How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …

  1. Tommy Pock

    This whole debacle mirrors Gamergate

    I didn't have a bloody clue what was going on then, either.

    1. Anonymous Coward

      Re: This whole debacle mirrors Gamergate

      ITYM the whole debacle shows up the standard use case for javascript for what it is - a fragile conglomeration of scripts scattered about the internet which then get dragged into a web page when it's loaded, giving multiple points of failure. Aside from that, I can't actually think of a more lax, indifferent approach towards security with a better attack vector for malware in the whole programming world.

      "Yeah, let's just load in joescode.js from scrits-r-uz.net each time our page is loaded and hope it hasn't been broken/deleted/corrupted". What a brilliant development model!

      Javascript kids - is it really so hard to download common code onto your own website having checked it first? OK, maybe you won't get updates so fast, but you won't get shafted like this either.

      1. Spacedman

        Re: This whole debacle mirrors Gamergate

        Well not really much. Developers will get the dependencies as they work (using bower or whatever the JS dep manager tool of the week is), and then build a single JS file at deployment time (using webblywobblify or the JS build tool of the week), and that goes up to the server for production. I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">

        I'd only ever load something from a non-local site if it was something I regard as stable, popular, and coming from a robust CDN.

        1. Anonymous Coward

          Re: This whole debacle mirrors Gamergate

          "and then build a single JS file at deployment time"

          That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

          1. zarvus

            Re: This whole debacle mirrors Gamergate

            Node modules aren't loaded on page load separately, they are usually bundled into something larger. Think like Python modules or C libraries, they're part of a larger whole (except in this case they're JavaScript). I don't think that unpublishing his packages would 'break the internet', it would just stop people from updating their modules during development.

            For client side JS, competent devs compile it into a bundle anyway and load it server side. Everyone wants you to use their CDN for some reason though.

            The node package manager (npm), though, is abominable and incredibly easy to break.

            I also think it's bullshit that the npm maintainer re-published his packages - if they give him the ability to unpublish his work, they are giving him the agency to do so at his choice. Someone could publish a new left-pad that does much of what his script does instead. Then he could sue them for trademark infringement and create a constitutional crisis.

          2. Michael Wojcik Silver badge

            Re: This whole debacle mirrors Gamergate

            That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

            Yes. This is readily apparent when you run something like NoScript. Oh, look, scripts from a dozen domains are blocked on this page. Let's temporarily allow some to try to get this thing working. Great, those have remote dependencies on scripts from another dozen domains...

            ECMAScript is the C of the decade. In certain domains it's perfectly suitable, but it's widely used by people who ignore its pitfalls for purposes it is not well-suited for. It's possible to write good ECMAScript code, even for non-trivial projects, but it requires discipline - something few developers seem to care about.

            1. Anonymous Coward

              Re: This whole debacle mirrors Gamergate

              Define "good" ECMAScript.

              ECMAScript doesn't expose a modulus operator nor define a method of modularising applications.

              In short, it's a hack lacking in almost every meaningful way the basic utilities one takes for granted in languages invented after COBOL; it's neither portable nor well-specified, both of which gave C its longevity.

              Being used by people who don't know any better is hardly a reason to drag C's good name into the gutter.

        2. Anonymous Coward

          Re: This whole debacle mirrors Gamergate

          I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">

          You're new here, right?

      2. John Brown (no body) Silver badge

        Re: This whole debacle mirrors Gamergate

        "Javascript kids - is it really so hard to download common code onto your own website having checked it first "

        Exactly! Is it any wonder that pages take so long to load when shitty little bits of code any beginner could knock up have to be dragged in as *live* dependencies from some 3rd party server? WTF are these people thinking? FFS, this left-pad thing was one of the exercises in BASIC programming in GCE "O" level Computer Studies (No kids, that wasn't a mistake, GCE predates GCSE, yes THAT long ago) back in about 1979 when I took the exam.

        For that matter, WHY are there even code snippets like that even made available for live linking? No one could possibly own any IP on such a simple and obvious technique.

        1. daemonaka

          Re: This whole debacle mirrors Gamergate

          Yeah, it's not 2005 anymore. No production webapp is built that way. If yours is, you've got some shitty Web devs on your hands. You need to give them a week to learn what a gulp plugin is, or they're fired.

          Yes, that's right, we primitive javascript "kids" have discovered these miraculous things called build tools! Anyone would think it was a real language or something. Dipshit.

          Did you not even bother to read this comment thread before adding to it? This has already been pointed out. Left-pad was not being "live linked", but pulled in as a static dependency at build-time. This did not "break the Web", it broke nightly builds.

          Get down off your high horse before you get a nose bleed.

          1. Kristian Walsh Silver badge

            "static" volatile dependencies

            So, what you're saying is that your organisation's software development process can be stopped at any time by a third-party in a different jurisdiction. I'd love to have the kind of Programme Manager who'd hear that and say "Oh, the builds are broken? Because a guy in XYistan broke a module? And he's not answering his mails? That's fine. I'll tell the client that the service won't ship until an indefinite date in the future, and you guys can all go home early.."

            The purpose of any build system is to produce repeatable outputs from your source-code, and to provide an audit trail for your releases. Repeatable is hard when you effectively do Lucky Dip dependency resolution. A build-system worthy of its name can check out any previous release of software by ID, and produce a binary-identical output product to that. A build process is language independent: you might need different tools, but using a particular language for development doesn't magically absolve you from responsibility.

            Live-downloading isn't a "static dependency". "static" means "not moving", and you cannot guarantee that from a remote resource. You can barely even guarantee that if it's your dynamically-fetched resource. (Versioning components doesn't help you; you're still relying on strangers to not change code without re-versioning...)

            So, if you're live-downloading every time you make a build, explain to me how you guarantee that those remotely-fetched dependencies don't dramatically change between the developer writing the unit tests, and your automated build system running them? There's a good way to waste development time. Also, how do you guard against someone maliciously injecting a backdoor into that crypto class you download every time you make a build?

            More to the point (and this is the real reason companies spend money on revision control and build systems): Imagine it's next year, and you're being sued for doing something nasty, and to provide evidence of your innocence, you've got to set up a server with your company's software the way it was on the day of the alleged offence. How the hell are you going to rebuild it? Wayback Machine? Well done, you've just handed their lawyer the downpayment on a yacht.

            ALL dependencies used by a project must be accounted for. If you're not doing that, you're just wasting time and effort - you've got a glorified compiler/packager that offers no better consistency or auditing than just deploying straight off a developer's workstation.

          2. Anonymous Coward

            Re: This whole debacle mirrors Gamergate

            >Left-pad was not being "live linked", but pulled in as a static (static eh?) dependency at build-time. This did not "break the Web", it broke nightly builds.

            >Get down off your high horse before you get a nose bleed.

            Way to reinforce the original poster's overall point Mr. Web "Developer". At least your UI follows whatever web 3.0 industry design guidelines are in fashion currently with the hipster millennials eh?

          3. Anonymous Coward

            Re: This whole debacle mirrors Gamergate

            ". No production webapp is built that way."

            Except every one of them. I'm using NoScript and it tells me directly what domains/sites javascript is trying to access. This page alone has 6.

            Allowing all 6 creates 8 new ones. No idea what kind of 'production webapps' you use, but that's the way web pages are generated nowadays.

      3. jnoelz

        Re: This whole debacle mirrors Gamergate

        Oh yeah, you read an article and you're advising developers on how to organize their work, really? Do you have any comprehension of how the entire stack works and what was actually deleted and loads from where? yeah that webpage you made in 98.... You are demonstrating your profanity - you have no idea of how expensive it is to produce production quality, reusable code. The reason why the open source community exists is because it is efficient and reliable. But yeah, script kids, playing jenga code.

  2. Anonymous Coward
    Go

    "This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people"

    So he moved to github lol.

    Thankfully I wrote my own padStart function as a polyfill. Eventually, in like 10 years, ES7 will add padding a string to JavaScript as standard.

    1. AMBxx Silver badge
      Boffin

      Left padding

      I don't do much JavaScript, but is this really the most efficient way to pad a string from the left? What's wrong with a repeat string function then right(lengthNeeded)? This looks like something copied from a BASIC tutorial 20 years ago.

      1. Andrew Moore

        Re: Left padding

        exactly what I was thinking- after checking ch and len were valid, it should just be a case of

        return ch.repeat(len - str.length) + str;

        1. mark jacobs
          Boffin

          Re: Left padding

          function leftpad(str, len, ch)
          {
              var s1 = '                                                ';
              var s2 = '0000000000000000000000000000000000000000';
              if (ch) if (ch == '0') return s2.substr(0, len - str.length) + str;
              return s1.substr(0, len - str.length) + str;
          }

          et voilà!

        2. Rabster

          Re: Left padding

          You kids get off my len()! Feeling old.

          1. AMBxx Silver badge
            Happy

            Re: Left padding

            Starting to feel sorry for the guy. First he's threatened by lawyers, now we're all saying his code is rubbish!

      2. Destroy All Monsters Silver badge
        Windows

        Re: Left padding

        This looks like something copied from a BASIC tutorial 20 years ago.

        I think you mean 30 years ago.

        As the Reg population ages, an "undertaker" icon will become of higher priority.

        1. AMBxx Silver badge
          Unhappy

          I think you mean 30 years ago

          You caught me out! 30 years ago, I was working with the BBC B and ZX Spectrum. They were both getting long in the tooth at the time.

          Feeling really old now.

          1. Hideki

            Re: I think you mean 30 years ago

            Oh please, 30 years ago was 1986, the year the Spectrum 128 and BBC Master 128 were released, they were hardly long in the tooth then, 4 years old in the case of the Speccy, 5 in the case of the Beeb.

            Still a great fan of both platforms, the Sinclairs for bringing computing to people who couldn't otherwise afford it and the BBC for creating an excellent machine with a structured basic, an understandable accessible OS and a proper assembler, in ROM.

            Still have one of each set up here (although rather modified/expanded to make use of modern storage solutions, CF and Ethernet in the case of the Speccy, SD in the case of the BBC (Bit banged SPI using the user VIA to do SD access)), if curious see: http://kupo.be/tpics/oldsystems20160307.jpg

        2. Doctor Syntax Silver badge

          Re: Left padding

          "I think you mean 30 years ago."

          Only 30? Kids today.... Wanders off mumbling to self.

          1. Anonymous Coward

            Re: Left padding

            Only 30? Kids today.... Wanders off mumbling to self.

            Indeed. 30 years ago they already had these new-fangled electronic computers!

            I remember back in the day, having to rig up the pulleys and vine ropes just right, and keeping the elephants motivated was a nightmare!

        3. Tom -1

          Re: Left padding

          Actually Basic was introduced into classes at Dartmouth College 52 years ago, and I suspect that padding a string on the left was something that cropped up in class within the first couple of years of using it as a teaching language. By the mid-70s it was used all over the place. So I think 40 years ago is more likely than 30, and it's quite likely that it turned up in a tutorial developed at Dartmouth 50 years ago.

          1. RMycroft

            Re: Left padding

            Good old DTSS. I can't be arsed to dig out my copy of BASIC 6th edition to see if there was a built-in function that would do the job. In any event someone did it in COBOL long before to pad out money amounts with asterisks on cheques.

            RUN LEM****

      3. Brewster's Angle Grinder Silver badge

        Re: Left padding

        "What's wrong with a repeat string function then right(lengthNeeded)?"

        String.prototype.repeat didn't officially exist until last year. Yes it can be done more efficiently than repeatedly adding a single string together. (Mine takes no more than 2 × log2(N) concatenations to produce N repeats.) But typical paddings are a handful of characters, so that's probably as efficient as anything: remember we are on 64 bit machines where you can have 8 utf8 characters in a single register; concatenation is just bit shift and bitwise-or.

        1. Anonymous Coward

          Re: Left padding

          Get yerself a proper language. Y'know, something which doesn't require manually defined functions to left pad a string.

          s/^(.*)/$padchar x ($wantlength - length($1)) . $1/e;

          If only we had something... something which had been around since 1987...

          1. captain veg Silver badge

            turning into a coding competition?

            function leftpad(str, len, ch)
            {
                var i = len - (str + "").length;
                var pad = (i > 0) ? Array(i + 1).join((ch || ch === 0) ? ch : " ") : "";
                return pad + str;
            }

            No charge.

            -A.
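
Since the thread has turned into a coding competition: here is an added example (my code, not from the page, from the left-pad package or from any commenter) of the approach Brewster's Angle Grinder and AMBxx describe above. The padding is built by repeated doubling, so N copies of the pad string cost O(log2 N) concatenations, and the result is then cut to exactly the width needed ("repeat, then right(lengthNeeded)"). It keeps the calling convention of the snippets above, leftpad(str, len, ch). The edge-case behaviour is my own assumption, not left-pad's: ch defaults to a space, the number 0 is accepted as a pad character, a multi-character ch is allowed and trimmed on the left, and input longer than len is returned unchanged.

```javascript
// Added example, not code from the page, from left-pad or from any commenter.
// repeatString: N copies of s by repeated doubling, O(log2 N) concatenations.
// `concats` is returned only so the bound can be inspected; drop it in production.
function repeatString(s, n) {
  if (!Number.isInteger(n) || n < 0) {
    throw new RangeError('repeat count must be a non-negative integer');
  }
  let result = '';
  let chunk = s;
  let concats = 0;
  while (n > 0) {
    if (n & 1) {               // this bit is set: take the current power-of-two chunk
      result += chunk;
      concats += 1;
    }
    n = Math.floor(n / 2);
    if (n > 0) {               // double the chunk only while another bit remains
      chunk += chunk;
      concats += 1;
    }
  }
  return { value: result, concats };
}

// Same calling convention as the snippets in the thread: leftPad(str, len, ch).
// Assumptions (mine, not left-pad's documented behaviour): ch defaults to a
// space, the number 0 is accepted, a multi-character ch is repeated and cut on
// the left so the result is exactly len characters, and a str already at
// least len long is returned untouched rather than truncated.
function leftPad(str, len, ch) {
  str = String(str);
  len = Number(len);
  if (!Number.isFinite(len)) throw new TypeError('len must be a number');
  const pad = (ch === undefined || ch === null || ch === '') ? ' ' : String(ch);
  const needed = Math.ceil(len) - str.length;
  if (needed <= 0) return str;
  const copies = Math.ceil(needed / pad.length);
  return repeatString(pad, copies).value.slice(-needed) + str;
}
```

For the handful of characters a typical padding needs, the doubling loop does no better than the simple loop; it matters only when someone passes a width in the thousands, which is exactly the input a caller never tests and an attacker may well supply.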

    2. JLV

      >Thankfully I wrote my own padStart function

      This chimes with me as well. How often, in Python/Django you see an SO question that requires 20-30 lines of code.

      With the recommendations to pip in package XYZ that does it for you. Now you have an external dependency for something super trivial.

      JS should really tweak some basic stuff though. Even the humble sprintf seems missing. I use Handlebars for that now* but it's like swatting a fly with Yamato's 18"s.

      * and mostly for templating

    3. zarvus

      His code was already on Github. Good point, though.

  3. Brian Miller

    But did Kik's website go down?

    It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

    1. Dazed and Confused

      Re: But did Kik's website go down?

      Even better if the Kik's shitesters website had imploded too. Would be great if they got a sudden lesson in intellectual property rights "Know that stuff you're using? Well it's mine and you can F*&k right off"

    2. Anonymous Coward

      Re: But did Kik's website go down?

      It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

      They have a website with the worst privacy policy ever (you can't examine the whole policy, you have to walk through it one chapter at a time), and despite being apparently a Canadian company (don't know this for certain - I'm really starting to dislike companies that don't put their address on their website) I would not trust them with ANY data because they appear to genuinely have no idea how to protect their users.

      Not that I would ever use them anyway as I'm quite happy with the apps I have, and I am rather unimpressed by how they took this on. Overzealous lawyers are IMHO more a corporate risk than a benefit.

  4. Duncan Macdonald
    Mushroom

    Copyright infringement ?

    Could Azer Koçulu sue NPM for copyright infringement by including his code against his wishes ?

    1. SE

      Re: Copyright infringement ?

      I hope so. I've no idea what the NPMs terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

      Truly pathetic.

      1. djack

        Re: Copyright infringement ?

        It depends on the license of the code. If it was licensed under any 'usual' open source licence then re-publishing shouldn't be a problem.

      2. Anonymous Coward

        Re: Copyright infringement ?

        No, it is not. Code published on NPM is open-source and anybody can republish/fork/modify it.

        1. timcroydon

          Re: Copyright infringement ?

          No, that's wrong. Every package has its own license, which may or may not be permissive. E.g. often see GPL, MIT or Apache licenses.

          I notice that the left-pad utility in question actually has no explicit license so is covered under normal copyright laws which could raise interesting questions for users who haven't checked they've got explicit permission to use it anyway.

          1. BinkyTheHorse
            Boffin

            @timcroydon

            I dunno, old status page shows the license as BSD:

            http://web.archive.org/web/20150922113035/https://www.npmjs.com/package/left-pad

            The author now updated the meta info to WTFPL, which is decidedly non-FOSS-compliant ;), but still works in this case.

            Of course the salient point is whether metainformation constitutes a valid license specification. IANAL, but I suspect NPM have a strong case in that regard (not that I condone their general behavior, as stated in the prior post).

            1. Anonymous Coward
              Mushroom

              Re: @timcroydon

              IANAL, but I don't think it's legally open-source. The only words about copyright/license in the entire commit history (at https://github.com/azer/left-pad) are these two tags in package.json:

              "author": "azer", "license": "WTFPL" [originally "BSD"]

              No BSD license text. No "Copyright 2014 (real name or alias)".

              DMCA takedown in 5... 4... 3...

              1. War President
                FAIL

                Re: @timcroydon

                None of this puts npm as an organization or as a package manager in a good light. They'll instantly cave to vague threats and willingly change ownership of a package (kik) to do the bidding of a 3rd party in contravention of their own dispute policy. If you terminate your agreement with npm, they'll keep your IP (left-pad) if it suits them, in contravention of their own terms of use. Who was it that removed the BSD license and changed it to WTFPL? If not the author or at their behest, then someone violated the license terms.

                To my mind, it also seems a little worrisome that there are so many dependencies built into these packages. You really need to add a dependency for a simple text padding function? Really?

            2. tekHedd

              Re: @timcroydon

              Actually, I was reading about WTFPL recently, and it is a valid open source license. (see the FAQ) I mean, come on, what's more open and free than "do what the f- you want"?

              1. John Brown (no body) Silver badge
                Joke

                Re: @timcroydon

                "I mean, come on, what's more open and free than "do what the f- you want"?

                Does that mean I'm free to copyright it?

                1. JBowler

                  Re: @timcroydon

                  >"I mean, come on, what's more open and free than "do what the f- you want"?

                  >Does that mean I'm free to copyright it?

                  It's a license to use something to which someone else has copyright. Copyright is the possession of the *author*.

                  Copyright can be assigned but the *license* doesn't assign the copyright (and it can't, logically; then it would be a copyright assignment, not a license.)

                  You can copyright any derivative, but if you ask a lawyer the lawyer will still want to speak to the author of the original work.

                  That's why when you go to work for someone else they ask you to sign away all your copyright rights. Oh, no, they don't actually *ask*, it just happens when they pay you (see the 'for hire stuff', and this is only in the US, which didn't adopt standard copyright laws until very late):

                  http://dearauthor.com/features/reclaiming-your-copyright-after-thirty-five-years/

                  John Bowler <jbowler@acm.org>

      3. Anonymous Coward

        Re: Copyright infringement ?

        If he ever published the code under a permissive license, there's nothing wrong with re-publishing.

      4. Michael Wojcik Silver badge

        Re: Copyright infringement ?

        I've no idea what the NPMs terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

        And in the time it took them to write that PR statement, they could have written their own implementation of "left-pad" and published it under the old name and version, avoiding any legal or ethical issues around restoring the original code.

        Ah, well. Maybe this will be an object lesson for people who use NPM, and maybe it'll draw some well-deserved ire down on Kik.

    2. BinkyTheHorse
      FAIL

      Re: Copyright infringement ?

      Well, if he published it under one of the FOSS-compliant licenses (or a few of the non-compliant OS ones), as long as NPM had a copy of the package, they were free to republish without violating the license. And in general it's a Good Thing™.

      However, fail icon since the NPM folks clearly made an half-assed job PR-wise and acted shittily towards the developer - it doesn't seem likely that the trademark case would hold up in court.

    3. Voland's right hand Silver badge

      Re: Copyright infringement ?

      Come on, the code in question is trivial.

      As a few people pointed out this is like taken from a 30+ year old basic tutorial. It will probably fail the Lego test of copyright - you cannot copyright the "natural form" of something. You can patent it, but not copyright it.

      Granted, javascript is a primitive language, but none the less, even with all of its primitiveness I would have expected it to do this as a part of the base spec (*) in one line. Python and perl certainly do - * and x operators on strings respectively.

      (*) I am aware that char repetition was added to the spec last year. That is still not pattern repetition or string repetition, which Perl has been able to do for more than 20 years in a single statement and Python for more than 15.

      1. Anonymous Coward

        Re: Copyright infringement ?

        > Come on, the code in question is trivial.

        So? Left-pad was the canary in the coal mine. Just wait until someone unpublishes a non-trivial NPM package that never had a definitive open-source license. They're probably reading these comments right now...

  5. AustinTX

    Take Your Ball And Leave, Will Ya?

    Bwaha! We stole your ball back!

  6. Anonymous Coward

    Timing

    Did he first publish his kik code before kik the company were founded?

    (I've no idea how to check publish dates on NPM) :-(

    1. Shadow Systems

      Re: Timing

      Exactly. If he published his code before the company was official then he can turn the whole thing on its head & sue them for the very thing they're claiming he's done.

      I hope he can, does, wins, & gets enough in damages/penalties to put the bastards out of business.

      Yes an application developer deserves to be paid for their hard work, but not if you're doing it by shafting the programmers that make your code possible in the first place.

      1. timcroydon

        Re: Timing

        Timing has little to do with trademark infringement, it's more about perceived good will in the brand and whether the brands could be confused, i.e. whether they cover the same 'class of goods'. Don't know what either Kik does though really so no idea if that's the case or not.

        1. Anonymous Coward

          Re: Timing

          "Timing has little to do with trademark infringement, it's more about perceived good will in the brand and whether the brands could be confused, i.e. whether they cover the same 'class of goods'"

          Except in the US where Intel were able to stop an HR company calling itself Gentium (!).

          The real problem is that US law has no concept of "de minimis non curat lex" which in this country would get any potential case thrown out as the risk of confusion was so obviously zero.

          (And I hope Kik the company dies painfully of negative cashflow while its executives are left to beg on the streets of Juarez, but that's just my view.)

        2. Anonymous Coward
          Facepalm

          Re: Timing

          > whether the brands could be confused, i.e. whether they cover the same 'class of goods'

          By threatening to sue, Kik implicitly asserted that that's the case. Oops... muahahah.

          1. JetSetJim
            Headmaster

            Re: Timing

            >> whether the brands could be confused, i.e. whether they cover the same 'class of goods'

            >By threatening to sue, Kik implicitly asserted that that's the case. Oops... muahahah.

            It may well depend on what classes of goods Kik have trademarked with this branding - while they may currently be known for some shoddy messaging app, they may have also trademarked "Kik" in a variety of places/contexts.

            A long time ago, there were a few articles laughing and pointing fingers at Mick Jagger for filing trademarks on his name in a variety of classes involving soap and perfume. Lawyer-type back talk was that he did this merely to prevent someone else from doing it.

            I still think Kik are behaving shittily, though

        3. Charles 9

          Re: Timing

          " it's more about perceived good will in the brand and whether the brands could be confused."

          Classic example I put up. The name "Cracker Barrel" has at least TWO non-conflicting registered trademarks (meaning the government has looked at them and agreed they're non-conflicting): one belongs to Kraft for a brand line of cheeses, the other belongs to a restaurant chain with an old-town theme appropriate for the name.

        4. Dazed and Confused

          Re: Timing

          > it's more about perceived good will in the brand and whether the brands could be confused,

          He could argue that there is no risk of confusion, but now Kik can't: their legal missive is proof that they believe that confusion arises, so they've shafted themselves. They can't now argue that there is no confusion because they've legally stated that there is.

      2. Oh Homer
        Terminator

        Re: "published his code before the company was official"

        Sadly, in Canada (where the complainant is based) both trademarks and patents are issued on a "first to file" basis, not a "first to invent" basis.

        This means that a trademark troll can register a trademark on your existing but unregistered brand, then force you to change your brand name, provided that he actually uses his trademark for a commercial product, and that the product in question is of the same general classification as yours (e.g. software).

        Even so, these caveats have not actually dissuaded trademark trolls (such as Apple) from threatening those with similar branding for entirely unrelated classes of products.

  7. thames
    Linux

    This is one of the many things wrong with the way Node.js is used in practice. NPM is dominated by a company called NPM Inc., which basically runs a code hosting site. However, people routinely automatically pull packages from it when they have no idea what is in them or whether any changes have been made in the rat's nest of dependencies that they don't even know exists. If NPM Inc. were to do a SourceForge and start doing who knows what, loads of software systems would be stuffed as their automated develop/test/deploy systems are built around NPM Inc being there and being trustworthy.

    But if you want to use Node.js you pretty much have to get stuff direct from NPM. There's not a lot of direct support for Node.js libraries in typical Linux distros. For example, if I do a search in Ubuntu 14.04, there are only 146 Node.js associated packages. If in contrast I do a search for Python, I get 4656 results. And those 4656 results will in most cases be non-trivial items, useful, and with a reliable history behind them, because they wouldn't get into Debian (and thus Ubuntu) otherwise.

    I evaluated Node.js and Python for a project a couple of years ago. I wrote a simple server which exercised the core functionality where I expected to find the bottleneck. I couldn't find any decisive performance advantages for Node.js, as the "winner" depended upon the nature of the data being sent. Node.js's theoretical JIT advantages were negated by Python's more efficient libraries and the fact that Python has a lot of functionality built into the language syntax (where it runs as the underlying language run time machine code) instead of writing a lot of explicit byte twiddling code. Add to this the fact that a few lines of Python equal many lines of Javascript (e.g. this 11 line string padding function would be a one-liner in Python) and I find it pretty hard from a business perspective to justify writing anything using Node.js.

    P.S. - Look for a repeat of this fiasco with Docker, since Docker Inc. has applied more or less the same "walled garden full of wild toad stools and noxious weeds" business model to the container field.

    P.P.S - The "left-pad" package is at version 0.0.3? WTF? Were there 2 previous versions that had to be fixed? Was he planning on putting out a 1.0 eventually?

    1. Anonymous Coward
      Anonymous Coward

      Re: Thames

      Your claims are incorrect.

      1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.

      2. NPM does actually allow "shrinkwrapping" of dependent modules, which would safeguard your code from a module disappearing on npm.

      3. The attack on Docker is even less warranted since Docker doesn't force anybody to host images with them, rather: every responsible company using Docker in production hosts all required images themselves (software for doing so is widely available).

      4. Node.js will smoke-out any Python code in I/O-intensive operations and nobody knowledgeable ever claimed Node was "faster" than Python for CPU-intensive work. Also that debate is completely out of scope for the article at hand.

      1. Anonymous Coward
        Anonymous Coward

        Re: Thames

        Go will smoke out node.us on any I/O intensive operations.

        1. TheOtherHobbes

          Re: Thames

          >Go will smoke out node.us on any I/O intensive operations.

          Indeed. No one of clue should be using Python or Node for a web server. They're both ludicrously slow - Python more so than Node, but Node isn't exactly speedy.

          Between Django, Flask, Rails, and Node there's so much Lego Level Developer bullshit in that space it's not true.

          See e.g. some benchmarks.

          1. JLV
            Thumb Down

            Re: Thames

            >Indeed. No one of clue

            Generalizations, the hallmark of brilliance. Not.

            https://www.shoop.io/en/blog/25-of-the-most-popular-python-and-django-websites/

            There are plenty of big uns on Django. This was the first link I found and some claims seem dubious, but the fact stands.

            Or would you code a site in C++?

            Java? Please. Much as a missing lpad in JS is silly, didn't Java programmers have to wait till java 7 for a built-in File copy?

            1. Vic

              Re: Thames

              Or would you code a site in C++?

              I've coded sites in C, using apxs.

              I'm not going to claim it's suitable for everyone, but in the right set of circumstances, it gives you a very performant site for minimal coding difficulty. Sometimes, that's the right choice.

              Vic.

      2. Anonymous Coward
        Anonymous Coward

        Re: Thames

        1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.

        I call apples and oranges.

        AIUI, (and hell, I try and keep clear of all this shit) Web 2 "design" loads shit dynamically from places all over The Interwebs. So if any of that breaks, your website/app immediately breaks.

        It hardly needs saying that RedHat/CentOS/Debian/Ubuntu package management works nothing like this.

        For starters, the packages aren't dynamically loaded. And it's all cryptographically signed by the distributor and verified on installation. Does your website demand that the browser does that with every Random Piece of Javashit that it grabs ??

        I could go on....

      3. Tomato42
        FAIL

        Re: Thames

        Red Hat does this little thing called "review" and "Quality Assurance" before the code goes anywhere near the release process, let alone signing and publishing in a repository.

        As does any other half-decent Linux distribution. Hell, even Apple and Google do at least cursory review of the fart apps they ship through their package managers.

        While anyone can publish anything on sites like PyPI, NPM, RubyGems... Admins/Moderators/Owners of those simply Don't Care™

      4. I am the liquor

        Re: Thames

        "1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc."

        Better package managers, like NuGet or Ruby Gems, don't allow users to delete their packages once they've been published, precisely to prevent the problem that has happened here on NPM.

        Of course even with those you still have the risk of your dependencies disappearing due to legal threats or other special circumstances. I've never really felt comfortable relying on pulling my build dependencies from a package manager, even if it is the recommended model with the likes of NuGet.

    2. Anonymous Coward
      Anonymous Coward

      My walled garden

      I specifically to keep wild toads out, so they can leave their stools in somebody else's garden.

    3. nematoad
      Thumb Up

      Good.

      "P.P.S - The "left-pad" package is at version 0.0.3? WTF? Were there 2 previous versions that had to be fixed? Was he planning on putting out a 1.0 eventually?"

      Have an upvote for the correct use of PPS!

      1. Joel 1
        Coat

        Re: Good.

        @nematode

        "Have an upvote for the correct use of PPS!"

        Parliamentary Private Secretary?

        1. Charles 9

          Re: Good.

          "Postquam Post Scriptum".

          But for the record, PSS can be valid, too (as it would mean "Post Super Scriptum").

          1. John Brown (no body) Silver badge
            Happy

            Re: Good.

            "Postquam Post Scriptum"

            Postman Pat Scripting? Or was it just me that read it that way?

    4. To Mars in Man Bras!
      Facepalm

      Sometimes It's OK to Reinvent the Wheel

      *"...Look for a repeat of this fiasco with Docker..."*

      At the risk of sounding like an old codger, I think this is symptomatic of 'the yoof" of today.

      Now I'm all for DRY and "not re-inventing the wheel" but sometimes I think we've gone too far the other way. No fecker bothers to work out how to do anything for themselves any more. They just bolt together a load of packages built by someone else and hope it works.

      I'm in no way a high-level coder, but I do freelance web development, some JS tinkering and server config and I hand-code most of what I do.

      I've been called in on a few occasions to help web developers at design agencies who need something adding to their site, or to troubleshoot when they can't get something to work.

      A lot of the time I find they've no idea what's going on in their own code because they either build the sites in some WYSIWYG app like Dreamweaver without ever looking at the HTML which is being output or –if they're feeling really adventurous, they "Hand Code". By which they mean download Twitter Bootstrap and embed jQuery in it –again, without having any idea what any of the code is doing. I've seen jQuery used on websites, solely to provide some minor functionality that a single line of JavaScript could do.

      Seems to me NPM and [since you mentioned it] Docker are just more examples of this. Only Docker is bringing the practice to server management.

      Instead of actually doing a bit of `apt-get` and setting a few config options, just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't] –congratulations! You are now a "Server Administrator and Back-End Developer"

      1. John Brown (no body) Silver badge
        Facepalm

        Re: Sometimes It's OK to Reinvent the Wheel

        "They just bolt together a load of packages built by someone else and hope it works."

        'round here we call them Lego Coders. Like most three year olds, they recognise the pretty coloured blocks and can make them fit together in some random, occasionally useful, way.

        just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't]

        And this brings us back to the old SF story referenced in another article's comment section the other day, E. M. Forster's 1909 short story "The Machine Stops", or for those who prefer not to read, the BBC Out Of The Unknown episodes, a 100+ year old story of how tech developers don't know how their tech works and can't fix it when it breaks.

  8. Daedalus

    Waaa !!!

    Mr K doesn't just act like a child, he codes like one.

    1. Destroy All Monsters Silver badge

      Re: Waaa !!!

      Hush!

  9. Daniel Voyce

    There is zero need to include an entire package dependency for 11 lines of Javascript!

    Also you have to wonder what was in versions 0.01->0.03?

    1. Anonymous Coward
      Anonymous Coward

      The change log in full

      The change log:

      0.01 - first implementation of leftpad(). Left pad to fixed length of 64 chars. Pad with the fixed string 'banana'. Send padded string to Microsoft telemetry server.

      0.02 - correct logic to left pad rather than right pad. Allow setting of both length and pad character, following user requests.

      0.03 - don't go into an infinite loop if pad string is ''. No longer send padded string to Microsoft. First stable version.

  10. GidaBrasti

    Who is the thief?

    So NPM.js not only re-published the left-pad package against the original author's intentions, it assigned a new maintainer on top of that effectively taking ownership of the module.

    If that isn't stealing, I don't know what is.

    Is this Open Source?

    1. Tom 38

      Re: Who is the thief?

      Yeah, that's basically the definition of open source.

  11. Anonymous Coward
    FAIL

    Bug in leftpad

    If ch isn't a single character, then the len param makes no sense. Calling leftpad with ch set to 'fondue' and len set to 100 won't result in a 100 character string.

    I can see v0.04 being required pretty soon. I could of course submit a patch. But I don't care enough about left padding strings in JS.
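    As an added example (not the left-pad package's code, nor the commenter's), here is a constructed naive padder that shows the multi-character pad problem described above, beside a corrected one that returns exactly `len` characters for any non-empty pad string:

    ```javascript
    // Constructed naive form: prepends the whole pad string once per missing
    // character. With a multi-character pad such as 'fondue' this overshoots
    // `len`, which is the defect the comment above describes.
    function naiveLeftPad(str, len, ch) {
      str = String(str);
      if (ch === undefined || ch === null) ch = ' ';
      ch = String(ch);
      let missing = len - str.length;
      let out = str;
      while (missing-- > 0) {
        out = ch + out;  // adds all of `ch`, not just one character
      }
      return out;
    }

    // Corrected form: treat `ch` as a repeating pattern, generate enough of it
    // to cover the gap, then trim to exactly the number of missing characters.
    // An empty pad string is rejected up front instead of being retried.
    function leftPad(str, len, ch = ' ') {
      str = String(str);
      ch = String(ch);
      if (!Number.isInteger(len) || len < 0) {
        throw new RangeError('len must be a non-negative integer');
      }
      if (ch.length === 0) {
        throw new RangeError('pad string must not be empty');
      }
      const missing = len - str.length;
      if (missing <= 0) return str;  // already long enough: return unchanged
      const repeats = Math.ceil(missing / ch.length);
      const padding = ch.repeat(repeats).slice(0, missing);
      return padding + str;
    }
    ```

    With `ch` set to 'fondue' and `len` to 10, the naive version returns 55 characters while the corrected one returns 'fonduefonx'.
    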

  12. Mark Allread

    1. Why is actual serious commercial software being written in a language where you have to include an external component just to left pad a string?

    2. Why is actual serious commercial software being written using components that are themselves written by unpaid bedroom coders and chancers who have no liability, no SLA etc. Who are the idiot project managers who allow this?

    1. Anonymous Coward
      Anonymous Coward

      1. Because everyone knows Javascript is cool, so software written in it must be cool too.

      2a. See 1.

      2b. The less an IT project manager knows about actual IT, the smarter they think they are. "I'm not an IT guy, I'm a PM, so I've planned in your task to take 3 weeks assuming you started in December. So why isn't it done?"

      1. Prst. V.Jeltz Silver badge

        A company I walked from has just taken on a manager who knows nothing of the subject at hand (IT) because "then he won't get bogged down in the details"

        1. allthecoolshortnamesweretaken

          "We need managers who don't know what can't be done!"*

          *Yes, there is a Dilbert cartoon to that effect. But now that I have told you the punchline, you can just imagine it.

        2. Anonymous Coward
          Anonymous Coward

          It's your job to see he's paralysed by unwanted information as soon as possible.

    2. Anonymous Blowhard

      @ Mark Allread

      1. Why is actual serious commercial software being written in a language where you have to include an external component just to left pad a string?

      Because JavaScript is the only option if you want your application to run in a browser; and lots of people want that because it means applications that don't have to be installed on a client machine, so you don't need to distribute a version for every operating system and then hope the users can install it themselves. JavaScript, like every other language, doesn't have every possible feature, so you have to make it yourself.

      2. Why is actual serious commercial software being written using components that are themselves written by unpaid bedroom coders and chancers who have no liability, no SLA etc.. Who are the idiot project managers who allow this?

      Lots of serious commercial software uses open source software; the advantages to the project manager are cost and the ability to fix or tailor it yourself if you need to. Unless you've never written a significant commercial system, you've probably been doing this yourself, but you just didn't know.

      1. Anonymous Coward
        Anonymous Coward

        Re: @ Mark Allread

        1. Javascript is now being used outside the browser. Node.js is one such runtime. Having to rely on such a large number of incoherent dependencies is a very bad way to design and write code.

        2. Serious commercial software developers like professionally written libraries. If source code is available, that's a plus. But it's not only open source code that is available. I use several closed source commercial libraries for which source code is available. Of course, you pay for it, but the cost is offset by the ability to debug or modify it if needed. If you use open source just because it's cheap, believe me, you have a problem...

        1. Destroy All Monsters Silver badge

          Re: @ Mark Allread

          Javascript is now being used outside the browser. Node.js is one such runtime.

          And not a single justification was ever heard for this cancerous growth.

  13. John Smith 19 Gold badge
    Unhappy

    Developer discovers for profit company will bow to lawyers.

    In other shock news....

    You want to be open source you have to look at all the links in the chain between you and everyone else.

  14. Mage Silver badge

    Bloody stupid!

    "Left-pad was fetched 2,486,696 downloads in just the last month"

    There are LOADS of reasons why the current dependence on 3rd party sites & domains of websites is stupid, not just this example.

    Privacy

    Security (not serving malware if someone hijacks a domain)

    What's wrong with actually storing everything your webpage/site needs on your own server? If it's a site with a lot of transactions you can even cache whatever it is in RAM, or even on another server.

    This is an example of what's wrong with programming and website development. As for people using google's content to make their site go ... Well just stupid and a poke in the eye privacy wise of their users.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bloody stupid!

      That. Have 10,000 upvotes.

    2. Spacedman

      Re: Bloody stupid!

      Unless you're a real idiot developer and deserve to have a broken site you *won't* be loading your JS from lots of random sites. You'll use bower to download the dependencies into your project where they will live quite happily. You then push your site to the server. And the site will work even if the original dependency developer throws their toys out from the package archive.

      What will then break is the build process. The site won't. Nobody has <script src="http://npm.org/left-pad.js"> in their site - alongside the other 2000 script tags you need it would take forever to load.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bloody stupid!

        But what happens when a copied module has a security hole, the original gets updates, and you're left in ignorant bliss? See, it can cut both ways.

      2. John Brown (no body) Silver badge

        Re: Bloody stupid!

        "Unless you're a real idiot developer "

        Unfortunately, there's a lot of them about as evidenced by over 2 million downloads in one month of left-pad.

    3. DaLo

      Re: Bloody stupid!

      It's done so that large libraries will not need to be downloaded by each visitor to your site as many will already have the library cached from another site.

      Therefore, especially for mobile devices, having the various versions of jquery already cached on your device (from visiting a different site which uses the same resource from a central repository) means a much quicker download of your webpage. It can also reduce latency as the CDN is likely to be closer to your users for global queries, reduces bandwidth from your server and helps avoid any browser (or server) limits with parallel requests.

      Sites that do this should use fall back of course to serve locally if the CDN is not available. However, as for privacy most sites are using Google analytics anyway and for all their worth Google servers are pretty secure (at least from randomers).

      There are tradeoffs of course and in an ideal world people would just use specific functions they require written in a pure scripting language (or even just a markup language) and not use libraries at all to minimise bloat etc. However this is the real world and browsers are optimised to run libraries fast and developers are expected to belt out solutions at a high rate of knots.

  15. nick soph

    Sweepstake

    So can we guess a date for Kik's demise by password theft or DoS attack?

    I'm picking April 3rd.

    1. Pascal Monett Silver badge

      Re: Sweepstake

      Heh.

      In any case, I'm guessing we have a new student of the Streisand Effect. Kik is going to find out the hard way what it costs to stir a dev's nest.

      Who knows, might even teach a lawyer or two a lesson.

  16. Anonymous Coward
    Anonymous Coward

    Time Zones vs. Left Pad

    Tom Scott offers YouTube advice about time zones, 'use a library'.

    But padding a string? Seriously? Any rational coder would do that inline, and far more cleverly.

    1. BinkyTheMagicPaperclip Silver badge

      Re: Time Zones vs. Left Pad

      No you wouldn't, if using a language other than javascript. Even if it's a fairly simple function, there's the possibility the library includes an optimised version - either using a method you've not thought of, or varying assembly paths.

      1. Paul Shirley

        Re: Time Zones vs. Left Pad

        ...said library call would be compiled into your local image, not yanked in from a remote site in most languages. However I'm not aware of many languages supporting standard libs with a leftpad function so you'd actually write your own, inline that 1 liner function or embed it in higher level string formatting.

      2. Jason Bloomberg Silver badge

        Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

        I agree with what you are saying, but there is also the possibility a library is full of bloat and dependencies and 'who knows what' and, if an external resource as here, could disappear at any instant or change in some unexpected way which breaks things.

        It's not a binary choice of use libraries or don't, it's a more complicated matter than that.

        I was surprised how much broke for what is such a simple function which I would have in-lined myself. In this case the library could be restored, but it would have been a different matter if it could not have been.

        Hopefully this will be a wake-up call for those who slavishly use third-party libraries without ever considering the consequences of doing so.

        1. Anonymous Coward
          Anonymous Coward

          Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

          Usually I write my own because it's quicker than searching. The rest of the time I write my own because the libs I do find are total crap.

          1. Anonymous Coward
            Anonymous Coward

            Re: Time Zones vs. Left Pad @ BinkyTheMagicPaperclip

            In my case, even the ones I "supposedly wrote" can be found in "The Art of Computer Programming" [Knuth] or the literature since. I pretty much wrap it all in validation code and off I go to the next piece. I've had to create a whopping two original algorithms in my life to date. I even comment in the code as to where I got something and why I'm using that particular code. To me, that's just being [1] honest and [2] letting the maintainers have a heads up if some future "better technique" should come along and where to fix it.

            I'm an engineer which means I build things with the tools and components that Computer Scientists have developed to date. Ain't any different than my approach to nuclear, or any other field of, engineering. Yeah, I really can do the theory end of things (extremely well in truth) but that is not how I want to spend my time, thank you very much.

            Given how development is done these days, I'm actually surprised there wasn't truthfully much more breakage. Dreamweaver (a tool I used to beta regularly for Macromedia way back when) was a leading indicator of where web coding was headed.

  17. Camilla Smythe

    Right what do we call this shit messaging app?

    "Oooooo... how about KiK."

    "Sounds Kool. Where'd the name come from."

    "Oh it's that Left Pad Function I've used all over the place."

    "Bastard. Infringing on our TradeMark. Send the lawyers in."

    1. Roland6 Silver badge

      Re: Right what do we call this shit messaging app?

      "Sounds Kool. Where'd the name come from."

      I keep seeing on my travels and thought what a clever word.

      Kik.co.uk

      Kik-Kid.nl

      kik-textilien.com

      kikschools.org

      kikik.net

      kikradio.com

      ...

      I wonder if the lawyers sent all of these a threatening email...

  18. David Roberts

    Open Source Software??

    I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore. Or suddenly decide to charge you loads of money. Not, of course, mentioning any names such as Microsoft.

    As far as I can see this developer has had a spat with the firm hosting the code, and made it very public by pulling all his code from the repository. Obviously effective from the article here.

    Just needs someone else to pick up the code and re-publish.

    As already commented, hopefully this will make developers think a bit more about where their code comes from. Then again this does make for very Agile coding.

    1. no-one in particular

      Re: Open Source Software??

      > I naively thought the whole point of OSS was that the developer(s) couldn't one day just

      > throw a wobbler and tell you that you couldn't use the code anymore.

      ...

      >made it very public by pulling all his code from the repository

      ...

      >Just needs someone else to pick up the code and re-publish.

      But from the bottom of the article:

      "Meanwhile, Oakland-based Koçulu has hosted his work on GitHub. "

      so it is all still published and accessible - just not from NPM. Ok, that "just" seems to lead to some fun times...

    2. John Brown (no body) Silver badge

      Re: Open Source Software??

      "I naively thought the whole point of OSS was that the developer(s) couldn't one day just throw a wobbler and tell you that you couldn't use the code anymore."

      Open Source means exactly what it says on the tin. The Source is Open for all to see. Depending on how it's licensed, that may be all you can do with it. Look. More likely, it will be licensed in a way you can use it and even redistribute it, but there are likely other terms and conditions attached such as "paying back" your changes, or always attributing the original author, or making your own code which uses the licensed code use the same or a similar licence, or any of a million other conditions. It's quite rare for OSS to be completely free simply because in some jurisdictions that means someone else can come along and copyright/patent/trademark it and effectively legally steal it from you. If you want your code to be free for all to use then you have to release it with a licence stating that it's free to use and modify but that you retain your original rights over the original code at the very least.

  19. Anonymous Coward
    Flame

    Not NPM's only fatal flaw

    If you search for "npm as user", one of the top results is a page I wrote in 2011. Five years later, NPM still wants to be installed as root. WTF.

    I could easily unpublish this page -- linked to by a bunch of Stackoverflow answers and so forth -- and there's not a damn thing anyone can do to get it back because it says "All rights reserved" at the bottom. And if I unpublish in protest, I *will* follow up with takedowns if anyone reposts it.

    I think I'll leave it for now. It's not exactly a ringing endorsement :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Not NPM's only fatal flaw

      "And if I unpublish in protest, I *will* follow up with takedowns if anyone reposts it."

      But then they'll just repost outside your jurisdiction. Ah, the beauty of turning sovereignty against you...

  20. cloned67

    Sometimes it's better not to know what code is behind your libraries :D :D :D

    ... what a $hit of code!!

    Is that really how people write code in Node?

  21. Anonymous Coward
    Anonymous Coward

    Proof

    This is just more evidence for why web developers are not considered real programmers. AC because my boss used to be a web developer (he is not even that good anymore).

  22. msknight

    NPM pushed the panic button

    ...and I think they'll take a hammering for this. Seems to me that Kik deserves to go down the pan also.

  23. Tubz Silver badge

    I'm no expert, but if author pulled all his code and then NPM republished it without permission, is this not copyright infringement of some sort and anybody that hooks in to the code is an accessory ?

  24. Anonymous Coward
    Anonymous Coward

    KIK Germany

    There is a company in Germany called KIK (kik.de). They have nothing to do with software but I am pretty sure that they have been operating for a long time, maybe somebody should tell them that they could sue the kik.com bunch.

  25. martinusher Silver badge

    My reaction -- "WTF"

    This piece of code is a trivial function that I'd use as part of a standard library package; it's not some kind of carefully crafted software component.

    Is this what programming has degenerated into? A random collection of source code fragments, each owned and guarded by some individual (or, worse, some corporation)? Doesn't this show the inherent weakness in relying on distributed script fragments for code distribution? Doesn't it highlight what a mess Javascript is -- it's worse than BASIC because at least BASIC doesn't have pretensions towards being a properly structured language.

    1. Ken Hagan Gold badge

      Re: My reaction -- "WTF"

      "Is this what programming has degenerated into?"

      Nope. It is what JavaScript has degenerated into and it is debatable whether it has actually degenerated. It has always been the case that if your JS program is more than a hundred lines long then you've probably chosen the wrong language. At the time JS was introduced, it was intended to let you fine-tune a web-page with a few DHTML events, but if you wanted to do any actual programming then *obviously* you'd use a proper language and Java was available.

      Sun and Oracle between them have more or less killed off Java in the browser (with years of consistently shit implementations and legal barriers to third parties doing something better), so *now* we have no other language for this platform except JS. The fact that no-one is sufficiently worried to fix this problem means either that nothing important is actually done using browser-side code or that everyone involved is an idiot. You choose.

      Edit: For the avoidance of doubt, I should say that I *like* JS. Its typeless nature makes it really good for really small tweaks, which was its intended domain. I'm just aware that the same characteristics make it really bad for anything really large.

      1. energystar

        Quite historically precise,

        Your assertion.

      2. energystar

        WWW never was intended as an execution environment...

        Not even as a documentation env., but just a humble indexing and hyper-linking one.

      3. Ken Hagan Gold badge

        Re: My reaction -- "WTF"

        Had this turned up yesterday, I'd probably have cited it.

      4. fajensen
        Angel

        Re: My reaction -- "WTF"

        .... either that nothing important is actually done using browser-side code or that everyone involved is an idiot. You choose.

        Why can't we have BOTH?

  26. energystar

    No additional comments.

    "JavaScript is a trademark of Oracle Corporation."

  27. bombastic bob Silver badge

    lazy J.S. code authors created this problem

    this problem was created by lazy J.S. code authors.

    Think about it: how hard _IS_ it to write your OWN 'left script' function? Well, if you KNOW how to CODE, it's trivial.

    But you see all of these javascript 'things' out there depending on other 'things', which depend on other 'things', apparently TRIVIAL things, because nobody knows how to CODE any more [except for a handful of 'thing' authors].

    Everyone ELSE is just chaining up a bunch of 3rd party schtuff into an "app" and calling THAT 'coding'.

    This has grown into a kind of 'DLL Hell' for Javascript. Personally, I'm *GLAD* to see this happen, because I'm *SICK* and *TIRED* of the *ABUSE* of scripting on the web.

    For safety, I surf with the NoScript plugin BLOCKING it, unless I see some compelling reason to ENABLE scripting, and on a site by site basis. Example, I have to enable SOME of the scripting [and temporarily unblock cookies] to post HERE.

    As a result, my pathetic-bandwidth connection isn't hauling gigabytes of CRUFT behind every web site I visit, with that CRUFT being MOSTLY due to embedded TRACKING and ADS anyway. (who wants THAT downloaded, especially if it causes 'overages' in your bandwidth cap)

    CDN's are equally *EVIL*, like enablers of script addicts. It's hard to say WHAT gets enabled if you unblock one of them.

    Often it makes a *LOT* more sense to host the script YOURSELF, on YOUR web server, and maintain it YOURSELF, and trim out everything you DO NOT NEED, instead of relying on CDNs to refresh that MONOLITHIC MONSTROSITY library every time someone adds a comment or changes spelling in some text thing, forcing *THE* *WORLD* to waste MORE bandwidth re-downloading the "package" because it's not smart enough to only refresh 'small changes'. Or whatever.

    [OK some of this is exaggerated to make a point]

    But, if it's possible that "3rd party thing" can BREAK YOUR WEB SITE, you should WAKE UP NOW and FIX this problem (host script on YOUR server), instead of waking up at 0-dark-30 in the middle of a hangover when your cell phone won't stop ringing, and it's work calling, and YOU have to fix it (and it's not YOUR fault - except that you used "that library").

    1. Anonymous Coward
      Anonymous Coward

      Re: lazy J.S. code authors created this problem

      STOP SHOUTING!!!

  28. energystar

    On a correlated tragedy:

    Have you noted how dismal the 'Open' licensing landscape is?

    https://en.wikipedia.org/wiki/List_of_open-source_programming_languages

    Going back to bash/gawk...

  29. To Mars in Man Bras!
    FAIL

    KIK Back

    Kik's head of messenger has posted his version of the story on Medium:

    https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.lblcg37oa

    With liberal sprinklings of my favourite twattisms; "awesome" and "reaching out", it's only helped reinforce my impression that KIK are the dicks of this piece of drama.

    1. Roland6 Silver badge

      Re: KIK Back

      Definitely there are a lot of dicks: Kik.com/KIK Interactive (and patent agent) are the really big ones throwing their weight around for little real reason, NPM in the way they handled their end of the matter and 'Azer' whose responses don't do much to encourage people to support his case...

      A quick look at the EU trademark database ( https://euipo.europa.eu/eSearch/#basic/1+1+1+1/50+50+50+50/KIK ) shows that they aren't the only company to have 'KIK' as a trademark and the others have been registered for longer...

      A further search gives a total of 10 trademarks registered in the name of Kik Interactive/Kik.com

      ( https://euipo.europa.eu/eSearch/#details/owners/470259 ) - these include: KICK, KEEK and K...

    2. Anonymous Coward
      Thumb Up

      Re: KIK Back

      ROFL. As earlier commentards hoped, Kik indeed kicked itself in the arse:

      I found out about this problem like a lot of you, when our builds started failing because we use the extremely helpful JSCS

      1. msknight

        Re: KIK Back

        Best summed up by this post, I believe....

        Will Fife

        20 hrs ago

        Kik -> Azer: We want your name.

        Azer -> Kik: Nope, already have an open source project

        Kik -> Azer: We’ll sue you and make your life a living hell… but really we are nice people.

        Azer -> Kik: Go AWAY

        Kik -> NPM: Halp, developer mean :(

        NPM -> Azer: Company nice… help us make friends with company.

        Azer -> Kik: Fine… 30k and I’ll do whatever you want… everyone has a price.

        Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! But really we are nice.

        Kik -> NPM: Developer mean :(

        Kik -> NPM: LAAAAAWWWYYYEEERRRSSS!!!! Developer mean :(

        NPM -> Azer/Kik: Sorry bro… Company nice.. company have lots of users.. sucks2bu. Kik.. tell me where to send the stolen goods.

        Kik -> NPM: Thanks.

        Azer -> NPM: Fine… I’ll take my ball and go home.

        So, no it wasn’t just a polite request, once you threaten with Lawyers, it's not polite anymore and it's not a request. Your app has been uninstalled, and I hope all the bad press you receive destroys your brand completely.

  30. Cheshire Cat
    Facepalm

    Looks like everyone is being a dick

    Well, from reading the email exchanges made public and so on, it looks like everyone involved is coming off as a dick.

    Koçulu seems to be less than professional and not particularly polite in his responses. The Kik people seem to have opened by threats of legal action if they didn't get what they wanted. When they offered compensation, Koçulu asked for $30K, and there was no negotiation on either side.

    It would have been easier for Kik to have opened with "we'd like to take over the name, because trademark, and offer $10k in compensation". Even paying the asked $30k would have been so much easier and amicable all round. And, Koçulu should have responded a bit more professionally to the initial contacts, and not thrown his toys out of the pram so soon - though I doubt anyone could have predicted how much would break from his removing the code.

    1. calmeilles

      Re: Looks like everyone is being a dick

      > Koçulu seems to be less than professional and not particularly polite in his responses.

      That.

      Not impressed with Kik and not entirely convinced by NPM either.

      But frankly when interacting with a community there's a minimum degree of politeness required and interacting with a business a minimum degree of professionalism.

      Koçulu displayed neither and stamping his feet and taking his toys elsewhere just reinforced that impression.

      1. Number6

        Re: Looks like everyone is being a dick

        > Koçulu displayed neither and stamping his feet and taking his toys elsewhere just reinforced that impression.

        He's probably done the rest of the world a favour though, assuming the world wakes up and takes notice. At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server. If the licence doesn't let you host your own copy then don't use it, because you are vulnerable to it going away or being replaced by something dodgy.

        1. Ken Hagan Gold badge

          Re: Looks like everyone is being a dick

          "At least the pitfalls of using something hosted elsewhere have been highlighted. If you want it, it should be on your own server."

          I think it was demonstrated about 5 seconds after the web was invented that if you depend on an image from a third-party site then the site can replace your image with something defamatory. Translating that experience to "code from a third-party site" doesn't seem a very big leap IMHO.

          On the other hand, I suspect that if web browsers started refusing to load images from third-party sites, we'd discover that people hadn't learned this lesson at all. (There must be a Firefox extension that flags up cases where this is being done, but it probably counts as a terrorism tool now.)

          So my guess is that *we* already knew that third-party code was a rubbish idea, just as *we* know about source code version control systems. But I'm sure there are a lot of people out there whose web-sites were hit by this and who told their bosses in all honesty that it wasn't a problem with *their* web-site. It was a problem elsewhere and could (and did) have happened to anyone.

          1. fajensen

            Re: Looks like everyone is being a dick

            > I suspect that if web browsers started refusing to load images from third-party sites,

            We get THIS ;-)

            """

            Here’s The Thing With Ad Blockers

            We get it: Ads aren’t what you’re here for. But ads help us keep the lights on.

            So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.

            """

      2. Anonymous Coward
        Anonymous Coward

        Re: Looks like everyone is being a dick

        "But frankly when interacting with a community t"

        Community yes. Kik isn't part of that and throwing lawyers around is a declaration of war.

  31. energystar

    "The wording we used here was not perfect..."

    Where's the new one? Sure this is not pure PR.

  32. More Jam

    Kik is deeply sorry that "our lawyers gonna be banging on your door" was interpreted as anything but a polite request.

  33. Richard Lloyd

    Name clashes aren't uncommon - I have one

    I got name-clashed by MySQL (and now MariaDB too) no less - they include a binary called "replace" (despite almost all their binaries having a "mysql" prefix), which was first shipped years after the "replace" utility I wrote was released. A polite request from me asking them to rename it to "mysqlreplace" was ignored, which is annoying because MySQL's replace command is not good to say the least...

  34. thames
    Happy

    Some People Can't Stop Laughing at This

    To show that some people can see the humour in all this, someone has just added a joke Python version of left-pad to Pypi. https://pypi.python.org/pypi/left-pad/

    However he also says: "Make sure to add left-pad to your dependencies in your next project. Or, if you want to reinvent the wheel, go ahead and try to do it with the standard library. s.rjust(len(s) + 2, '+')"

    I had a look at the source, and it's just a one line function wrapper around the standard "rjust" string method.

    One of the really WTF issues with this whole thing is that such a trivial feature has been such a popular third party Node.js module.

    Apache Java StringUtils has a leftPad which bears a lot of resemblance to the Node.js version. I suspect the Node.js Javascript version was inspired by the Apache Java version.

  35. matheuscosta

    I hate when people think that older = smarter.

    Why do you need to link javascript with "kids".

    As someone mentioned, get down off your high horses.

    Be humble, learn from the youngers, from the older.

    Life is made of experiences, not of how long you have lived doing nothing, watching TV or stuck in your bubble of old-days tech and languages.

    The more you talk about all this stuff from the past, trying to look smarter or the knowledge king, the more you look like a kid, trying to get acceptance and reward in the world that you wrongly think you don't fit anymore.

    1. thegroucho

      High horses and stuff

      Age is no guarantee for knowledge, technology proficiency nor coolness.

      You could have made your point in a slightly different manner, but instead you come across in a very patronizing manner.

      I can see the spurs on your boots - ergo, get off *your* high horse.

    2. Anonymous Coward
      Anonymous Coward

      Rightly or wrongly, we old fuckers have made a few more mistakes than the "kids", and if you're not okay with that, wait a few years, see how you feel then about learning from the youngers; try learning from the people who "invented" it, rather than poorly misrepresented it.

    3. Anonymous Coward
      Anonymous Coward

      "I hate when people think that older = smarter.

      Why do you need to link javascript with "kids"."

      False. Older = More experience, so they don't do stupid stuff like this.

      Because no-one older than 30 is using javascript (with 2 year experience, on average), it's literally for youngsters. From my point of view these people are kids.

  36. Anonymous Coward
    Anonymous Coward

    wrote to their chatbot, maybe she has a heart

    https://twitter.com/andrejlr/status/712887779185831936?s=08

  37. SeanC4S

    If you are not being paid I don't see why you can't play games making information appear and disappear from the web. You have a perfect right to do that if you like.

  38. cantankerous swineherd

    npm now obsolete

    https://gist.github.com/rauchg/5b032c2c2166e4e36713

  39. cantankerous swineherd

    kik have a patent agent on the case with their open source software?

  40. Anonymous Coward
    Anonymous Coward

    Straw Man genocide in progress

    ... this thread.

  41. joeybladb

    Wait. What?!??!

    So one day you have the source code, and the next day you DON'T have the source code?!?!? Why oh why?!?!? Is this some kind of Web Developer thing? Didn't anyone think letting others control what goes into your project might be a BAD idea? I'm at a loss here.

    Hopefully a lesson or two was learned this week!

  42. zylstra

    Roberts said: "The wording..."

    Roberts said: "The wording..." What a jackass.

  43. Pwnball

    this can be simplified alot...

    First off.. what's with all the "z n ch" etc variables? It's 2017 for crying out loud, IDEs have been taking care of us for years.. there is zeros (pun intended) reason to shorten variables like that.

    // Pad `originalValue` on the left with `character` until it is `width` characters long.
    function padLeft(originalValue: string, width: number, character?: string): string {
      // The pad character is optional and defaults to '0'.
      character = character || '0';
      // Already wide enough: return the input unchanged. Otherwise build the padding by
      // joining (width - length + 1) empty array slots with the pad character, which
      // yields exactly (width - length) copies of it.
      return originalValue.length >= width
        ? originalValue
        : new Array(width - originalValue.length + 1).join(character) + originalValue;
    }

  44. Hans Acker

    kik package still unused after nearly 3 years

    Great article which I am stumbling across nearly 3 years later. It's interesting to note that Kik never did publish a package under the name that started the whole fiasco. What ever happened to the "open source project" they were working on?

    In fact, npm says this about the kik package: "This package name is not currently in use, but was formerly occupied by a popular package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it."

    It'd be interesting to see an editorial follow up as to what happened to the parties involved.

  45. Not Yb Bronze badge

    Why is ANYONE still bothering to left-pad strings in javascript, when there's an entire browser's worth of formatting code already there to be used?
