In recent weeks, developer Azer Koçulu and Kik, an instant messenger app, exchanged e-mails over the use of the name ‘kik’. After failing to reach an agreement, Kik contacted npm to help them resolve the disagreement. The dispute ended abruptly when Azer unpublished his kik package along with 272 other packages, including left-pad. Thousands of projects were affected as dependent projects failed when requesting the unpublished package. “The duration of the disruption was 2.5 hours,” Isaac Z. Schlueter, CEO of npm, wrote in a blog post.
The story according to Azer Koçulu
Azer wrote in a Medium post that a patent lawyer sent him an e-mail a few weeks ago asking him to unpublish the kik module from npm. After the developer refused, the patent lawyer explained that kik is their registered brand and that the company’s lawyers would be banging on Azer’s door and taking down his accounts. Kik went to npm and Schlueter “accepted to change the ownership of this module, without my permission,” Azer said. “This situation made me realize that npm is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.”
Azer announced that he had unpublished his modules and indicated that “you can either point your dependency to repo directly (azer/dependency) or if you volunteer to take ownership of any module in my GitHub, I’ll happily transfer the ownership.”
The story according to Kik
Mike Roberts, head of messenger at Kik Interactive, sees the story from a different perspective. According to his Medium post, the company decided to use a different name for an upcoming package which will be published on npm “even when we were told we could have the name Kik.” Roberts published the e-mail exchange between Azer Koçulu and the company’s patent agent and pointed out that Kik tried to solve the situation amicably but the developer refused to change the name.
The story according to npm: An unprecedented step
npm praised the manner in which the community stepped in to replace left-pad; the first to do so was Cameron Westlake, who published a functionally identical version of left-pad. Errors continued to pour in because Cameron’s left-pad was published as version 1.0.0, which is why npm “took the unprecedented step of re-publishing the original 0.0.3.”
npm promised to make the following changes:
- make it harder to un-publish a version of a package if doing so would break other packages
- make it harder to maliciously adopt an abandoned package name
- update its internal policies to help its team stay in sync and address community conflict more effectively.
After Azer Koçulu unpublished his kik package along with 272 other packages, including left-pad, and problems started to appear, the community reacted in different ways. Some developers admitted that relying on other people is not always the right thing to do, others got angry and some started to panic. In the end, everybody learned something from this incident.