How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk)
An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the left-hand side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
You can't just take hundreds of man-years of Ph.D level work and dump it into the public domain.
I'm proud of him. What a great move he made.
So, what have we learned?
External dependencies are unsustainable;
JavaScript is unmaintainable;
Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable.
Kik is one letter short of being kike (a racist name for a Jewish person). How brilliant.
I know this is not a popular stance, but this is why I always include all npm package dependencies in my application's git repository. If the package goes away, it's not a problem.
Modern app appers know that only apps can app apps, so apps apped in AppScript are perfectly appy and can NEVER break, unlike LUDDITE software!
Apps!
What could possibly go wrong?
This is just hilarious. What a shit-show, from the bullshit legal threat to the developer's hissy fit to the dependence on an apparently obscure package to implement (lol) left-padding.
Reminds me of someone I knew who was wringing his hands for a few days over which license to use for his super-awesome R function library. He asked me for advice, and I told him that it's ~30 lines of syntactic boiler-plate code so get over yourself and just put it in public domain so that the two people who ever use it can do so easily. But of course, he had to deeply consider the political implications of which flavor of "freedom" he would support.
"They were pure niggers." – Noam Chomsky
Don't know who they are or what they do, but fuck them and boycott whatever it is they sell.
Those who do not learn from commit history are doomed to regress it.
Just kidding, I have no problem with Javascript. By the way, that summary was confusing as hell.
One of the beauties of JS is that it's easy to provide your own functions, so as long as it's only left-pad missing, you could provide your own, right?
function left_pad(str, min_length, pad_char) {
    // Only pad when the input is shorter than the requested width.
    // (The comparison operator was lost in the original post.)
    if (str.length < min_length) {
        // Array(n + 1).join(c) yields exactly n copies of c; the original
        // Array(n).join(c) produced n - 1 and left the result one short.
        str = Array(min_length - str.length + 1).join(pad_char) + str;
    }
    return str;
}
(note, I did not do any sanity/error checking in the function, so do not simply copy/paste, please fill it out if you intend to use it)
Roll your own libraries. No outside dependencies, and you'll probably leave out a lot of the cruft that is there "because."
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Also, when was it made, originally?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Why would you ever build an app that assumed the perpetual existence AND availability of remote, opensource, Internet-hosted code?
The Kik application referenced has iOS, Android, and Windows Phone implementations that all rely on node.js for both overt client-side as well as server-side processing.
Good people go to bed earlier.
Installed Babel. Strange Error messages and babel borked and unusable. Same problem popping up all over the interweb.
Sad. Wanted to start with classes in JS. :-(
Does anyone know when this gets fixed and what the plan is?
We suffer more in our imagination than in reality. - Seneca
But it illustrates a key lesson for open source. So much of the project is not just code, it's governance and culture and how to make smart decisions under pressure in a way that respects the people involved. Node failed to do that, the guy pulled his code, they learned a harsh lesson. Let's see what the post-mortem letter is like to see if they really learned what they needed to.
I've always thought this interconnected pile of stuff, linking across a bunch of domains was lazy, dangerous, and likely to be very brittle.
Sorry, but the interwebs have shown me I can't afford to trust arbitrary code from all over the place, which can change at a moment's notice, and which I know nothing about.
If you've created an infrastructure where tons of stuff breaks because some asshole corporation forces some guy to say "fuck you, you can't have my code", you have a terrible mess. What happens if someone adds some malicious code?
What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?
Jenga tower indeed, it sounds like the state of the art is a bunch of brittle dependencies controlled by a few places, and subject to causing a shit ton of things to happen when someone makes a change.
This reminds me of a company I worked at which had a universal build system ... everything built from scratch every day and wouldn't build if any of its dependencies didn't build. So when some guy broke a component 3 components upstream, nobody could get anything compiled because the system was too stupid to go with the last known good ... and hundreds of developers sat around all day going "but, what do you mean we can't do anything because some guy checked in shit code".
Wow, just wow.
Steaming Heaps of Innovative Technology.
Lost at C:>. Found at C.
My big question is, Is Rust vulnerable to the same kind of problem?
Rust has Cargo which is similar to NPM.
If Cargo and Rust are vulnerable to this kind of problem, why wasn't it caught earlier? Isn't Rust supposed to be an ultra-safe and ultra-secure programming language?
This is what can happen when you use Other People's Code.
The more a project "requires" things other than the language it's written in, the worse the risks get.
The better the programmer, the less OPC they will use.
The best programmers are known by the announcement in their projects that their code was black box and has no external project dependencies. If you must use OPC, you should be looking hard for such a statement.
Of course, today, most "programmers" aren't deserving of the name in the first place. Glorified scriptkiddies at best.
Nonsense. Laughable, even. Quality programmers can build anything. If they're wise, they will.
Damn bossy underwear!!!
For all those who had their modules broken, get a class action lawsuit and sue Kik.
They want to use their landsharks to be bullies? Well, bully them right back!
Does anyone know when this gets fixed and what the plan is?
You could try to read the article.
To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.
If you write *anything* that assumes the perpetual existence of a linked library from somewhere on the internet, you deserve what you get.
Most kids these days don't remember a time where internet access required a dial-up modem -- or it wasn't a 100% certainty it would be available.
If telephones are outlawed, then only outlaws will have telephones.
It's fucking unbelievable how much trouble JavaScript has caused for so many people.
Let's ignore how fundamentally broken it is, as a programming language, in almost every respect. That includes its fucking awful type system, its total lack of real OO (sorry, prototypes are complete shit), its ultra shitty standard library (which is why NPM and this problem exist in the first place), and similar problems.
JavaScript has allowed too many unskilled cranks to shit out way too much broken code. It was one thing when they did it client-side, where it was isolated. Now it's being done server-side, and it's a motherfucking disaster!
Worse, JavaScript has enabled the web advertising industry. JavaScript makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
JavaScript needs to go.
If you really need to use a scripting language server-side, use Lua, or Python, or even goddamn Tcl. All three of them are better than JavaScript in every way.
That's the most amateurish piece of crap code I've seen in a while. Shame on the JS people for tolerating such an implementation! It's about the most inefficient solution you could contrive without simulated annealing.
This is a new interview question: "write left_pad() for me." If I get shit like the code in dispute, NO JOB!!
It also prevents versionitis: where the package didn't go away, but was changed in such a way that it no longer works the way it used to.
Your stance may not be "popular", but it is 100% correct — and very smart.
We can still be hosed by irresponsible changes in the underlying language, and/or irresponsible changes in the underlying OS (if there is one... not always the case.)
Python and Perl have both outright broken older code that was designed to the language spec. Windows and OS X have both broken APIs that were used properly to spec. I'm sure the lists are much, much longer than that -- those are just the cases I'm personally aware of.
And we should take very seriously the idiot "X has been deprecated" warnings in a language or an OS API, because that means some lame-ass bonehead is thinking about doing that very thing to us. Javascript, c libraries, OS APIs...
I've fallen off your lawn, and I can't get up.
And you just publicly debased yourself by betraying any knowledge of "social" media.
What the f**k is that lame kik app BTW??!! Yet Another Chat App??!
I guess people should start naming open source projects using random strings...
This is so stupid...
Look at me mama! This name! "KIK" i'm so creative!!!!
Ironically, it may be Kik's attorneys that acted improperly here. Trademark law allows similar names to be reused for different fields of use, so long as there is not a possibility of confusion/loss of market. Here I seriously doubt that anyone would confuse a Javascript module with a chat application. So quite possibly this was a bogus assertion in the first place, which ended up causing serious damage to a lot of folks.
I follow the development of Signal (https://github.com/WhisperSystems/Signal-Android) and its fork SMSSecure (https://github.com/SMSSecure/SMSSecure). They had a similar problem too, where the developer of material-dialogs decided to remove all old versions of his library after an interface change, resulting in breaking builds (https://github.com/WhisperSystems/Signal-Android/issues/4138). Both projects solved it initially by hosting their own version, and then remove the library completely.
That's why I host all my dependencies myself, per project and on all my projects.
Special font? Self-hosted.
jQuery? Self-hosted.
CSS Toolkit? Self-hosted.
Massive monster webapp lib (like Googles Polymer)? Download, adjust URLs, move to project subdir, host yourself.
Some other lib? Downloaded, stashed and hosted in the project too.
Dependencies are fine, but should always have them under your control.
I'd do the same with binary code.
This is, btw., one of the big problems with many Linux programs.
Thou shalt always mirror your dependencies. Never assume that everything will always be available. That's continuous integration 101.
Second paradigm: mirror even your dependencies source code, if you can.
Stupidity is the root of all evil.
and Azer's unpublished code, along with desiring it not be hosted @NPM on github.
uh oh.
Everybody is taking the lazy route and/or trying to save bandwidth by loading their libraries from foreign sources. Node.js, Google Hosted Libraries (jquery, angular...)
If you make yourself dependent on third parties, you'll get fucked.
