How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …


    1. Pascal Monett Silver badge

      Re: Sweepstake

      Heh.

      In any case, I'm guessing we have a new student of the Streisand Effect. Kik is going to find out the hard way what it costs to stir a dev's nest.

      Who knows, might even teach a lawyer or two a lesson.

  1. Anonymous Coward

    Time Zones vs. Left Pad

    Tom Scott offers YouTube advice about time zones, 'use a library'.

    But padding a string? Seriously? Any rational coder would do that inline, and far more cleverly.

    1. BinkyTheMagicPaperclip Silver badge

      Re: Time Zones vs. Left Pad

      No you wouldn't, if using a language other than javascript. Even if it's a fairly simple function, there's the possibility the library includes an optimised version - either using a method you've not thought of, or varying assembly paths.

      1. Paul Shirley

        Re: Time Zones vs. Left Pad

        ...said library call would be compiled into your local image, not yanked in from a remote site in most languages. However I'm not aware of many languages supporting standard libs with a leftpad function so you'd actually write your own, inline that 1 liner function or embed it in higher level string formatting.
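As an added illustration, not code posted by anyone in this thread and not the module that was unpublished from npm: the inline one-liner the reply above describes, written out with the edge cases a hand-rolled version has to get right (numeric input, a numeric fill character, a target length shorter than the string, a multi-character fill), next to the same contract expressed on the built-in `String.prototype.padStart` (ES2017, present in Node 8 and later), plus a cross-check between the two. The function names and the inputs in `crossCheck` are this example's own.

```javascript
'use strict';

// Editor's example. Pad `str` on the left with `ch` until it is at least
// `len` characters long. `ch` defaults to a single space; a number is
// accepted for both `str` and `ch`, so leftPad(5, 3, 0) === '005'.
function leftPad(str, len, ch) {
  str = String(str);
  len = Number(len);
  // Normalise the fill: undefined/empty -> space, number -> its digits.
  if (ch === undefined || ch === '') ch = ' ';
  ch = String(ch);
  // Already long enough, or a nonsense length: return the input unchanged.
  if (!Number.isFinite(len) || len <= str.length) return str;

  const remaining = len - str.length;
  let pad = '';
  // Repeat the fill unit; a multi-character `ch` is then cut so that the
  // result is exactly `len` characters, which is what padStart does too.
  while (pad.length < remaining) pad += ch;
  return pad.slice(0, remaining) + str;
}

// Same contract, delegating to the built-in that later landed in the language.
function leftPadBuiltin(str, len, ch) {
  if (ch === undefined || ch === '') ch = ' ';
  return String(str).padStart(Number(len), String(ch));
}

// Constructed inputs covering the edge cases; true when both agree on all of them.
function crossCheck() {
  const cases = [
    ['5', 3, '0'],    // ordinary zero padding
    ['abc', 2, '*'],  // target shorter than the string: unchanged
    [42, 6],          // numeric input, default fill
    ['x', 5, 'ab'],   // multi-character fill gets truncated
    ['', 0, '-'],     // empty everything
    ['7', NaN, '0'],  // garbage length: unchanged
    [5, 3, 0],        // numeric fill character
  ];
  return cases.every(([s, n, c]) => leftPad(s, n, c) === leftPadBuiltin(s, n, c));
}
```

The point of the cross-check is not that either function is clever; it is that the whole contract fits in a dozen lines you can read, test and keep in your own tree.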

      2. Jason Bloomberg Silver badge

        Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

        I agree with what you are saying, but there is also the possibility a library is full of bloat and dependencies and 'who knows what' and, if an external resource as here, could disappear at any instant or change in some unexpected way which breaks things.

        It's not a binary choice of use libraries or don't, it's a more complicated matter than that.

        I was surprised how much broke for what is such a simple function which I would have in-lined myself. In this case the library could be restored, but it would have been a different matter if it could not have been.

        Hopefully this will be a wake-up call for those who slavishly use third-party libraries without ever considering the consequences of doing so.

        1. Anonymous Coward

          Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

          Usually I write my own because it's quicker than searching. The rest of the time I write my own because the libs I do find are total crap.

          1. Anonymous Coward

            Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

            In my case, even the ones I "supposedly wrote" can be found in "The Art of Computer Programming" [Knuth] or the literature since. I pretty much wrap it all in validation code and off I go to the next piece. I've had to create whopping two original algorithms in my life to date. I even comment in the code as to where I got something and why I'm using that particular code. To me, that's just being [1] honest and [2] letting the maintainers have a heads up if some future "better technique" should come along and where to fix it.

            I'm an engineer which means I build things with the tools and components that Computer Scientists have developed to date. Ain't any different than my approach to nuclear, or any other field of, engineering. Yeah, I really can do the theory end of things (extremely well in truth) but that is not how I want to spend my time, thank you very much.

            Given how development is done these days, I'm actually surprised there wasn't truthfully much more breakage. Dreamweaver (a tool I used to beta regularly for Macromedia way back when) was a leading indicator of where web coding was headed.

  2. Camilla Smythe

    Right what do we call this shit messaging app?

    "Oooooo... how about KiK."

    "Sounds Kool. Where'd the name come from."

    "Oh, it's that Left Pad function I've used all over the place."

    "Bastard. Infringing on our TradeMark. Send the lawyers in."

    1. Roland6 Silver badge

      Re: Right what do we call this shit messaging app?

      "Sounds Kool. Where'd the name come from."

      I keep seeing it on my travels and thought what a clever word.

      Kik.co.uk

      Kik-Kid.nl

      kik-textilien.com

      kikschools.org

      kikik.net

      kikradio.com

      ...

      I wonder if the lawyers sent all of these a threatening email...

  3. David Roberts

    Open Source Software??

    I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore. Or suddenly decide to charge you loads of money. Not, of course, mentioning any names such as Microsoft.

    As far as I can see this developer has had a spat with the firm hosting the code, and made it very public by pulling all his code from the repository. Obviously effective from the article here.

    Just needs someone else to pick up the code and re-publish.

    As already commented, hopefully this will make developers think a bit more about where their code comes from. Then again this does make for very Agile coding.

    1. no-one in particular

      Re: Open Source Software??

      > I naively thought the whole point of OSS was that the developer(s) couldn't one day just

      > throw a wobbler and tell you that you couldn't use the code anymore.

      ...

      >made it very public by pulling all his code from the repository

      ...

      >Just needs someone else to pick up the code and re-publish.

      But from the bottom of the article:

      "Meanwhile, Oakland-based Koçulu has hosted his work on GitHub. "

      so it is all still published and accessible - just not from NPM. Ok, that "just" seems to lead to some fun times...

    2. John Brown (no body) Silver badge

      Re: Open Source Software??

      "I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore."

      Open Source means exactly what it says on the tin. The Source is Open for all to see. Depending on how it's licensed, that may be all you can do with it. Look. More likely, it will be licensed in a way you can use it and even redistribute it, but there are likely other terms and conditions attached such as "paying back" your changes, or always attributing the original author, or making your own code which uses the licensed code use the same or a similar licence, or any of a million other conditions. It's quite rare for OSS to be completely free simply because in some jurisdictions that means someone else can come along and copyright/patent/trademark it and effectively legally steal it from you. If you want your code to be free for all to use then you have to release it with a licence stating that it's free to use and modify but that you retain your original rights over the original code at the very least.

  4. Anonymous Coward

    Not NPM's only fatal flaw

    If you search for "npm as user", one of the top results is a page I wrote in 2011. Five years later, NPM still wants to be installed as root. WTF.

    I could easily unpublish this page -- linked to by a bunch of Stackoverflow answers and so forth -- and there's not a damn thing anyone can do to get it back because it says "All rights reserved" at the bottom. And if I unpublish in protest, I *will* follow up with takedowns if anyone reposts it.

    I think I'll leave it for now. It's not exactly a ringing endorsement :)

    1. Anonymous Coward

      Re: Not NPM's only fatal flaw

      "And if I unpublish in protest, I *will* follow up with takedowns if anyone reposts it."

      But then they'll just repost outside your jurisdiction. Ah, the beauty of turning sovereignty against you...

  5. cloned67

    Sometimes it's better not to know what code is behind your libraries :D :D :D

    ... what a $hit of code!!

    Is that really how people usually write code in Node?

  6. Anonymous Coward

    Proof

    This is just more evidence for why web developers are not considered real programmers. AC because my boss used to be a web developer (he is not even that good anymore).

  7. msknight

    NPM pushed the panic button

    ...and I think they'll take a hammering for this. Seems to me that Kik deserves to go down the pan also.

  8. Tubz Silver badge

    I'm no expert, but if the author pulled all his code and then NPM republished it without permission, is this not copyright infringement of some sort, and anybody that hooks into the code an accessory?

  9. Anonymous Coward

    KIK Germany

    There is a company in Germany called KIK (kik.de). They have nothing to do with software but I am pretty sure that they have been operating for a long time, maybe somebody should tell them that they could sue the kik.com bunch.

  10. martinusher Silver badge

    My reaction -- "WTF"

    This piece of code is a trivial function that I'd use as part of a standard library package; it's not some kind of carefully crafted software component.

    Is this what programming has degenerated into? A random collection of source code fragments, each owned and guarded by some individual (or, worse, some corporation)? Doesn't this show the inherent weakness in relying on distributed script fragments for code distribution? Doesn't it highlight what a mess Javascript is? It's worse than BASIC, because at least BASIC doesn't have pretensions towards being a properly structured language.

    1. Ken Hagan Gold badge

      Re: My reaction -- "WTF"

      "Is this what programming has degenerated into?"

      Nope. It is what JavaScript has degenerated into and it is debatable whether it has actually degenerated. It has always been the case that if your JS program is more than a hundred lines long then you've probably chosen the wrong language. At the time JS was introduced, it was intended to let you fine-tune a web-page with a few DHTML events, but if you wanted to do any actual programming then *obviously* you'd use a proper language and Java was available.

      Sun and Oracle between them have more or less killed off Java in the browser (with years of consistently shit implementations and legal barriers to third parties doing something better), so *now* we have no other language for this platform except JS. The fact that no-one is sufficiently worried to fix this problem means either that nothing important is actually done using browser-side code or that everyone involved is an idiot. You choose.

      Edit: For the avoidance of doubt, I should say that I *like* JS. Its typeless nature makes it really good for really small tweaks, which was its intended domain. I'm just aware that the same characteristics make it really bad for anything really large.

      1. energystar

        Quite historically precise,

        Your assertion.

      2. energystar

        WWW never was intended as an execution environment...

        Not even as a documentation env., but just a humble indexing and hyper-linking one.

      3. Ken Hagan Gold badge

        Re: My reaction -- "WTF"

        Had this turned up yesterday, I'd probably have cited it.

      4. fajensen

        Re: My reaction -- "WTF"

        .... either that nothing important is actually done using browser-side code or that everyone involved is an idiot. You choose.

        Why can't we have BOTH?

  11. energystar

    No additional comments.

    "JavaScript is a trademark of Oracle Corporation."

  12. bombastic bob Silver badge

    lazy J.S. code authors created this problem

    this problem was created by lazy J.S. code authors.

    Think about it: how hard _IS_ it to write your OWN 'left script' function? Well, if you KNOW how to CODE, it's trivial.

    But you see all of these javascript 'things' out there depending on other 'things', which depend on other 'things', apparently TRIVIAL things, because nobody knows how to CODE any more [except for a handful of 'thing' authors].

    Everyone ELSE is just chaining up a bunch of 3rd party schtuff into an "app" and calling THAT 'coding'.

    This has grown into a kind of 'DLL Hell' for Javascript. Personally, I'm *GLAD* to see this happen, because I'm *SICK* and *TIRED* of the *ABUSE* of scripting on the web.

    For safety, I surf with the NoScript plugin BLOCKING it, unless I see some compelling reason to ENABLE scripting, and on a site by site basis. Example, I have to enable SOME of the scripting [and temporarily unblock cookies] to post HERE.

    As a result, my pathetic-bandwidth connection isn't hauling gigabytes of CRUFT behind every web site I visit, with that CRUFT being MOSTLY due to embedded TRACKING and ADS anyway. (who wants THAT downloaded, especially if it causes 'overages' in your bandwidth cap)

    CDN's are equally *EVIL*, like enablers of script addicts. It's hard to say WHAT gets enabled if you unblock one of them.

    Often it makes a *LOT* more sense to host the script YOURSELF, on YOUR web server, and maintain it YOURSELF, and trim out everything you DO NOT NEED, instead of relying on CDNs to refresh that MONOLITHIC MONSTROSITY library every time someone adds a comment or changes spelling in some text thing, forcing *THE* *WORLD* to waste MORE bandwidth re-downloading the "package" because it's not smart enough to only refresh 'small changes'. Or whatever.

    [OK some of this is exaggerated to make a point]

    But, if it's possible that "3rd party thing" can BREAK YOUR WEB SITE, you should WAKE UP NOW and FIX this problem (host script on YOUR server), instead of waking up at 0-dark-30 in the middle of a hangover when your cell phone won't stop ringing, and it's work calling, and YOU have to fix it (and it's not YOUR fault - except that you used "that library").
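Added example, this editor's and not from the poster above: the chaining the comment describes ("things depending on other things, which depend on other things"), done as a graph walk over a constructed dependency list. Only `left-pad` is a real package name; the others are made up for illustration. `blastRadius` lists everything that breaks when one package disappears, and `dependencyChain` shows the path by which a project that never mentions that package still depends on it, which is the question most people hit by the outage had to answer for their boss.

```javascript
'use strict';

// Constructed dependency graph: package -> direct dependencies.
// Every name except left-pad is invented for this example.
const graph = {
  'my-app':          ['web-framework', 'lint-tool'],
  'web-framework':   ['template-engine', 'util-strings'],
  'lint-tool':       ['util-strings'],
  'template-engine': ['util-strings', 'escape-html'],
  'util-strings':    ['left-pad'],
  'escape-html':     [],
  'left-pad':        [],
};

// Reverse the edges: package -> packages that depend on it directly.
function reverseGraph(g) {
  const rev = {};
  for (const pkg of Object.keys(g)) rev[pkg] = rev[pkg] || [];
  for (const [pkg, deps] of Object.entries(g)) {
    for (const d of deps) (rev[d] = rev[d] || []).push(pkg);
  }
  return rev;
}

// Every package that would fail to build if `target` vanished:
// the transitive set of dependants, found by walking the reversed graph.
function blastRadius(g, target) {
  const rev = reverseGraph(g);
  const seen = new Set();
  const stack = [target];
  while (stack.length) {
    const cur = stack.pop();
    for (const parent of rev[cur] || []) {
      if (!seen.has(parent)) {
        seen.add(parent);
        stack.push(parent);
      }
    }
  }
  return [...seen].sort();
}

// Shortest path from `root` to `target` (breadth-first search), or null if
// the root does not depend on the target at all.
function dependencyChain(g, root, target) {
  const prev = new Map([[root, null]]);
  const queue = [root];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === target) {
      const chain = [];
      for (let n = cur; n !== null; n = prev.get(n)) chain.unshift(n);
      return chain;
    }
    for (const d of g[cur] || []) {
      if (!prev.has(d)) {
        prev.set(d, cur);
        queue.push(d);
      }
    }
  }
  return null;
}
```

Run over the constructed graph, `blastRadius(graph, 'left-pad')` returns every package except `escape-html` and `left-pad` itself, and `dependencyChain(graph, 'my-app', 'left-pad')` returns `my-app -> web-framework -> util-strings -> left-pad`: three hops for a project whose own manifest never names the package that took it down. On a real tree the same walk runs over the lockfile instead of a hand-written object.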

    1. Anonymous Coward

      Re: lazy J.S. code authors created this problem

      STOP SHOUTING!!!

  13. energystar

    On a correlated tragedy:

    Have you noted how dismal is the 'Open' licensing landscape?

    https://en.wikipedia.org/wiki/List_of_open-source_programming_languages

    Going back to bash/gawk...

  14. To Mars in Man Bras!

    KIK Back

    Kik's head of messenger has posted his version of the story on Medium:

    https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.lblcg37oa

    With liberal sprinklings of my favourite twattisms; "awesome" and "reaching out", it's only helped reinforce my impression that KIK are the dicks of this piece of drama.

    1. Roland6 Silver badge

      Re: KIK Back

      Definitely there are a lot of dicks: Kik.com/KIK Interactive (and patent agent) are the really big ones throwing their weight around for little real reason, NPM in the way they handled their end of the matter, and 'Azer', whose responses don't do much to encourage people to support his case...

      A quick look at the EU trademark database ( https://euipo.europa.eu/eSearch/#basic/1+1+1+1/50+50+50+50/KIK ) shows that they aren't the only company to have 'KIK' as a trademark and the others have been registered for longer...

      A further search gives a total of 10 trademarks registered in the name of Kik Interactive/Kik.com

      ( https://euipo.europa.eu/eSearch/#details/owners/470259 ) - these include: KICK, KEEK and K...

    2. Anonymous Coward

      Re: KIK Back

      ROFL. As earlier commentards hoped, Kik indeed kicked itself in the arse:

      I found out about this problem like a lot of you, when our builds started failing because we use the extremely helpful JSCS

      1. msknight

        Re: KIK Back

        Best summed up by this post, I believe....

        Will Fife

        20 hrs ago

        Kik -> Azer: We want your name.

        Azer -> Kik: Nope, already have an open source project

        Kik -> Azer: We’ll sue you and make your life a living hell… but really we are nice people.

        Azer -> Kik: Go AWAY

        Kik -> NPM: Halp, developer mean :(

        NPM -> Azer: Company nice… help us make friends with company.

        Azer -> Kik: Fine… 30k and I’ll do whatever you want… everyone has a price.

        Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! But really we are nice.

        Kik -> NPM Developer mean :(

        Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! Developer mean :(

        NPM -> Azer/Kik: Sorry bro… Company nice.. company have lots of users.. sucks2bu. Kik.. tell me where to send the stolen goods.

        Kik -> NPM: Thanks.

        Azer -> NPM: Fine… I’ll take my ball and go home.

        So, no, it wasn't just a polite request. Once you threaten with lawyers, it's not polite anymore and it's not a request. Your app has been uninstalled, and I hope all the bad press you receive destroys your brand completely.

  15. Cheshire Cat

    Looks like everyone is being a dick

    Well, from reading the email exchanges made public and so on, it looks like everyone involved is coming off as a dick.

    Koçulu seems to be less than professional and not particularly polite in his responses. The Kik people seem to have opened with threats of legal action if they didn't get what they wanted. When they offered compensation, Koçulu asked for $30K, and there was no negotiation on either side.

    It would have been easier for Kik to have opened with "we'd like to take over the name, because trademark, and offer $10k in compensation". Even paying the asked $30k would have been so much easier and amicable all round. And, Koçulu should have responded a bit more professionally to the initial contacts, and not throw his toys out of the pram so soon - though I doubt anyone could have predicted how much would break from his removing the code.

    1. calmeilles

      Re: Looks like everyone is being a dick

      > Koçulu seems to be less than professional and not particularly polite in his responses.

      That.

      Not impressed with Kik and not entirely convinced by NPM either.

      But frankly when interacting with a community there's a minimum degree of politeness required and interacting with a business a minimum degree of professionalism.

      Koçulu displayed neither and stamping his feet and taking his toys elsewhere just reinforced that impression.

      1. Number6

        Re: Looks like everyone is being a dick

        Koçulu displayed neither and stamping his feet and taking his toys elsewhere just reinforced that impression.

        He's probably done the rest of the world a favour though, assuming the world wakes up and takes notice. At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server. If the licence doesn't let you host your own copy then don't use it, because you are vulnerable to it going away or being replaced by something dodgy.

        1. Ken Hagan Gold badge

          Re: Looks like everyone is being a dick

          "At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server."

          I think it was demonstrated about 5 seconds after the web was invented that if you depend on an image from a third-party site then the site can replace your image with something defamatory. Translating that experience to "code from a third-party site" doesn't seem a very big leap IMHO.

          On the other hand, I suspect that if web browsers started refusing to load images from third-party sites, we'd discover that people hadn't learned this lesson at all. (There must be a Firefox extension that flags up cases where this is being done, but it probably counts as a terrorism tool now.)

          So my guess is that *we* already knew that third-party code was a rubbish idea, just as *we* know about source code version control systems. But I'm sure there are a lot of people out there whose web-sites were hit by this and who told their bosses in all honesty that it wasn't a problem with *their* web-site. It was a problem elsewhere and could (and did) have happened to anyone.

          1. fajensen

            Re: Looks like everyone is being a dick

            I suspect that if web browsers started refusing to load images from third-party sites,

            We get THIS ;-)

            """

            Here’s The Thing With Ad Blockers

            We get it: Ads aren’t what you’re here for. But ads help us keep the lights on.

            So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.

            """

      2. Anonymous Coward

        Re: Looks like everyone is being a dick

        "But frankly when interacting with a community t"

        Community yes. Kik isn't part of that and throwing lawyers around is a declaration of war.

  16. energystar

    "The wording we used here was not perfect..."

    Where's the new one? Sure this is not pure PR.

  17. More Jam

    Kik is deeply sorry that "our lawyers gonna be banging on your door" was interpreted as anything but a polite request.

  18. Richard Lloyd

    Name clashes aren't uncommon - I have one

    I got name-clashed by MySQL (and now MariaDB too) no less - they include a binary called "replace" (despite almost all their binaries having a "mysql" prefix), which was first shipped years after the "replace" utility I wrote was released. A polite request from me asking them to rename it to "mysqlreplace" was ignored, which is annoying because MySQL's replace command is not good to say the least...

  19. thames

    Some People Can't Stop Laughing at This

    To show that some people can see the humour in all this, someone has just added a joke Python version of left-pad to Pypi. https://pypi.python.org/pypi/left-pad/

    However he also says: "Make sure to add left-pad to your dependencies in your next project. Or, if you want to reinvent the wheel, go ahead and try to do it with the standard library. s.rjust(len(s) + 2, '+')"

    I had a look at the source, and it's just a one line function wrapper around the standard "rjust" string method.

    One of the really WTF issues with this whole thing is that such a trivial feature has been such a popular third party Node.js module.

    Apache Java StringUtils has a leftPad which bears a lot of resemblance to the Node.js version. I suspect the Node.js Javascript version was inspired by the Apache Java version.

  20. matheuscosta

    I hate when people think that older = smarter.

    Why do you need to link javascript with "kids".

    As someone mentioned, get down off your high horses.

    Be humble, learn from the youngers, from the older.

    Life is made of experiences, not of how long you have lived doing nothing, watching TV or stuck in your bubble of old-days tech and languages.

    The more you talk about all this stuff from the past, trying to look smarter or the knowledge king, more you look like a kid, trying to get acceptance and reward in the world that you wrongly think you don't fit anymore.

    1. thegroucho

      High horses and stuff

      Age is no guarantee for knowledge, technology proficiency nor coolness.

      You could have made your point in slightly different manner but instead you come across in a very patronizing manner.

      I can see the spurs on your boots - ergo, get off *your* high horse.

    2. Anonymous Coward

      Rightly or Wrongly us old fuckers have made a few more mistakes than the "kids", and if you're not okay with that, wait a few years, see how you feel then about learning from the youngers, try learning from the people who "invented" it, rather than poorly misrepresented it.

    3. Anonymous Coward

      "I hate when people think that older = smarter.

      Why do you need to link javascript with "kids"."

      False. Older = More experience, so they don't do stupid stuff like this.

      Because no-one older than 30 is using javascript (with 2 year experience, on average), it's literally for youngsters. From my point of view these people are kids.

  21. Anonymous Coward

    wrote to their chatbot, maybe she has a heart

    https://twitter.com/andrejlr/status/712887779185831936?s=08

  22. SeanC4S

    If you are not being paid I don't see why you can't play games making information appear and disappear from the web. You have a perfect right to do that if you like.

  23. cantankerous swineherd

    npm now obsolete

    https://gist.github.com/rauchg/5b032c2c2166e4e36713
