How 17 Lines of Code Took Down Silicon Valley's Hottest Startups
Rewinding a little bit: a few weeks ago a developer named Azer Koçulu got an email from a patent lawyer asking him to remove one of his open source projects from NPM, the directory of open source JavaScript code used by most JavaScript developers.
Azer wasn't interested in taking the project down and told the lawyer he wouldn't comply.
Ultimately, the lawyer won, convincing NPM to transfer ownership of the open source package. While the transfer of that one project wasn't a huge incident on its own, Azer decided to remove all of his work from NPM. He talked about the experience on his Medium profile.
This includes one package called left-pad, which happened to have a single file that was exactly 17 lines of code.
Silicon Valley startups are a hotbed of state-of-the-art JavaScript tooling. Companies like AirBnB, Netflix, ProductHunt, Facebook and many more are using ReactJS, and most are using two other technologies too: WebPack and Babel.
It turns out that for Babel-dependent applications to work, left-pad, these silly 17 lines of code, needed to be on NPM. Immediately, tens (if not hundreds) of thousands of developers were unable to run the command that installs their application's dependencies on any machine.
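To make the dependency chain concrete, here is an added example (not code from the original article) that walks a lockfile-style dependency graph and reports which of a project's direct dependencies would stop installing if a given package disappeared. It assumes the lockfileVersion 1 shape of npm's package-lock.json (dependencies with a requires map), which postdates this incident, and the intermediate package names between babel-core and left-pad are constructed for illustration, not the real Babel chain.

```javascript
// Constructed stand-in for a lockfileVersion 1 package-lock.json. The packages
// between babel-core and left-pad are illustrative, not Babel's actual dependency tree.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "babel-core":       { version: "6.7.4", requires: { "babel-code-frame": "^6.7.4" } },
    "babel-code-frame": { version: "6.7.4", requires: { "line-numbers": "^0.2.0" } },
    "line-numbers":     { version: "0.2.0", requires: { "left-pad": "0.0.3" } },
    "left-pad":         { version: "0.0.3" },
    "react":            { version: "0.14.7" },
  },
};
// The project's own direct dependencies, i.e. what its package.json would list.
const DIRECT_DEPS = ["babel-core", "react"];

// Return every dependency path from a direct dependency down to `target`,
// e.g. ["babel-core", "babel-code-frame", "line-numbers", "left-pad"].
function findPathsTo(lock, directDeps, target) {
  const deps = lock.dependencies || {};
  const paths = [];
  function walk(name, path, seen) {
    if (seen.has(name) || !deps[name]) return; // cycle guard / entry missing from lock
    const here = path.concat(name);
    if (name === target) { paths.push(here); return; }
    const nextSeen = new Set(seen).add(name);
    for (const child of Object.keys(deps[name].requires || {})) walk(child, here, nextSeen);
  }
  for (const d of directDeps) walk(d, [], new Set());
  return paths;
}

// Blast radius: the direct dependencies that would fail to install if `target`
// were unpublished (or replaced by something other than what the lock recorded).
function exposedDirectDeps(lock, directDeps, target) {
  return [...new Set(findPathsTo(lock, directDeps, target).map((p) => p[0]))];
}

// Demo on the constructed data when run directly with `node thisfile.js`.
if (typeof require !== "undefined" && require.main === module) {
  for (const p of findPathsTo(CONSTRUCTED_LOCK, DIRECT_DEPS, "left-pad")) {
    console.log(p.join(" -> "));
  }
  console.log("exposed direct deps:", exposedDirectDeps(CONSTRUCTED_LOCK, DIRECT_DEPS, "left-pad"));
}
```

Against a real lockfile, pass the parsed package-lock.json and the dependency names from package.json; the same walk shows how many of a project's top-level choices quietly rest on one small, unpinned package.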
Laurie Voss, founder of NPM, took to Twitter to explain what the heck was going on.
Hey npm users: left-pad 0.0.3 was unpublished, breaking LOTS of builds. To fix, we are un-un-publishing it at the request of the new owner.
— Laurie Voss (@seldo) March 22, 2016
Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly.
— Laurie Voss (@seldo) March 22, 2016
Full disclosure: the original author un-published his modules on purpose and in protest: https://t.co/9VPZf5c4Mg
— Laurie Voss (@seldo) March 22, 2016
This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many.
— Laurie Voss (@seldo) March 22, 2016
Even within npm we're not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.
— Laurie Voss (@seldo) March 22, 2016
A ton of developers weren't happy about what had just transpired. They turned to the open source community and accused NPM of being run in an irresponsible way.
But the fact is, only 42 minutes after the initial report a GitHub user posted a viable work-around for the problem:
And only a minute after that, the contributors at Babel announced that a new version of Babel had been released as an emergency hotfix, allowing projects to work again.
Shortly after this transpired, a new user came to the rescue and uploaded the package back to NPM, fixing the problem. Laurie Voss updated everyone on the situation.
Enormous, HUGE thanks to @ceejbot and @isntitvacant who solved a brand-new type of ops emergency with grace under fire, and fixed everybody.
— Laurie Voss (@seldo) March 23, 2016
And developers have taken to Twitter under the #NPMGate hashtag to discuss the debacle.
Overall, though, it is an amazing story about how open source developers who don't know each other, perfect strangers, banded together remarkably quickly to repair the state of the open source community.
The NPM modules have since been hijacked.
The saga now known as #NPMgate goes on.
This post originally appeared on Medium.