfer the ownership.

Update (2016-03-24): Mike Roberts:

We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.

[…]

The wording we used here was not perfect. We’re sorry for creating any impression that this was anything more than a polite request to use the Kik package name on NPM for an open source project we have been working on that fits the name.

David Haney (comments):

I get the impression that the NPM ecosystem participants have created a fetish for micro-packages. Rather than write any functions or code, it seems that they prefer to depend on something that someone else has written. It feels to me as if the entire job of an NPM-participating developer is writing the smallest amount of code possible to string existing library calls together in order to create something new that functions uniquely for their personal or business need.

Dave Winer:

Recently the Node community had a fairly big outage that can be traced to the fact that NPM, the code distribution system, has been taken over by VCs. When NPM became VC-backed, it was obvious that at some point this would cause problems. And it certainly doesn’t stop there. I worry about GitHub. It plays such a central role. But eventually the VCs are going to want an exit. Then what happens?

1 Comment


Independent of everybody else's behavior here, NPM first unilaterally took away a module from this guy, and then, when he decided to delete his other modules, NPM un-deleted one of them against his wishes. I understand why they did it, but this doesn't make me sympathize with them at all.
