This week, one angry programmer broke a whole mess of the software the internet runs on with the simple deletion of one simple program consisting of 11 lines of code.
Everything is OK now. But it’s a strange case that involves copyright lawyers, a petulant developer, and a behind-the-scenes look into how tech titans like Facebook, Spotify, and Netflix make the sausage.
It all starts with a developer named Azer Koçulu, who wrote an otherwise unremarkable piece of code called Kik, an extension for the popular programming language Node.js. Koçulu put his Kik module up on NPM, essentially an App Store for Node.js programmers, as a free download for developers to work into their apps at their leisure.
The other Kik
Kik, the popular social network of the same name, took notice and sent Koçulu an email requesting that he change the name of his module. By Koçulu’s own admission in a blog post, Kik’s initial request was reasonable. Still, Koçulu wouldn’t budge.
« When I started coding Kik, didn’t know there is a company with same name. And I didn’t want to let a company force me to change the name of it, » Koçulu writes.
Given that Kik did have copyright on its side, Koçulu says that NPM CEO Isaac Schlueter took away his ownership of the module in question without asking.
Upset, Koçulu announced in that blog entry that he was removing his Kik from NPM entirely — as well as all of his other code.
It’s likely that nobody would have noticed — except that Koçulu is also the person who created a very silly, very basic, but very popular NPM module called « npm left-pad. » It’s 11 lines long and doesn’t actually do anything complicated, but it’s been downloaded over 575,000 times.
And when it vanished, developers on Reddit, Twitter, and elsewhere definitely took notice.
A house of cards
This is where things get sticky.
A module like npm left-pad is basically a shortcut so a developer doesn’t have to write a whole bunch of basic code from scratch. If a developer calls on an NPM module, it’s basically shorthand for « put this code in later, » and a software compiler will just download the code when the time is right.
Most of the time, this works just fine. But sometimes, software ends up relying on what’s essentially a house of cards: One Node.js module calls on another, calls on another, calls on another. Again, usually it works fine — right up until npm left-pad is taken offline.
Boom — down went the house of cards. Popular software projects like Babel, which helps Facebook, Netflix, and Spotify run code faster, and React, which helps developers build better interfaces, were suddenly broken and no more work could be done with them. Overall, over a thousand software projects were affected, according to the npm blog.
Fixing the problem would require that programmers sift through all of those dependencies, making sure that absolutely nothing relied on that one silly 11-line bit of code.
And so, after a mass outcry from developers all over the world, NPM was forced to « un-un-publish » the code in question, handing it over to a new owner.
In a series of Twitter posts, NPM CTO Laurie Voss says that the company wasn’t totally comfortable handing over what’s still Koçulu’s intellectual property, but much of the software industry had ground to a halt over the issue.
Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it. — Laurie Voss (@seldo) March 22, 2016
Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.
— Laurie Voss (@seldo) March 22, 2016