Left-Pad (2024) by oeitho

14 Comments

  • skrebbel
    Posted June 11, 2025 at 8:56 am

    I have to admit that I don't understand half of this blog post, feels like I'm missing some context, but I do like that the "left pad guy" does a post mortem.

    That said, this seems like a weird argument to me:

    > but I still don't understand why NPM didn't take the time to find out if any of my modules were widely used and consider ways to handle the unpublishing without breaking anything

    Sure, NPM's unpublish mechanism was a misdesign, but is he saying that he expected people at the company to manually go through this every time someone did an unpublish? That doesn't seem too reasonable IMO, NPM the company isn't curating NPM the registry. They host it as a public service.

    I can't fault the author all too much here though, if he hadn't triggered "the left-pad incident" then someone else would've not too long after. NPM fixed the problem, by means of a better unpublish policy [0] and that's that.

    [0] https://docs.npmjs.com/policies/unpublish#packages-published…

  • _thisdot
    Posted June 11, 2025 at 9:02 am

    Relevant discussion from the time the left-pad incident happened

    https://news.ycombinator.com/item?id=11349870

  • arturocamembert
    Posted June 11, 2025 at 9:05 am

    left-pad even being a package is pretty funny, no? How many bytes got pumped across CDNs, proxies, build pipelines, etc. just to write a tiny utility function? I'm all for taking advantage of existing solutions, but I can't wrap my head around needing to pad a string and thinking "oh, I bet there's a package for that"

  • lloydatkinson
    Posted June 11, 2025 at 9:06 am

    > On the NPM side, I observed a general condescending attitude towards developers, which led them to make a series of unreasonable decisions and ultimately blame me for all the cost.

    NPM has not really learned much in the time since this event either.

  • aa-jv
    Posted June 11, 2025 at 9:08 am

    As someone who avoids javascript and its attendant ecosystem like it's the Visual Basic plague of the 21st Century, the most interesting aspect of this whole story is the fact that Koçulu disconnected from the tech scene for some time, did some amazing hiking and camping and trail discovery, and now .. 8 years later .. still feels compelled to explain himself.

    Technology is a fickle muse. We nerds obsess over her and degrade ourselves in her service, but she always calls us back into the light.

    As someone who was around for the Morris worm and spent weeks negating its impact, I feel that there is a fundamental issue impacting our ability to make world-changing technology with the current tools. The less we strive to understand the organizational (ethical) failings of technology, the less technology can be used to effect productive change in the realms it is being applied.

    That said, I'm about a month (and a few hundred failed compiles) away from taking my own sabbatical, and I can't help but try to reason what things would be like for me, upon my return after some years, in the technological space I've carved out for my own needs, at much different scales and contexts.

    Perhaps it should become somewhat standard for us technologists to take sabbaticals, more often, and more seriously, in order to give us the context we need to understand the ethical dilemma that impinges upon our technological prowess.

    Koçulu, thank you for your thoughts. I may never be affected by the javascript world, but the lessons it provides from within the temple nevertheless reverberate among the outer chambers ..

  • shellac
    Posted June 11, 2025 at 9:31 am

    It's a minor thing, but:

    > Most of my open source work followed Unix philosophy, so the packages did one thing at a time.

    Nobody has suggested that libc — to take the most obvious example — is against the Unix philosophy. Debates occur around whether commands / daemons do too much (recent poster child being systemd) or aren't composable.

  • pstadler
    Posted June 11, 2025 at 9:36 am

    The version history of the kik package[0] is odd. It has been replaced with a security holding package nine years ago[1].

    [0] https://www.npmjs.com/package/kik?activeTab=versions

  • junon
    Posted June 11, 2025 at 9:39 am

    Maintainer of a few top-10 npm packages here. This makes complete sense.

    Somewhere along the way NPM stopped being cooperative with the community. It cemented itself with the Microsoft acquisition, but was obvious quite a bit before that.

    There were so many cracks with how npm functioned, they weren't cooperating well with the community / mainline Node team, their push to commercial viability was really off-putting and forced, and many of the team members had a somewhat rough reputation.

