Parthenon Software Group
It is the job of your software developers to protect you from surprises like this: to make sure your project's dependencies are sensibly chosen and professionally managed.
The March 22nd problems began on March 11th, with a disagreement between an open source developer, Azer Koçulu, and a patent agent, Bob Stratton, over which of them was going to use the project name “kik” on NPM. Azer was using the name, but Bob’s company had trademarked the three letter word. NPM’s staff applied their “package name dispute resolution” policy and sided with Bob. Azer removed (“unpublished”) all his code from NPM at about 2:30 pm Pacific Time on March 22nd.
Effective immediately, projects trying to “fetch” any of Azer’s code could no longer be installed or built. Seeing the crashes caused by attempted fetches of Azer’s most popular package, “left-pad”, NPM first put up a new version (common in open source practice) and then took the unprecedented step of “un-un-publishing” the numbered version that most of the fetches were looking for.
As one of NPM’s founders wrote on Twitter: “Even within npm we’re not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.”
More detail from all sides
Azer Koçulu’s “left-pad” was 11 lines of code. Fetching it from the registry let developers fill (“pad”) the left side of a string out to a chosen length with either zeroes or spaces.
This is something that is often helpful; in the month before this incident, the left-pad code snippet was fetched almost 2.5 million times.
The way this issue arose reminds us why we work the way we do.
The coding philosophy at Parthenon, originated by our founders and carried forward today, is that when using open source software on behalf of a client, we ensure that our only dependencies are on modules that are large, well-maintained, and comparatively complete. We then customize that code and the customizations belong to the clients who have commissioned them. We write necessary smaller code snippets ourselves (and/or reuse code from in-house archives).
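As an added illustration of the approach just described, here is an in-house left-pad written to the behaviour the post attributes to the package, so a build never has to fetch it from a registry. This is example code for this page, not Parthenon’s code and not the original npm package; the function names `leftPad` and `zeroPad` are our own.

```javascript
// In-house replacement for the left-pad behaviour described in the post:
// fill the left side of a string out to `length` with zeroes or spaces.
// Written for this page; not Parthenon's code and not the original npm package.
function leftPad(value, length, padChar = ' ') {
  // Accept numbers as well as strings; anything else is a caller bug.
  if (typeof value !== 'string' && typeof value !== 'number') {
    throw new TypeError('leftPad: value must be a string or number');
  }
  if (!Number.isInteger(length) || length < 0) {
    throw new RangeError('leftPad: length must be a non-negative integer');
  }
  // Exactly one padding character, so the width arithmetic below stays exact.
  const pad = String(padChar);
  if (pad.length !== 1) {
    throw new RangeError('leftPad: padChar must be a single character');
  }
  const str = String(value);
  // Never truncate: input already at or past the target width is returned unchanged.
  if (str.length >= length) {
    return str;
  }
  return pad.repeat(length - str.length) + str;
}

// Convenience wrapper for the zero-padding case the post mentions.
function zeroPad(value, length) {
  return leftPad(value, length, '0');
}
```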
We take dependencies seriously, and encourage you to ask about them specifically as part of your engagement with Parthenon.