NPM fiasco even caught Brendan Eich off guard

The kerfuffle over left-pad tripped up scores of developers, including JavaScript's founder


The managers of the popular NPM registry, which houses JavaScript packages, want to assure the community that everything is OK, despite the calamity caused this week by the removal of a small package. NPM’s predicament, though, brought criticism from JavaScript founder Brendan Eich, who stressed a need to improve the module system.

Upset over a naming issue, a developer decided to unpublish his modules from the registry, including left-pad, and as a consequence broke several dependent projects, such as the Babel compiler. The module itself consists of only 17 lines of code, but modules that relied on left-pad could no longer be installed.

Within 10 minutes of being unpublished, left-pad was repaired by a community member and a new version was published, said Laurie Voss, CTO of NPM Inc., which runs the registry. Isaac Schlueter, the creator of NPM and CEO of NPM Inc., also emphasized the speed of repairs: “Essentially, the biggest disruption that happened as a result of this, it was partially mitigated within minutes and then completely mitigated within two-and-a-half hours. So everybody whose builds broke, their builds got fixed again very quickly.”

NPM Inc. plans to take action to prevent additional ripple effects of systems failing when they are dependent on a module that suddenly disappears. “We’re going to have to address our policies and technical details around how modules get unpublished,” said Schlueter.

But Eich criticized the circumstances that led to the situation: “I think they made a mistake by allowing people to unpublish a module that is widely shared through this distributed package manager, essentially.” The loss of left-pad was an issue for his company, Brave Software, which relies on the Babel tool chain. He acknowledged that NPM Inc. was working on improvements and suggested that the apps which needed the affected module would be better off copying the few lines of code they actually used.

Eich reflected on how he, as an old Unix hacker, found that Unix was about little commands that worked well together. But the Unix world did not have a master repository in which the owner could take away critical lines of code. “Having a way to share code is great, but you shouldn’t have this brittle network dependency that could have one person affect millions,” he said.
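As an added example, not code from the article or from NPM: a small script that walks a simplified dependency graph and lists every package whose install would break if one deep dependency were unpublished, which is the "one person affect millions" effect Eich describes. The graph and its package names are constructed for illustration and do not reproduce the real registry.

```javascript
// Added example (not from the article): given a dependency graph, find every
// package whose install breaks if one package is unpublished.
// The graph below is constructed and simplified; it only mimics the shape of
// the incident, where a tiny transitive dependency sat under popular tooling.
const constructedGraph = {
  "my-app":       ["babel-core", "express"],
  "babel-core":   ["line-numbers", "babylon"],
  "line-numbers": ["left-pad"],
  "babylon":      [],
  "express":      ["debug"],
  "debug":        [],
  "left-pad":     [],
};

// Invert the graph so we can walk from a package to the packages that need it.
function reverseDependencies(graph) {
  const dependents = {};
  for (const [pkg, deps] of Object.entries(graph)) {
    dependents[pkg] = dependents[pkg] || [];
    for (const dep of deps) {
      (dependents[dep] = dependents[dep] || []).push(pkg);
    }
  }
  return dependents;
}

// Breadth-first walk over reverse edges: every package reached this way
// transitively depends on `removed`, so its install fails once it is gone.
function blastRadius(graph, removed) {
  const dependents = reverseDependencies(graph);
  const broken = new Set();
  const queue = [removed];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const parent of dependents[current] || []) {
      if (!broken.has(parent)) {
        broken.add(parent);
        queue.push(parent);
      }
    }
  }
  return [...broken].sort();
}

// Share of the remaining packages in the snapshot that would break.
function blastRadiusPercent(graph, removed) {
  const total = Object.keys(graph).length - 1; // exclude the removed package
  return total === 0 ? 0 : (blastRadius(graph, removed).length / total) * 100;
}

console.log("Broken by removing left-pad:", blastRadius(constructedGraph, "left-pad"));
```

Running the same walk over a real lockfile would show which of your top-level projects sit downstream of a single maintainer's package, which is the risk the inlining suggestion above is meant to remove.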

Schlueter stressed the importance of NPM's mission and a need to review the issue at hand. He said there has not been anything before akin to the “social media storm” involving the NPM registry over this week’s incident.

Copyright © 2016 IDG Communications, Inc.