    Indeed I visited the offices in Oakland (if I recall correctly), and had an… interesting set of interactions there, not particularly positive, that I'll keep to myself.

    The unpublish hole was well known at the time. Everyone blamed left-pad for breaking the internet, as it were, but nobody seemed to come down on npm for the sheer mismanagement of it all.

    If memory serves they forcefully reinstated the package against the maintainer's wishes, which is a divorcement from the people they claimed to serve at best, and legally dubious at worst. Shortly after this they stopped caring much at all about abuse on their platform at all (core.js advertisement spam, anyone?) and haven't really worked with the community on standards, compatibility, etc. after that.

    The npm@5 release was a disaster. The introduction of package lock files couldn't have gone worse, and as I remember it, it was a push to get it out alongside the next Node.js major release (I got the feeling the Node team didn't wait for npm to be ready, which I think is a good thing given npm is a for-profit, or at least acts like one).

    The community outreach during that time of what seemed like endless major, catastrophic bugs and the shaming of the community for putting pressure on them, the pious attitude, was only further proof that npm was no longer an agent of FOSS. I can't remember if left-pad came before or after that but in my head it was all one long drawn out declination of the ecosystem.

    The packages on npm are a meme now; small packages that do trivial tasks, and everyone likes to make fun of it. Maybe it wasn't the best thing, in hindsight. But context is crucial; npm was the first incredibly accessible package manager for an emergent popular technology, almost entirely community managed, with a good system for querying and tight integration with Github's "social coding" spirit.

    It existed very early in the Node lifetime, back before even ES5 was available (we still used `var` and `prototype`!), before JavaScript best practices really existed. Before Node.js was given to the community by Joyent. Before even the Io.js fork and the exit from the long stagnation that was Node 0.10/0.12.

    Nobody knew the best way to do things.

    I can completely understand the author. From a security perspective I'm really thankful left-pad happened, even if it wasn't the reasoning of the author; it made people acutely aware of what relying on corporate interests divested from the communities they claim to serve brings to the table in terms of risk. It started many conversations about supply chain security, redundancy, etc. That's a hard thing to do, and it's made the industry a bit better in the long run.

    Good followup, neat to read this after so long.

  • imtringued
    Posted June 11, 2025 at 9:42 am

    Azer Koçulu has never been a scourge to the NPM ecosystem. Nobody forced anyone to use left-pad. The reason it got included in so many projects is due to messy transitive dependencies.

    Jon Schlinkert on the other hand is going out of his way to produce these micro libraries and then include them in his widely used legitimate projects (handlebars-helpers) with zero willingness to simply integrate them into the projects that actually use them. Here is the deal: Do you want to be trolled? Then use handlebars-helpers, if not, then stop using the damn library.

  • throwaway290
    Posted June 11, 2025 at 9:42 am

    NPM (well, Microsoft) forcibly took the guy's package to give the name to this company: https://www.bbc.com/news/uk-45568276

    Since then the name is basically squatted?

    Whether you use left-pad or not is up to you… but this Kik story is just a bad look for Microsoft all around.

  • majorbugger
    Posted June 11, 2025 at 9:54 am

    Why can Java have reliable utility libraries such as Apache Commons and Google Guava, but JS somehow cannot?

  • iLoveOncall
    Posted June 11, 2025 at 10:13 am

    > Left-pad was like a "death" and "re-birth" moment for me. The part of me passionate about open-source was dead, and something new took over. Now, I'm passionate about business, marketing, running companies / teams

    Wow, I couldn't think of a worse rebirth.

  • heroku
    Posted June 11, 2025 at 10:27 am

    I owned the heroku user name on npm and gave it to official heroku website upon request.

  • incrudible
    Posted June 11, 2025 at 10:27 am

    It was good that this happened. Name squatting is a real problem and when in doubt, err on the side of least surprise. Not having usage statistics was a real problem. Being able to just unpublish was a real problem. Infrastructure relying on trivial 10-liners by opinionated individuals was (and still is) a real problem. Nobody in this situation is truly at fault, because nobody owes anyone anything, yet everyone can learn something from it.

© 2025 HackTech.info. All Rights Reserved.