Why it's finally time for developers to address the chaos of Node.js and NPM

Multiple overlapping packages that perform effectively identical functions have become a problem too large to ignore in NPM.

Node.js is a uniquely weird platform. In particular, there is one really good example of "who possibly thought this was a good idea" that is easy to point to, because of the outbreak of chaos that surrounded it.

In 2016, the messaging service Kik (think LINE, except Canadian) requested that developer Azer Koçulu—who had an unrelated package with the same name—change the name of his package in the NPM package manager. After declining, lawyers representing Kik contacted NPM CEO Issac Schlueter, who reassigned ownership of the package to Kik. Koçulu unpublished all of his modules from NPM in protest, among them the "left-pad" package, breaking everything in deployment that depended on the package.

The left-pad package was used by Node and Babel, among other things. It had been downloaded 575,000 times in the week prior to the incident, according to ZDNet. The fallout was bad enough that NPM had un-unpublished the package in order to fix the situation. With a name like "left-pad," what clearly critical thing does this package do that requires importing this package?

It's this:

module.exports = leftpad;
function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  return str;

It pads. Left. As the name implies. It would be troubling if it did something else.

Now, think about this situation. The package naming problem is a confluence of the forceful use of lawyers and a quick reaction to a programmer having the rug pulled out from under him. You should draw your own conclusions about the appropriateness of involving lawyers in this situation, and the appropriateness of Koçulu's reaction. You should also draw your own conclusions about the design of a package manager that allows a widely-deployed package to be globally unpublished without delay, which breaks production systems.

That is not the primary problem.

The problem is that so many things could be broken by a package that pads left. Who needs this package? Why would you create a dependency for something this obvious?

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

NPM is littered with packages exactly like this. JavaScript doesn't have a standard library, which leaves Node.js programmers with the option of either writing basic string handling functions every time they start a new project, or importing individual packages each time they run into something that needs to be done in order to complete the actual goal of the program.

NPM enables this behavior by making packages like left-pad trivial to import. Under other circumstances, many programmers would likely just copy something from Stack Overflow or similar websites. The quality of that code and applicability of that code to the intended use case are likely suspect. NPM, for its flaws, creates a chain of ownership for the imported code, not just a patchwork of snippets found on message boards.

The earlier problem of sudden package unpublishing—which is still possible in NPM despite the left-pad incident—makes the prospect of having even moderate amounts of imported packages unappealing. The lack of real security in NPM makes the frequency of importing packages for trivial things a problem, as David Gilbertson noted in this essay from January about code insertion and living "in an age where people install npm packages like they're popping pain killers."

So, with a combination of this historical problem with "micropackages" and reasonable caution about security, the internet hive mind has descended upon one prolific programmer: Jon Schlinkert. Schlinkert is designing "a supply chain system that is focused on bringing commerce into impoverished regions." He also has 821 repositories on GitHub, and by all appearances, is making full use of each one of them.

Schlinkert is responsible for the is-odd package, which has just over 2.8 million installations in the last week. He has written dozens of packages that fall under the broad category of type checking packages. The is-odd package is drawing criticism because of a chain of dependencies that connect it to nanomatch and micromatch, the latter of which is a dependency of over 300 packages, including browser-sync and webpack.

SEE: Comparison chart: Enterprise collaboration tools (Tech Pro Research)

For his part, Schlinkert insists that "the NPM ecosystem is fostering creativity," but that the proliferation of type checking packages is a JavaScript problem—which, given the lack of a standard library, is not a wrong conclusion to draw. For Schlinkert's own proliferation of packages, he noted in a call with TechRepublic that many of these are related to a project generator library he is designing, and that the modules take 15 minutes to publish. He organizes the modules in this way for the sake of unit testing.

This is reasonable. Ultimately, Schlinkert is working within an ecosystem with significant structural problems. Personally attacking someone for that is unwarranted. That said, NPM needs to address the structural problems which allow for—if not directly promote the production of—multiple overlapping type checkers in their package manager.

Update: NPM did change policy surrounding unpublishing in response to the left-pad incident. While unpublishing is still possible, it can only be done if the package is less than 24 hours old.

Also see

Image: iStockphoto/beer5020

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox