How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript

An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.

Re:The guy was ripping off leftpad

[Aaden42]

I don't think this proves libraries per-se are bad, but blindly depending on out-of-house software repositories for every build or (worse) every startup/deploy is crazy.

We're a Java house (go ahead, get your ki[c]ks in...), and we use around 100 open source libraries. They're all mirrored locally in an Ivy repository we maintain. No new versions get checked in unless they've passed a reasonable level of scrutiny, and nothing gets deleted unless we delete it.