He could have updated the module to delete and format the contents of every machine it was run on. I'm kind of surprised this hasn't happened before considering how many modern environments have such slapdash dependency systems. At the very least a packaging system should by default generate and use a lock file which contains a version and a hash of the dependent package. Npm supports a "shrinkwrap" flag but it should be the default.
WTF!
The coder did what was totally normal for a coder. Just enforcing his moral rights. The stuff every author should defend, because that is why our incomes are that high compared to manual laborers!
Everyone out of JS told them that there was a problem with DEPENDENCY hell.
They said no. The problem is unsound technical practices where basically the assumption that all will go well is made to build everything.
The removal of a module was to be expected, like a lot of other things still bound to happen. But the JS community did not care to protect against such a small potential problem.
The problem is never someone doing what he is entitled to. It is people using code without understanding licenses and taking stupid risks.
It's fucking unbelievable how much trouble plumbing has caused for so many people.
Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with toxic lead, its total lack of real modularity (sorry, reservoirs are complete shit), its ultra shitty set of mutually incompatible pipe sizes, materials, and connections (which is why this problem exists in the first place), and similar problems.
Plumbing has allowed too many unskilled cranks to shit out way too many leaky pipes. It was one thing when they did it in Ancient Rome, where it was isolated to a fountain in the town square. Now it's being done in people's houses, and it's a motherfucking disaster!
Worse, plumbing has enabled the for-profit water supply industry. Plumbing makes it trivial for them to track every drop of water you use. If you don't want to fall victim to it, then you have to waste your time turning off a bunch of valves, and digging wells everywhere.
Plumbing needs to go.
If you really need to use a water delivery technology, use a river, or a pond, or even a goddamn barrel. All three of them are better than plumbing in every way.
Serious question, guys. Why do people use NPM or other dependency managers in the first place? Each and every language seems to have its own different dependency manager with its own quirks and problems, such as the one described in TFA. In my company, we just use git with submodules for dependencies. This allows us to easily pull in dependencies regardless of programming language used, or which online git repository they're in, our own or open source. Since we're already using git to manage our own source code, this just made perfect sense from day one, using a single tool to manage all of the source code. So, seriously, what's so great about fragmenting to multiple tools that all do the same job, only for different programming languages, when there is already a centralized tool that we're already using (git) along with these other tools (NPM or otherwise)? Why not just drop these other tools entirely, and avoid the issues mentioned?
Your comment is a superb specimen of the Hipster False Switcheroo fallacy!
It has all of the main characteristics.
Firstly, it involves a topic that hipsters hold dear: JavaScript.
Secondly, you've taken what was a sane, reasonable argument, and switched the words around to turn it into a failed, off-topic, irrelevant "argument" that's factually wrong.
Thirdly, you're oblivious to how your "argument" is failed, off-topic, and irrelevant.
Fourthly, you got wrongfully upmodded by some other hipster fool here.
What a fine specimen, indeed! It's almost like you went through a checklist to finely craft it.
Wait, that's a newly-discovered fifth characteristic!
Fifthly, you've put more effort into creating your failed, off-topic, and irrelevant "argument" than you've put into the artisanal bread you attempt to bake.
Wait, what? A package manager has a CTO? Why is there a SPF in the Javascript world? In the Java world, you would just add an additional repository to your Maven pom.xml and move on. (Or even better, you would already have had your own Artifactory listed, with all your required libraries mirrored there.)
Just one more reason to hate dumbshit "hip" project names instead of actual descriptive names.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Number one rule of programming is you never rely on external libraries being hosted somewhere else. You can't rely on those libraries being available for the lifetime of the project. It is the same using for example Maven to rely on external libraries. This is something you should never do. Always have the libraries local.
the laziness of dev who can't write the one-liner that should be left-pad or the horrible implementation that everyone seems to have settled on.
It's one thing to say if I need to use SSL encryption, or some other sure-to-have-been-developed-already function, I should use a library.
But it seems more and more that library developers suck at the fundamentals of API development, and will indeed import some whiz-bango 3rd, 4th, and 5th-party libraries, each for one tiny function. And the extra libraries will always be called something like sheboyganMarmoset.
The same holds for applications and package managers. How many RPMs in RHEL carry a dependency on ModemManager, despite the fact that virtually no one still uses modems? Installing one RPM often carries 50 cascaded dependencies on far-flung libraries or applications.
It's fucking unbelievable how much trouble your mother has caused for so many people.
