This week, one angry programmer broke a whole mess of the software the Internet runs on with the simple deletion of one simple program consisting of eleven lines of code.
Everything is ok now. But it’s a strange case that involves copyright lawyers, a petulant developer, and a behind-the-scenes look into how tech titans like Facebook, Spotify, and Netflix make the sausage.
It all starts with a developer named Azer Koçulu, who wrote an otherwise unremarkable piece of code called “Kik,” an extension for the popular programming language Node.js. Koçulu put his Kik module up on NPM, essentially an App Store for Node.js programmers, as a free download for developers to work into their apps at their leisure.
The other Kik
Kik, the popular social network of the same name, took notice and sent Koçulu an email requesting he change the name of his module. By Koçulu’s own admission in a blog post, Kik’s initial request was reasonable. Still, Koçulu wouldn’t budge.
“When I started coding Kik, didn’t know there is a company with same name. And I didn’t want to let a company force me to change the name of it,” Koçulu writes.
Given that Kik did have copyright on its side, Koçulu says that NPM CEO Isaac Schlueter took away his ownership of the module in question without asking. Upset, Koçulu removed Kik from NPM — as well as all of his other code.
It’s likely that nobody would have noticed — except that Koçulu is also the person who created a very silly, very basic, but very popular NPM module called “npm left-pad.” It’s eleven lines long and doesn’t actually do anything complicated but it’s been downloaded over 575,000 times.
A house of cards
This is where things get sticky.
A module like “npm left-pad” is basically a shortcut so a developer doesn’t have to write a whole bunch of basic code from scratch. If a developer calls on an NPM module, it’s basically shorthand for “put this code in later,” and a software compiler will just download the code when the time is right.
Most of the time, this works just fine. But sometimes, software ends up relying on what’s essentially a house of cards: One Node.js module calls on another, calls on another, calls on another. Again, usually it works fine — right up until “npm left-pad” is taken offline.
Boom, down went the house of cards. Popular software projects like Babel, which helps Facebook, Netflix, and Spotify, run code faster, and React, which helps developers build better interfaces, were suddenly broken and no more work could be done with them.
Fixing the problem would require that programmers sift through all of those dependencies, making sure that absolutely nothing relied on that one silly eleven-line bit of code.
And so, after a mass outcry from developers all over the world, NPM was forced to “un-un-publish” the code in question, handing it over to a new owner.
In a series of Twitter posts, NPM CTO Laurie Voss explains that the company wasn’t totally comfortable handing over what’s still Koçulu’s intellectual property, but much of the software industry had ground to a halt over the issue.
Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.
— Laurie Voss (@seldo) March 22, 2016
All told, the storm is over, and “npm left-pad” is back online. But the wounds are still deeply felt: “Have We Forgotten How To Program,” asks one blog entry urging developers to rethink how they build their apps.
NPM did not immediately respond to a request for comment.