Npm Tightens Unpublishing Policy after the Internet-Disrupting Kik Fracas – InApps 2022

Last month, the Internet was disrupted with the removal of 11 lines of JavaScript code, called left-pad, from npm’s open source code repository, leaving many Web and application developers scrambling to fix their systems.

The author of those 11 lines, Azer Koçulu, removed the code from npm,  which is pretty much the default library of modules used by Node.js projects, after npm asked Koçulu to rename another module of his called Kik, a development bootstrapping tool that shared the same name as a mobile chat provider that protested to npm about trademark infringement.

Now npm, reeling from the fallout of removing, and subsequently replacement of the left-pad code with duplicate functionality, has changed its policies around how contributors can unpublish their code.

“This week, we’ve seen a lot of discussion about why unpublish exists at all. Similar discussions happen within npm, Inc.,” wrote Ashley Williams, developer community and content manager, in a blog post announcing the changes. “There are important and legitimate reasons for the feature, so we have no intention of removing it, but now we’re significantly changing how unpublish behaves and the policies that surround it.”

Eleven Lines That Broke the Internet

Originally, npm removed Kik at the behest of Kik.com, a mobile chat app. Arguing that the company was defending it Kik trademark, a Kik lawyer had first tried to appeal to Koçulu directly. Only when talks broke down between the two parties did Kik.com submit a dispute with npm, which in turn Koçulu to rename Kik.

Instead, Koçulu unpublished more than 273 of his modules from npm, including left-pad, which pads a line out the left-hand-side with strings with zeroes or spaces.

A small function to be sure, but one widely used. Thousands of projects including React.js and Babel rely on left-pad. The left-pad software was downloaded 2,486,696 times, and its removal left lots of unhappy people. Upon the loss of left-pad, thousands of automated build systems, which were scripted to draw left-pad packages from npm, began failing.

Npm quickly made the executive decision to republish the module under the same name, but with different owners, to stop to the cascade of failing builds around the world. This decision, like the one to remove the original package, was widely questioned.

“None of this puts npm as an organization or as a package manager in a good light,” one internet commenter, War President opined. “They’ll instantly cave to vague threats and willingly change ownership of a package (kik) to do the bidding of a 3rd party in contravention of their own dispute policy.

“Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it,” wrote Laurie Voss, npm chief technology officer, explaining on Twitter the rationale behind republishing the code, which was under an open source license. “This whole situation sucks. We will be carefully considering the issues raised by and publishing a post-mortem later.”

The interwebs blew up with comment threads on Reddit, Slashdot and Medium, where Koçulu first posted the announcement that he was “liberating” his code. Discussions involved the usefulness of code, how leaving one’s build dependent on calling 11 lines of code was just bad, some discussion of trademark law and calling Koçulu either a hero or a spoiled child.

Koçulu’s actions generated a lot of questions, perhaps the most pertinent of which was how could an ecosystem as large and vibrant as the Node.js community be hobbled so quickly by the sudden lack of a single package?

For npm, the ultimate issue was not trademark dispute (which kik.com had a tenuous argument to begin with), or even npm’s package name dispute resolution policy, which worked as expected, the company noted. Rather, it was the ability for contributors to “unpublish” their works without warning.

“We dropped the ball in not protecting you from a disruption caused by unrestricted unpublishing. We’re addressing this with technical and policy changes,” wrote Isaac Schlueter, npm’s “supreme emperor for life,” in a summary of the events posted on the npm blog.

Mikeal Rogers, head of community outreach for the Node.js Foundation.

On Tuesday, the company announced changed to its policy around contributors removing their packages once they are published. Going forward, contributors have the right to unpublish only within the first 24 hours of posting code. After that time, to remove the package, the author must appeal to npm, which will do so only if the package is not listed as a dependency for any other package in the repository. If it is, the author must transfer the ownership to another party, or persuade the owners of all the dependent packages to switch their dependencies.

In essence, the new rules establish that “the stability of the ecosystem is more important than the very rare need to unpublish,” said Mikeal Rogers, head of community outreach for the Node.js Foundation. He noted that this is the first time something like this has happened, even though Node.js has more than 250,000 modules.

Rogers downplayed any worries about Node.js developers being too reliant on dependencies, given the comparative wealth of benefits they bring.

“It encourages innovation in the ecosystem,” he said. “You get these very deep dependency chains, with a lot of tiny little components, but that is really good for developers. Developers want to build applications, not all the infrastructure for the application to exist.”

Feature image via Pixabay.