How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …


    1. Anonymous Coward
      Anonymous Coward

      Re: But did Kik's website go down?

      It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

      They have a website with the worst privacy policy ever (you can't examine the whole policy, you have to walk through it one chapter at a time), and despite being apparently a Canadian company (don't know this for certain - I'm really starting to dislike companies that don't put their address on their website) I would not trust them with ANY data because they appear to genuinely have no idea how to protect their users.

      Not that I would ever use them anyway as I'm quite happy with the apps I have, and I am rather unimpressed by how they took this on. Overzealous lawyers are IMHO more a corporate risk than a benefit.

  1. Duncan Macdonald Silver badge
    Mushroom

    Copyright infringement ?

    Could Azer Koçulu sue NPM for copyright infringement by including his code against his wishes ?

    1. SE

      Re: Copyright infringement ?

      I hope so. I've no idea what NPM's terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

      Truly pathetic.

      1. djack

        Re: Copyright infringement ?

        It depends on the license of the code. If it was licensed under any 'usual' open source licence then re-publishing shouldn't be a problem.

      2. Anonymous Coward
        Anonymous Coward

        Re: Copyright infringement ?

        No, it is not. Code published on NPM is open-source and anybody can republish/fork/modify it.

        1. timcroydon

          Re: Copyright infringement ?

          No, that's wrong. Every package has its own license, which may or may not be permissive. E.g. often see GPL, MIT or Apache licenses.

          I notice that the left-pad utility in question actually has no explicit license so is covered under normal copyright laws which could raise interesting questions for users who haven't checked they've got explicit permission to use it anyway.

          1. BinkyTheHorse
            Boffin

            @timcroydon

            I dunno, old status page shows the license as BSD:

            http://web.archive.org/web/20150922113035/https://www.npmjs.com/package/left-pad

            The author now updated the meta info to WTFPL, which is decidedly non-FOSS-compliant ;), but still works in this case.

            Of course the salient point is whether metainformation constitutes a valid license specification. IANAL, but I suspect NPM have a strong case in that regard (not that I condone their general behavior, as stated in the prior post).

            1. Anonymous Coward
              Mushroom

              Re: @timcroydon

              IANAL, but I don't think it's legally open-source. The only words about copyright/license in the entire commit history (at https://github.com/azer/left-pad) are these two tags in package.json:

              "author": "azer", "license": "WTFPL" [originally "BSD"]

              No BSD license text. No "Copyright 2014 (real name or alias)".

              DMCA takedown in 5... 4... 3...

              1. War President
                FAIL

                Re: @timcroydon

                None of this puts npm as an organization or as a package manager in a good light. They'll instantly cave to vague threats and willingly change ownership of a package (kik) to do the bidding of a 3rd party in contravention of their own dispute policy. If you terminate your agreement with npm, they'll keep your IP (left-pad) if it suits them, in contravention of their own terms of use. Who was it that removed the BSD license and changed it to WTFPL? If not the author or at their behest, then someone violated the license terms.

                To my mind, it also seems a little worrisome that there are so many dependencies built into these packages. You really need to add a dependency for a simple text padding function? Really?

            2. tekHedd

              Re: @timcroydon

              Actually, I was reading about WTFPL recently, and it is a valid open source license. (see the FAQ) I mean, come on, what's more open and free than "do what the f- you want"?

              1. John Brown (no body) Silver badge
                Joke

                Re: @timcroydon

                "I mean, come on, what's more open and free than "do what the f- you want"?

                Does that mean I'm free to copyright it?

                1. JBowler

                  Re: @timcroydon

                  >"I mean, come on, what's more open and free than "do what the f- you want"?

                  >Does that mean I'm free to copyright it?

                  It's a license to use something to which someone else has copyright. Copyright is the possession of the *author*.

                  Copyright can be assigned but the *license* doesn't assign the copyright (and it can't, logically; then it would be a copyright assignment, not a license.)

                  You can copyright any derivative, but if you ask a lawyer the lawyer will still want to speak to the author of the original work.

                  That's why when you go to work for someone else they ask you to sign away all your copyright rights. Oh, no, they don't actually *ask*, it just happens when they pay you (see the 'for hire stuff', and this is only in the US, which didn't adopt standard copyright laws until very late):

                  http://dearauthor.com/features/reclaiming-your-copyright-after-thirty-five-years/

                  John Bowler <jbowler@acm.org>

      3. Anonymous Coward
        Anonymous Coward

        Re: Copyright infringement ?

        If he ever published the code under a permissive license, there's nothing wrong with re-publishing.

      4. Michael Wojcik Silver badge

        Re: Copyright infringement ?

        I've no idea what NPM's terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

        And in the time it took them to write that PR statement, they could have written their own implementation of "left-pad" and published it under the old name and version, avoiding any legal or ethical issues around restoring the original code.

        Ah, well. Maybe this will be an object lesson for people who use NPM, and maybe it'll draw some well-deserved ire down on Kik.

    2. BinkyTheHorse
      FAIL

      Re: Copyright infringement ?

      Well, if he published it under one of the FOSS-compliant licenses (or a few of the non-compliant OS ones), as long as NPM had a copy of the package, they were free to republish without violating the license. And in general it's a Good Thing™.

      However, fail icon since the NPM folks clearly made a half-assed job PR-wise and acted shittily towards the developer - it doesn't seem likely that the trademark case would hold up in court.

    3. Voland's right hand Silver badge

      Re: Copyright infringement ?

      Come on, the code in question is trivial.

      As a few people pointed out, this is like something taken from a 30+ year old BASIC tutorial. It will probably fail the Lego test of copyright - you cannot copyright the "natural form" of something. You can patent it, but not copyright it.

      Granted, JavaScript is a primitive language, but nonetheless, even with all of its primitiveness I would have expected it to do this as a part of the base spec (*) in one line. Python and Perl certainly do - * and x operators on strings respectively.

      (*) I am aware that char repetition was added to the spec last year. That is still not pattern repetition or string repetition, which Perl has been able to do for more than 20 years in a single statement and Python for more than 15.

      1. Anonymous Coward
        Anonymous Coward

        Re: Copyright infringement ?

        > Come on, the code in question is trivial.

        So? Left-pad was the canary in the coal mine. Just wait until someone unpublishes a non-trivial NPM package that never had a definitive open-source license. They're probably reading these comments right now...

  2. AustinTX

    Take Your Ball And Leave, Will Ya?

    Bwaha! We stole your ball back!

  3. 2+2=5 Silver badge

    Timing

    Did he first publish his kik code before kik the company were founded?

    (I've no idea how to check publish dates on NPM) :-(

    1. Shadow Systems Silver badge

      Re: Timing

      Exactly. If he published his code before the company was official then he can turn the whole thing on its head & sue them for the very thing they're claiming he's done.

      I hope he can, does, wins, & gets enough in damages/penalties to put the bastards out of business.

      Yes an application developer deserves to be paid for their hard work, but not if you're doing it by shafting the programmers that make your code possible in the first place.

      1. timcroydon

        Re: Timing

        Timing has little to do with trademark infringement, it's more about perceived good will in the brand and whether the brands could be confused, i.e. whether they cover the same 'class of goods'. Don't know what either Kik does though really so no idea if that's the case or not.

        1. Anonymous Coward
          Anonymous Coward

          Re: Timing

          "Timing has little to do with trademark infringement, it's more about perceived good will in the brand and whether the brands could be confused, i.e. whether they cover the same 'class of goods'"

          Except in the US where Intel were able to stop an HR company calling itself Gentium (!).

          The real problem is that US law has no concept of "de minimis non curat lex" which in this country would get any potential case thrown out as the risk of confusion was so obviously zero.

          (And I hope Kik the company dies painfully of negative cashflow while its executives are left to beg on the streets of Juarez, but that's just my view.)

        2. Anonymous Coward
          Facepalm

          Re: Timing

          > whether the brands could be confused, i.e. whether they cover the same 'class of goods'

          By threatening to sue, Kik implicitly asserted that that's the case. Oops... muahahah.

          1. JetSetJim Silver badge
            Headmaster

            Re: Timing

            >> whether the brands could be confused, i.e. whether they cover the same 'class of goods'

            >By threatening to sue, Kik implicitly asserted that that's the case. Oops... muahahah.

            It may well depend on what classes of goods Kik have trademarked with this branding - while they may currently be known for some shoddy messaging app, they may have also trademarked "Kik" in a variety of places/contexts.

            A long time ago, there were a few articles laughing and pointing fingers at Mick Jagger for filing trademarks on his name in a variety of classes involving soap and perfume. Lawyer-type back talk was that he did this merely to prevent someone else from doing it.

            I still think Kik are behaving shittily, though

        3. Charles 9 Silver badge

          Re: Timing

          " it's more about perceived good will in the brand and whether the brands could be confused."

          Classic example I put up. The name "Cracker Barrel" has at least TWO non-conflicting registered trademarks (meaning the government has looked at them and agreed they're non-conflicting): one belongs to Kraft for a brand line of cheeses, the other belongs to a restaurant chain with an old-town theme appropriate for the name.

        4. Dazed and Confused

          Re: Timing

          > it's more about perceived good will in the brand and whether the brands could be confused,

          He could argue that there is no risk of confusion, but now Kik can't: their legal missive is proof that they believe that confusion arises, so they've shafted themselves. They can't now argue that there is no confusion because they've legally stated that there is.

      2. Oh Homer
        Terminator

        Re: "published his code before the company was official"

        Sadly, in Canada (where the complainant is based) both trademarks and patents are issued on a "first to file" basis, not a "first to invent" basis.

        This means that a trademark troll can register a trademark on your existing but unregistered brand, then force you to change your brand name, provided that he actually uses his trademark for a commercial product, and that the product in question is of the same general classification as yours (e.g. software).

        Even so, these caveats have not actually dissuaded trademark trolls (such as Apple) from threatening those with similar branding for entirely unrelated classes of products.

  4. thames
    Linux

    This is one of the many things wrong with the way Node.js is used in practice. NPM is dominated by a company called NPM Inc., which basically runs a code hosting site. However, people routinely automatically pull packages from it when they have no idea what is in them or whether any changes have been made in the rat's nest of dependencies that they don't even know exists. If NPM Inc. were to do a SourceForge and start doing who knows what, loads of software systems would be stuffed as their automated develop/test/deploy systems are built around NPM Inc being there and being trustworthy.

    But if you want to use Node.js you pretty much have to get stuff direct from NPM. There's not a lot of direct support for Node.js libraries in typical Linux distros. For example, if I do a search in Ubuntu 14.04, there are only 146 Node.js associated packages. If in contrast I do a search for Python, I get 4656 results. And those 4656 results will in most cases be non-trivial items, useful, and with a reliable history behind them, because they wouldn't get into Debian (and thus Ubuntu) otherwise.

    I evaluated Node.js and Python for a project a couple of years ago. I wrote a simple server which exercised the core functionality where I expected to find the bottleneck. I couldn't find any decisive performance advantages for Node.js, as the "winner" depended upon the nature of the data being sent. Node.js's theoretical JIT advantages were negated by Python's more efficient libraries and the fact that Python has a lot of functionality built into the language syntax (where it runs as the underlying language run time machine code) instead of writing a lot of explicit byte twiddling code. Add to this the fact that a few lines of Python equal many lines of Javascript (e.g. this 11 line string padding function would be a one-liner in Python) and I find it pretty hard from a business perspective to justify writing anything using Node.js.

    P.S. - Look for a repeat of this fiasco with Docker, since Docker Inc. has applied more or less the same "walled garden full of wild toad stools and noxious weeds" business model to the container field.

    P.P.S - The "left-pad" package is at version 0.0.3? WTF? Were there 2 previous versions that had to be fixed? Was he planning on putting out a 1.0 eventually?

    1. Anonymous Coward
      Anonymous Coward

      Re: Thames

      Your claims are incorrect.

      1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.

      2. NPM does actually allow "shrinkwrapping" of dependent modules, which would safeguard your code from a module disappearing on npm.

      3. The attack on Docker is even less warranted since Docker doesn't force anybody to host images with them, rather: every responsible company using Docker in production hosts all required images themselves (software for doing so is widely available).

      4. Node.js will smoke-out any Python code in I/O-intensive operations and nobody knowledgeable ever claimed Node was "faster" than Python for CPU-intensive work. Also that debate is completely out of scope for the article at hand.

      1. Anonymous Coward
        Anonymous Coward

        Re: Thames

        Go will smoke out node.js on any I/O intensive operations.

        1. TheOtherHobbes

          Re: Thames

          >Go will smoke out node.js on any I/O intensive operations.

          Indeed. No one of clue should be using Python or Node for a web server. They're both ludicrously slow - Python more so than Node, but Node isn't exactly speedy.

          Between Django, Flask, Rails, and Node there's so much Lego Level Developer bullshit in that space it's not true.

          See e.g. some benchmarks.

          1. JLV
            Thumb Down

            Re: Thames

            >Indeed. No one of clue

            Generalizations, the hallmark of brilliance. Not.

            https://www.shoop.io/en/blog/25-of-the-most-popular-python-and-django-websites/

            There are plenty of big uns on Django. This was the first link I found and some claims seem dubious, but the fact stands.

            Or would you code a site in C++?

            Java? Please. Much as a missing lpad in JS is silly, didn't Java programmers have to wait till Java 7 for a built-in File copy?

            1. Vic

              Re: Thames

              Or would you code a site in C++?

              I've coded sites in C, using apxs.

              I'm not going to claim it's suitable for everyone, but in the right set of circumstances, it gives you a very performant site for minimal coding difficulty. Sometimes, that's the right choice.

              Vic.

      2. Anonymous Coward
        Anonymous Coward

        Re: Thames

        1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.

        I call apples and oranges.

        AIUI, (and hell, I try and keep clear of all this shit) Web 2 "design" loads shit dynamically from places all over The Interwebs. So if any of that breaks, your website/app immediately breaks.

        It hardly needs saying that RedHat/CentOS/Debian/Ubuntu package management works nothing like this.

        For starters, the packages aren't dynamically loaded. And it's all cryptographically signed by the distributor and verified on installation. Does your website demand that the browser does that with every Random Piece of Javashit that it grabs ??

        I could go on....

      3. Tomato42
        FAIL

        Re: Thames

        Red Hat does this little thing called "review" and "Quality Assurance" before the code goes anywhere near the release process, let alone signing and publishing in the repository.

        As does any other half-decent Linux distribution. Hell, even Apple and Google do at least cursory review of the fart apps they ship through their package managers.

        While anyone can publish anything on sites like PyPI, NPM, RubyGems... Admins/Moderators/Owners of those simply Don't Care™

      4. I am the liquor Silver badge

        Re: Thames

        "1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc."

        Better package managers, like NuGet or Ruby Gems, don't allow users to delete their packages once they've been published, precisely to prevent the problem that has happened here on NPM.

        Of course even with those you still have the risk of your dependencies disappearing due to legal threats or other special circumstances. I've never really felt comfortable relying on pulling my build dependencies from a package manager, even if it is the recommended model with the likes of NuGet.

    2. Anonymous Coward
      Anonymous Coward

      My walled garden

      Is specifically to keep wild toads out, so they can leave their stools in somebody else's garden.

    3. nematoad Silver badge
      Thumb Up

      Good.

      "P.P.S - The "left-pad" package is at version 0.0.3? WTF? Were there 2 previous versions that had to be fixed? Was he planning on putting out a 1.0 eventually?"

      Have an upvote for the correct use of PPS!

      1. Joel 1
        Coat

        Re: Good.

        @nematode

        "Have an upvote for the correct use of PPS!"

        Parliamentary Private Secretary?

        1. Charles 9 Silver badge

          Re: Good.

          "Postquam Post Scriptum".

          But for the record, PSS can be valid, too (as it would mean "Post Super Scriptum").

          1. John Brown (no body) Silver badge
            Happy

            Re: Good.

            "Postquam Post Scriptum"

            Postman Pat Scripting? Or was it just me that read it that way.

    4. To Mars in Man Bras!
      Facepalm

      Sometimes It's OK to Reinvent the Wheel

      *"...Look for a repeat of this fiasco with Docker..."*

      At the risk of sounding like an old codger, I think this is symptomatic of 'the yoof" of today.

      Now I'm all for DRY and "not re-inventing the wheel" but sometimes I think we've gone too far the other way. No fecker bothers to work out how to do anything for themselves any more. They just bolt together a load of packages built by someone else and hope it works.

      I'm in no way a high-level coder, but I do freelance web development, some JS tinkering and server config and I hand-code most of what I do.

      I've been called in on a few occasions to help web developers at design agencies who need something adding to their site, or to troubleshoot when they can't get something to work.

      A lot of the time I find they've no idea what's going on in their own code because they either build the sites in some WYSIWYG app like Dreamweaver without ever looking at the HTML which is being output or – if they're feeling really adventurous – they "Hand Code". By which they mean download Twitter Bootstrap and embed jQuery in it – again, without having any idea what any of the code is doing. I've seen jQuery used on websites, solely to provide some minor functionality that a single line of JavaScript could do.

      Seems to me NPM and [since you mentioned it] Docker are just more examples of this. Only Docker is bringing the practice to server management.

      Instead of actually doing a bit of `apt-get` and setting a few config options, just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't] – congratulations! You are now a "Server Administrator and Back-End Developer"

      1. John Brown (no body) Silver badge
        Facepalm

        Re: Sometimes It's OK to Reinvent the Wheel

        "They just bolt together a load of packages built by someone else and hope it works."

        'round here we call them Lego Coders. Like most three year olds, they recognise the pretty coloured blocks and can make them fit together in some random, occasionally useful, way.

        "just press the big magic button and the internet unicorns will set everything up for you. It doesn't matter that you haven't a clue what's going on and have no idea how any of it works [or what to do when it doesn't]"

        And this brings us back to the old SF story referenced in another article's comment section the other day, E. M. Forster's 1909 short story "The Machine Stops", or for those who prefer not to read, the BBC Out Of The Unknown episode: a 100+ year old story of how tech developers don't know how their tech works and can't fix it when it breaks.

  5. Daedalus Silver badge

    Waaa !!!

    Mr K doesn't just act like a child, he codes like one.

    1. Destroy All Monsters Silver badge

      Re: Waaa !!!

      Hush!

  6. Daniel Voyce

    There is zero need to include an entire package dependency for 11 lines of Javascript!

    Also you have to wonder what was in versions 0.01->0.03?

    1. Anonymous Coward
      Anonymous Coward

      The change log in full

      The change log:

      0.01 - first implementation of leftpad(). Left pad to fixed length of 64 chars. Pad with the fixed string 'banana'. Send padded string to Microsoft telemetry server.

      0.02 - correct logic to left pad rather than right pad. Allow setting of both length and pad character, following user requests.

      0.03 - don't go into an infinite loop if pad string is ''. No longer send padded string to Microsoft. First stable version.

  7. GidaBrasti

    Who is the thief?

    So NPM.js not only re-published the left-pad package against the original author's intentions, it assigned a new maintainer on top of that effectively taking ownership of the module.

    If that isn't stealing, I don't know what is.

    Is this Open Source?

    1. Tom 38 Silver badge

      Re: Who is the thief?

      Yeah, that's basically the definition of open source.

  8. Anonymous Coward
    FAIL

    Bug in leftpad

    If ch isn't a single character, then the len param makes no sense. Calling leftpad with ch set to 'fondue' and len set to 100 won't result in a 100 character string.

    I can see v0.04 being required pretty soon. I could of course submit a patch. But I don't care enough about left padding strings in JS.
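An illustrative left-pad in JavaScript, added here as an example (my own code, not the original left-pad package's), that reproduces the overshoot this comment describes when the pad string is longer than one character, next to a version that pads to exactly `len`; the function names `leftpadLoose` and `leftpadExact` are my own.

```javascript
// Loose variant in the style the comment describes: keep prepending `ch`
// until the string is at least `len` long. With a multi-character `ch`
// the last iteration overshoots, so `len` is not honoured.
function leftpadLoose(str, len, ch) {
  str = String(str);
  ch = ch === undefined ? ' ' : String(ch);
  // Without this guard an empty pad string would never grow `str`
  // and the loop below would spin forever.
  if (ch === '') throw new RangeError('pad string must not be empty');
  while (str.length < len) {
    str = ch + str;
  }
  return str;
}

// Exact variant: work out how many characters are missing, build the
// padding from repeated copies of `ch`, and cut it to that length so the
// result is exactly `len` characters (or unchanged if already long enough).
function leftpadExact(str, len, ch) {
  str = String(str);
  ch = ch === undefined ? ' ' : String(ch);
  const missing = len - str.length;
  if (missing <= 0) return str;
  if (ch === '') throw new RangeError('pad string must not be empty');
  const repeats = Math.ceil(missing / ch.length);
  return ch.repeat(repeats).slice(0, missing) + str;
}

// Constructed check using the comment's own example: pad with 'fondue'
// to a target length of 100. Returns the lengths both variants produce.
function fondueLengths() {
  return {
    loose: leftpadLoose('abc', 100, 'fondue').length, // 105: overshoots
    exact: leftpadExact('abc', 100, 'fondue').length, // 100: on target
  };
}
```

`String.prototype.padStart` (ES2017) truncates the pad string the same way `leftpadExact` does, so on a current runtime the whole utility is `'abc'.padStart(100, 'fondue')`.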