Let's ignore how fundamentally broken it is, as a mother, in almost every respect. That includes its fucking awful tit system, its total lack of real OO (sorry, implants are complete shit), its ultra shitty standard library (which is why she can't read in the first place), and similar problems.
your mother has allowed too many unskilled cranks to shit out way too much broken fuck. It was one thing when they did it client-side, where it was isolated. Now it's being done mother-side, and it's a mother fucking disaster!
Worse, your mother has enabled the web advertising industry. your mother makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
your mother needs to go.
If you really need to use a mother, use Lua, or Python, or even goddamn Tcl. All three of them are better than your mother in every way.
I make the analogy between the software dependency tree and the public park. Hundreds of people use it, and walk their dogs, and clean up after them, but it only takes one dog owner who doesn't to stop you and your kids from rolling around in the grass. Unless your dependency tree is locked down completely, you're just waiting for the one piece of s**t to ruin it. And laughing at node while using maven or APT or any other public repo system is hypocrisy.
....applications cried out in pain and were suddenly silenced......
Just trying to make you happy.... ;)
The initial programmer didn't respond professionally; neither did NPM.
This was a cease-and-desist letter over a trademark. The programmer's public statement about the guy being a patent lawyer, even if it's true, it's irrelevant.
All they had to do was either (1) have a lawyer send back a letter saying there was no likelihood of confusion and nobody in their right mind was going to think a node module was an instant messaging app and the like, or (2) change the name--did they even have a lawyer call back, *explain* the problem with a name change, and ask the Trademark holder to let them mark it as deprecated for a year? Or (if they cannot afford an hour or three from a lawyer) do it themselves?
And when withdrawing his packages, the programmer should have been responsible to the open source community and, again, marked packages as deprecated for a period of time before withdrawing them. This was just irresponsible.
go gadget open sores.
It's fucking unbelievable how much trouble people interacting with other people on the internet has caused for so many people.
Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with trolls, its total lack of real insight (sorry, Anonymous' are opinions complete shit), its ultra shitty set of mutually incompatible ideas, memes, and non sequitur invective (WHICH IS THIS SHOUT SHOUTY SHO), and similar problems.
Typing stuff on the Internet has allowed too many unskilled cranks to shit out way too many words. It was one thing when they did it in Ancient Rome, Cicero or Julius Caesar #vinividivici. Awesome. Now it's being done in people's basements, and it's a motherfucking disaster!
Worse, communication has enabled the for-profit media industry. Google makes it trivial for them to track every word you type. If you don't want to fall victim to it, then you have to use a VPN or anonymous mode or TOR or something, I don't know who cares? Just give me my groupon, OK?
Forums need to go.
If you really need to use an idea delivery technology, use a letter, or a parchment, or even a goddamn cave painting. All three of them are better than the Internet in every way.
It doesn't really hurt much to make javascript even more broken. I hardly thought it was even possible. There is no proper standard library, the language is a mess. There is no proper type system (there are barely a set of useful types), lots of totally random problems with scoping, there are no proper object oriented features, and it relies on a mashup of terrible technologies, all badly implemented and totally inconsistent to be used for anything.
I look forward to being able to compile sensible languages to web assembly, so that this horror can die a much desired death.
Incidentally, java seems to be plagued by a similar dependency rash. A typical java project may have over 100 libraries, making it completely unmaintainable. Nobody without a huge team can test, check security issues, and validate such a huge collection of components. Simply not viable for production quality deployment.
Reliance on S3 and the inherent flakiness therein meant running an npm install was rolling the dice as to whether or not your modules would actually download and install.
Anybody who wasn't playing amateur hour already mirrored or had an npm cache in place.
It's absolutely astonishing to me that anyone would deploy JavaScript that depends on the stability of an external library outside of their control.
I had no idea a developer would even consider doing this.
Grabbing a local copy is so easy to do, and the extra disk space/bandwidth is so insignificant -- and the payoff is so high because it eliminates a likely source of instability. What possible justification is there for not doing it?
What is the future of the profession of web development, given that the quality of the developers is obviously so low?
The app's dev should also sue this site. Some folks might not be able to distinguish between yet another chat app and a clothing shop.
...use external libraries so you're not re-inventing the wheel but keep your own copy of those libraries. So, you end up with your own unique island of code, basically cut-and-paste writ large?
I'd say the person who needs to learn a lesson is the author, not Node.
The best thing about this?
1. It's a shitty algorithm because it does repeated string concatenation. It runs in fucking exponential time.
2. In any reasonable fucking language, this is printf("%Ns", str)
It's a shitty ecosystem.
