Parthenon Software Group


Dependencies: Should We Worry?

Posted by: Julianne Chatelain 9 months, 3 weeks ago

On March 22nd, for two and a half hours, programmers discovered that they couldn't build or install some of their code written in JavaScript. Widely used software such as Node (used by LinkedIn and PayPal) and Babel crashed along with many individual projects. Those of us who didn't discover the crashes in our own projects learned about it from this article. Business people may now be asking, “How could the actions of just a few people break the internet? Do I have to worry about this happening with my software?”



Developers worry so you don't have to

It is the job of your software developers to protect you from surprises like this: to make sure your project's dependencies are sensibly chosen and professionally managed.



A longer recap (with optional links)

The problem arose in a repository of open source JavaScript code. JavaScript is one of the basic building blocks of the web. As web sites' requirements have grown over the years, JavaScript's capabilities have evolved to support more of them.

What Is JavaScript, and Can The Internet Exist Without It?

Open Source (originally “free”) Software


NPM is one of several popular repositories of open-source JavaScript. When you use such code in a project, you can specify that each time you build or install the project, it automatically “fetches” the latest version of the code.

The March 22nd problems began on March 11th, with a disagreement between an open source developer, Azer Koçulu, and a patent agent, Bob Stratton, over which of them was going to use the project name “kik” on NPM. Azer was using the name, but Bob’s company had trademarked the three-letter word. NPM’s staff applied their “package name dispute resolution” policy and sided with Bob. Azer removed (“unpublished”) all his code from NPM at about 2:30 pm Pacific Time on March 22nd.

Effective immediately, projects trying to “fetch” any of Azer’s code could no longer be installed or built. Seeing the crashes caused by attempted fetches of Azer’s most popular file, “left-pad”, NPM first put up a new version (common in open source practice) and then took the unprecedented step of “un-un-publishing” the numbered version that most of the fetches were looking for.

As one of NPM’s founders wrote on Twitter: “Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.”

More detail from all sides

Azer's statement
@seldo's breaking news on Twitter
NPM's longer statement
NPM's blog
Analysis



The file at the center of the storm

Azer Koçulu’s “left-pad” was 11 lines of code. Grabbing it from a repository allows developers to fill (“pad”) the entire left side of a string with either zeroes or spaces.

This is something that is often helpful; in the month before this incident, the left-pad code snippet was fetched almost 2.5 million times.

Left-Pad on GitHub
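Two small illustrations of the points above, added here as example code (not Parthenon's code and not the original left-pad package): the first is the kind of short string-padding helper the post says is better written in-house, and the second reads a constructed package.json object and lists which dependencies use a floating version range, so that each install may fetch something different from the last. The package contents and the function names are assumptions for the example.

```javascript
// In-house left pad: fill the left of a string with a character until it
// reaches the requested length. Numbers are accepted and converted to strings;
// a numeric 0 pads with the character '0'; the default pad is a space.
function leftPad(str, len, ch) {
  str = String(str);
  if (ch === undefined || ch === '') ch = ' ';
  ch = String(ch).charAt(0);           // only a single pad character is used
  var missing = len - str.length;
  if (missing <= 0) return str;        // already long enough: return unchanged
  return ch.repeat(missing) + str;
}

// An exact version such as "4.13.4" resolves to the same package every
// install; anything else (^, ~, *, "latest", ">=1.0") is a range that the
// package manager re-resolves to the newest matching release each time.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+$/.test(String(spec).trim());
}

// Return "name@spec" for every dependency that is not pinned to one version,
// looking at both runtime and development dependencies.
function floatingDependencies(pkg) {
  var out = [];
  ['dependencies', 'devDependencies'].forEach(function (section) {
    var deps = pkg[section] || {};
    Object.keys(deps).forEach(function (name) {
      if (!isPinned(deps[name])) out.push(name + '@' + deps[name]);
    });
  });
  return out;
}

// Constructed sample package.json contents (not a real project's file).
var SAMPLE_PACKAGE = {
  dependencies: { 'left-pad': '^0.0.3', 'express': '4.13.4' },
  devDependencies: { 'mocha': '*' }
};

console.log(leftPad(5, 3, 0));                   // "005"
console.log(floatingDependencies(SAMPLE_PACKAGE)); // left-pad and mocha
```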




Dependencies: feel free to ask us about them

The way this issue arose reminds us why we work the way we do.

The coding philosophy at Parthenon, originated by our founders and carried forward today, is that when using open source software on behalf of a client, we ensure that our only dependencies are on modules that are large, well-maintained, and comparatively complete. We then customize that code and the customizations belong to the clients who have commissioned them. We write necessary smaller code snippets ourselves (and/or reuse code from in-house archives).

We take dependencies seriously, and encourage you to ask about them specifically as part of your engagement with Parthenon.
