Earlier this week, a messy situation putting open-source software at odds with trademark ownership impaired the functions of thousands of pieces of software, demonstrating the dangers of relying on third-party code for important software. Large companies including Facebook, Netflix, and Spotify were briefly affected.
In this case, the drama surrounded NPM (short for “node package manager”), the default manager for node.js, a runtime environment popular with web developers. NPM is used to install open-source software, collected into packages. In turn, developers can call upon that software, known as dependencies, to perform functions, eliminating the need to code from scratch. If a dependency disappears from NPM, it has the potential to break the software calling upon it, creating a domino effect. NPM is hardly the only system that works like this. The web is basically built upon an interweaving of different systems and software libraries that call upon each other to work together all the time.
For the past couple of weeks, a developer named Azer Koçulu has been in a dispute with messenger service Kik over his use of the name “kik” for one of his packages. Koçulu, an adamant proponent of open-source software, refused to change the name or yield to a corporate interest.
In a blog post about the dispute, Kik employee Mike Roberts reprinted emails between Koçulu and another Kik rep, Bob Stratton.
Stratton wrote on March 11:
We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.
Can we not come to some sort of a compromise to get you to change the name without involving lawyers? Is there something we could do for you in compensation to get you to change the name?
Koçulu responded just over an hour later:
hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back.
And that’s when NPM’s governing body got involved. They have a policy in place for naming disputes such as this. In their own blog post recounting the incident, CEO Isaac Schlueter wrote:
The policy’s overarching goal is this: provide npm users with the package they expect. This covers spam, typo-squatting, misleading package names, and also more complicated cases such as this one. Entirely on this basis, we concluded that the package name “kik” ought to be maintained by Kik, and informed both parties.
In disputes like this, packages are normally altered in such a way that existing programs using the dependencies can still find them without needing to be altered themselves, but instead Koçulu decided to simply remove all of his nearly 300 packages from NPM, breaking tons of other software in the process.
In a blog post announcing the move, he wrote:
When I started coding Kik, didn’t know there is a company with same name. And I didn’t want to let a company force me to change the name of it. After I refused them, they reached NPM’s support emphasizing their lawyer power in every single e-mail CC’ing me. @izs [schlueter] accepted to change the ownership of this module, without my permission.
This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People.
Among the software removed was a package known as left-pad, 11 lines of code comprising a function that adds extra space to the left side of a string of text.
Here it is in its entirety:
That’s it. But a lot of other software relied on left-pad to work. “Shortly after 2:30 PM (Pacific Time) on Tuesday, March 22, we began observing hundreds of failures per minute, as dependent projects — and their dependents, and their dependents … — all failed when requesting the now-unpublished package,” Schlueter recounted.
Because the code was open-source, another coder republished an identical, new version (1.0.0) within minutes. That version number was another problem, though. Though it’s not required, dependency requests can specify the software version number, and many of them specifically requested Koçulu’s old 0.0.3 version. So NPM had to take the “unprecedented” step of republishing it via backup. The issue, by their account, lasted two and a half hours.
There are other lingering effects of the disruption. The exodus vacated hundreds of package names that others are now free to use, so if existing software calls for one of Koçulu’s old packages, it could have been replaced with an entirely different program. Developers might not know what code they’re executing. Many of the package names are already being squatted on.
Other developers are using the incident as an opportunity to call out lazy programmers, relying on external dependencies that are really just single functions. In a post about the incident, Stack Overflow employee David Haney wrote about the disfunction of NPM as a whole, saying, “It feels to me as if the entire job of an NPM-participating developer is writing the smallest amount of code possible to string existing library calls together in order to create something new that functions uniquely for their personal or business need.”
What the incident serves to highlight is how, for all the good that open source does, its highly malleable state also turns it into a delicate house of cards, in which one missing dependency can cause a cascading effect that reaches some of the largest services on the web.