Would be if the messaging app that had it yanked down used his code and that was rendered unusable now
No matter how good it is, it is human nature to always want to make things better.
Let me be upfront about my biases first: Node is trying to solve a problem that really doesn't need to exist: to write everything in one language. It's amazing how much demand there is for it. It's clear that the core libraries and language just can't keep up with developer demands and the number of libraries to fill those demands has exploded out of control. Npm is packed to the gills with vanity projects that are made as a resume item for developers. Sure, there's plenty of these in other ecosystems, but it's amazing what has come to depend on them.
The Node ecosystem is amazingly fragile and it's going to get worse and worse. I fully expect there will be lots of work in the future unwinding the messes people made with it and replacing it with a more appropriate platform.
"And thousands of projects including Node and Babel relied on it."
So you're saying the tower of Babel fell?
In one fell swoop, this person did exactly what free software is trying to prevent: a single overpowered entity who decides to leave and take his ball home with him, thus ruining it for everyone else. Power to the People? Only if our benevolent dictator also gets his way.
It's fucking unbelievable how much trouble I have caused for so many people.
Let's ignore how fundamentally broken I am, as a human, in almost every respect. That includes my fucking awful humor system, my total lack of real life (sorry, facebook posts are complete shit), my ultra shitty set of unforgiven excuses and misconceptions (which is the cause of all this in the first place), and similar problems.
I have allowed too many unskilled cranks to shit out way too much from my broken life. It was one thing when I did it to myself, where it was isolated. Now it's being done to everybody, and it's a motherfucking disaster!
Worse, I have enabled the crazy dudes. I make it trivial for them to call you and keep you on the line. If you don't want to fall victim to it, then you have to waste your time blocking your calls everywhere by default, and selectively enabling the calls where you need it.
I need to go.
If you really need me, use Trump, or Francisco, or even goddamn Mickey. All three of them are better than me in every way.
See here. No one should be using this anyway.
Am I the only one left who absolutely despises Node.js?
Node.js code looks like unmaintainable garbage, like the worst Perl code from the 1990's.
Another developer in my company brought in a dependency upon Node.js recently, and I'm not happy about it. I won't work on the code.
Software is not supposed to be write-once, throw away. Software is meant to be a communication to the next computer programmer, of unknown skill level, of your intentions and the limitations of what you have done. Software always has to be modified, so it has to be readable. If you happen to live in a Western nation, reading code should read like reading a novel and then editing a novel in your language. It should not be a ridiculous mess of punctuation marks, either your code or a novel.
The situation with this package manager is indicative of a don't-give-a-shit attitude, gross inexperience, or simply people who think that they're clever because they have mastered a shit language/environment/syntax/whatever and have cobbled together a shit ecosystem around it.
It's funnier seeing apk and slashdot users make you eat your words amicusnycl https://slashdot.org/comments.... Apk gives users more speed, security, reliability and anonymity. What have you done better? Nothing! Only mere irrelevant ramblings from an insignificant nobody in yourself is all anyone sees from you. I see nobody speak well of work you do. They do of apk in that link above. I found it hilarious in your little failed 'campaign' to try to stop apk posting that you lose there too. Apk's posting as much as ever and you are sitting here with egg on your face. Hahahahahaha! HOW EMBARRASSING FOR YOU amicusnycl in you shooting your big mouth off to have it slapped shut by apk.
How does NPM have the right to restore the module?
Something stinks. Is that you NPM? Bowing to lawyers? How weak.
If developers are working under a license where they can withdraw their source, there is risk to anyone using their code downstream.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
I have long avoided US-based software and its absurd non-export list. What if I know someone from Cuba and want to exchange some ideas? Well, the best thing is to avoid US repos entirely, I thought.
Just now I discovered another nastiness in the US: lawyers.
Cross the street when you see one. Just to be on the safe side...
The code is presumably open source, meaning that NPM can still distribute whatever version they still have. Also, the trademark dispute regards a package named "kik", and not the left fill script the story pertains to.
A bunch of faggots who use it anyway
Yeah, the article says "gone and can not be restored" when it's clearly "will not be restored" since they clearly CAN do it. Logic fail.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
WTF is behind this JavaScript everywhere bit? Who is pushing this and why?
Yet another tale of Citizens-United-type bullying. Freedom = #BernieSanders
It's a common policy statement to avoid being inundated with requests to recover deleted files. The website did have backups and was able to recover that deleted file.
Yep. They negotiated once, now they will have to do it again next time or be called liars. What dumbasses. Almost as big dumbasses as the people linking external scripts