House of cards

Lessons learned from the npm fiasco: How much harm can 11 lines of JavaScript code do?

Gabriela Motroc

Earlier this week, many developers suffered a disruption when Azer Koçulu unpublished packages that JavaScript projects install as dependencies, among them left-pad, an 11-line npm package which had been downloaded more than 575,000 times. Over a thousand software projects were affected.

After Babel, React and other high-profile packages on npm broke due to an unpublished npm package called left-pad, the actors involved in this saga, Azer Koçulu, Kik and npm, each published their own version of how and why 11 lines of JavaScript code managed to cause a meltdown.

What happened?

In recent weeks, developer Azer Koçulu and Kik, an instant messenger app, exchanged e-mails over the use of the name ‘kik’. After failing to reach an agreement, Kik contacted npm to help them resolve the disagreement. The dispute ended abruptly when Azer unpublished his kik package along with 272 other packages, including left-pad. Thousands of projects were affected, as dependent projects failed when requesting the package that had been unpublished. “The duration of the disruption was 2.5 hours,” Isaac Z. Schlueter, CEO of npm, wrote in a blog post.

The story according to Azer Koçulu

Azer wrote in a Medium post that a patent lawyer sent him an e-mail a few weeks ago asking him to unpublish the kik module from npm. After the developer refused, the patent lawyer explained that kik is their registered brand and that the company’s lawyers would be banging on Azer’s door and taking down his accounts. Kik went to npm and Schlueter “accepted to change the ownership of this module, without my permission,” Azer said. “This situation made me realize that npm is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.”

Azer announced that he had unpublished his modules and indicated that “you can either point your dependency to repo directly (azer/dependency) or if you volunteer to take ownership of any module in my GitHub, I’ll happily transfer the ownership.”

The story according to Kik

Mike Roberts, head of messenger at Kik Interactive, sees the story from a different perspective. According to his Medium post, the company decided to use a different name for an upcoming package which will be published on npm “even when we were told we could have the name Kik.” Roberts published the e-mail exchange between Azer Koçulu and the company’s patent agent and pointed out that Kik tried to solve the situation amicably but the developer refused to change the name.

The story according to npm: An unprecedented step

npm praised the manner in which the community stepped in to replace left-pad; the first to do so was Cameron Westlake, who published a functionally identical version of left-pad. Errors continued to pour in because Cameron’s left-pad was published as version 1.0.0 rather than the 0.0.3 that dependents expected, which is why npm “took the unprecedented step of re-publishing the original 0.0.3.”
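Two of the technical points above are easy to check in code: why a replacement published as 1.0.0 did not satisfy dependents that asked for a 0.0.x left-pad (so the original 0.0.3 had to be republished), and how the "point your dependency to the repo directly" advice from Azer's post looks when a package.json is audited for dependencies that would break if their registry entry vanished. The following is an added example written for this article, not code from npm, Kik or Azer Koçulu; it assumes dependents used a caret range such as "^0.0.3" (the article does not quote the exact ranges), and the package.json it audits is constructed.

```javascript
// Added example, not from the article. Minimal semver range check plus a
// dependency-spec audit. Assumption: dependents of left-pad used caret ranges
// such as "^0.0.3"; the article does not quote the exact ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics: "^X.Y.Z" allows changes that do not modify the left-most
// non-zero component. ^1.2.3 is >=1.2.3 <2.0.0, ^0.2.3 is >=0.2.3 <0.3.0, and
// ^0.0.3 is >=0.0.3 <0.0.4, i.e. effectively an exact pin. That is why a
// replacement published as 1.0.0 left every "^0.0.3" dependent still broken.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    return compare(v, lo) >= 0 && compare(v, caretUpperBound(lo)) < 0;
  }
  if (range.startsWith('~')) {
    // Tilde allows patch-level changes only: ~1.2.3 is >=1.2.3 <1.3.0
    const lo = parseVersion(range.slice(1));
    return compare(v, lo) >= 0 && compare(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  return compare(v, parseVersion(range)) === 0; // exact version pin
}

// Classify a dependency spec by how exposed it is to the package being
// removed from the registry or replaced with an incompatible version.
function classifySpec(spec) {
  // Git URL or GitHub "user/repo" shorthand, optionally with "#ref"
  const isGit = /^(?:git\+)?(?:https?|ssh|git):\/\/.+|^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(spec);
  if (isGit) {
    const ref = spec.split('#')[1];
    // A full commit hash is reproducible; a branch name or no ref is not
    return ref && /^[0-9a-f]{7,40}$/.test(ref) ? 'git-pinned-to-commit' : 'git-floating-ref';
  }
  if (/^\d+\.\d+\.\d+$/.test(spec)) return 'registry-exact';
  return 'registry-range'; // ^, ~, *, etc.: resolved at install time
}

function auditDependencies(pkg) {
  const report = {};
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    report[name] = classifySpec(spec);
  }
  return report;
}

// Constructed package.json for demonstration; names other than left-pad are placeholders.
const constructedPackageJson = {
  name: 'example-app',
  dependencies: {
    'left-pad': '^0.0.3',
    'some-lib': '1.4.2',
    'other-lib': 'example-user/other-lib',
    'third-lib': 'git+https://example.invalid/third-lib.git#0123456789abcdef0123456789abcdef01234567',
  },
};

console.log('1.0.0 satisfies ^0.0.3:', satisfies('^0.0.3', '1.0.0'));
console.log('0.0.3 satisfies ^0.0.3:', satisfies('^0.0.3', '0.0.3'));
console.log(auditDependencies(constructedPackageJson));
```

Note that a git dependency pinned to a branch (or with no ref at all, as in the "azer/dependency" form) only solves the disappearing-registry-entry problem; the install is still not reproducible until the ref is a commit hash, and even then the repository itself can be deleted. The classification is deliberately simple and does not cover every spec form npm accepts.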

Npm promised to make the following changes:

  • make it harder to un-publish a version of a package if doing so would break other packages
  • make it harder to maliciously adopt an abandoned package name
  • update its internal policies to help its team stay in sync and address community conflict more effectively.

Community reactions

After Azer Koçulu unpublished his kik package along with 272 other packages, including left-pad, and problems started to appear, the community reacted in different ways. Some developers admitted that relying on other people is not always the right thing to do, others got angry and some started to panic. In the end, everybody learned something from this incident.

Gabriela Motroc
Gabriela Motroc was editor of and JAX Magazine. Before working at Software & Support Media Group, she studied International Communication Management at the Hague University of Applied Sciences.

1 Comment
3 years ago

Harm is caused by NPM, not Azer Koçulu though.