Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Programming Software The Internet

How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk) 480

An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
This discussion has been archived. No new comments can be posted.

How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript

Comments Filter:
  • So, in summary (Score:4, Insightful)

    by Anonymous Coward on Wednesday March 23, 2016 @09:26AM (#51760647)

    So, what have we learned?

    External dependencies are unsustainable;

    JavaScript is unmaintainable;

    Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable

      This is the state a *lot* of open source projects are in. Dependency trees that make windows dll hell look sane. We have cranked out thousands of packages like this. Tons of people writing things to get 'resume cred' then immediately forgetting about it after they get a job. The code lives on as a zombie with no one really digging in and taking a look at it.

      Then this litt

      • by Dog-Cow ( 21281 )

        I think the Kik guys deserved to have a sharp spike "kiked" (sic) up their asses. You really think they look like good guys for threatening an open source developer who probably never wrote an IM client in his life?

    • by Anonymous Coward

      It's fucking unbelievable how much trouble JavaScript has caused for so many people.

      Let's ignore how fundamentally broken it is, as a programming language, in almost every respect. That includes its fucking awful type system, its total lack of real OO (sorry, prototypes are complete shit), its ultra shitty standard library (which is why NPM and this problem exist in the first place), and similar problems.

      JavaScript has allowed too many unskilled cranks to shit out way too much broken code. It was one thing

      • by Pseudonymous Powers ( 4097097 ) on Wednesday March 23, 2016 @10:48AM (#51761379)

        It's fucking unbelievable how much trouble plumbing has caused for so many people.

        Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with toxic lead, its total lack of real modularity (sorry, reservoirs are complete shit), its ultra shitty set of mutually incompatible pipe sizes, materials, and connections (which is this problem exist in the first place), and similar problems.

        Plumbing has allowed too many unskilled cranks to shit out way too many leaky pipes. It was one thing when they did it in Ancient Rome, where it was isolated to a fountain in the town square. Now it's being done in people's houses, and it's a motherfucking disaster!

        Worse, plumbing has enabled the for-profit water supply industry. Plumbing makes it trivial for them to track every drop of water you use. If you don't want to fall victim to it, then you have to waste your time turning off a bunch of valves, and digging wells everywhere.

        Plumbing needs to go.

        If you really need to use a water delivery technology, use a river, or a pond, or even a goddamn barrel . All three of them are better than plumbing in every way.

        • by AmiMoJo ( 196126 ) on Wednesday March 23, 2016 @01:25PM (#51762951) Homepage Journal

          Do you work in the water industry? This is actually spot on!

          It's so bad we don't even know where half the damn pipes are. We know where the ends are, but if there is a leak in the middle we are fucked. Even in the best countries 25% of the water leaks out, and in some places it's over 50%. Even better, the last 20% just isn't even worth fixing... If a leak is costing the company 5 bucks a month, they ain't gonna send someone to dig up the road and fix it.

          • Interestingly, I'm dealing with that problem now. The place I'm renting has a bad slab leak, and rather than bust up the floor to fix it, the landlord decided it's going to be better to put new pipe in the walls, meaning that one bedroom, a closet, both bathrooms, and the kitchen are going to get the walls ripped up to put the new plumbing in. I'm *so* looking forward to the next few days, and then cleaning up all of the dust when everyone involved is done.

            I'd almost rather deal with Javascript. Almos
        • by cas2000 ( 148703 )

          unfortunately for you, the rant against javascript was not equivalent to a rant against plumbing, it was equivalent to a rant against using plain cardboard for pipes rather than, say, copper or stainless steel or plastic.

      • by rwven ( 663186 )

        JS/Node/NPM are the new PHP.

        • by Penguinisto ( 415985 ) on Wednesday March 23, 2016 @11:36AM (#51761757) Journal

          ...and Docker is the new Solaris Zones. Err, okay?

          The point isn't that node.js sucks (personal opinion - it kinda does when mishandled, just like PHP), it's that like any tool, you have to use it correctly and try not to make it do shit that it wasn't designed to do.

          We see this shit in Puppet-land, where so-called DevOps people rely on external github (not puppetforge, but random github) modules to run their servers. They never pull a local copy, but instead use something like Librarian [github.com] to pull it in dynamically... never realizing that if the guy maintaining $randomModule says 'fuck it' and pulls his project (or even just breaks his module), suddenly you're stuck with a broken model and a potential outage.

  • by retchdog ( 1319261 ) on Wednesday March 23, 2016 @09:28AM (#51760671) Journal

    This is just hilarious. What a shit-show, from the bullshit legal threat to the developer's hissy fit to the dependence on an apparently obscure package to implement (lol) left-padding.

    Reminds me of someone I knew who was wringing his hands for a few days over which license to use for his super-awesome R function library. He asked me for advice, and I told him that it's ~30 lines of syntactic boiler-plate code so get over yourself and just put it in public domain so that the two people who ever use it can do so easily. But of course, he had to deeply consider the political implications of which flavor of "freedom" he would support.

    • Re: (Score:3, Insightful)

      Yeah, because should only apply their ethics when you say it's okay. How vain of people to care about their personal ethics.
      • Re: (Score:3, Funny)

        by retchdog ( 1319261 )

        you make a good point.

        incidentally, i just took my morning shit. could you please tell me, before i flush the turds down the toilet, what redistribution license should i bless them with?

        • You don't like the license? Fuck off and write your own then. Simple.

    • Just waiting for the obligatory "and a million applications cried out in pain and were suddenly silenced"
    • Re:oh vanity... (Score:5, Insightful)

      by firewrought ( 36952 ) on Wednesday March 23, 2016 @12:47PM (#51762517)

      Missing from your list is that NPM didn't just pull the npm package, they reassigned it to a different user. Think about the security implications of that... it implies anyone can send a few intimidating emails, gain control of a major project, and then substitute with their own code/malware.

      Assuming that's how it played out, it might be a good thing the developer threw a hissy fit: the resulting public fallout may or may not prompt NPM (and NuGet, Cargo, Docker, and so forth) to reconsider the trust problem they have created.

  • by The Evil Atheist ( 2484676 ) on Wednesday March 23, 2016 @09:28AM (#51760673)
    Don't know who they are or what they do, but fuck them and boycott whatever it is they sell.
    • And fuck NPM for restoring someone else's work without their permission. Surely that's got to be a copyright infringement.
      • by Luthair ( 847766 )
        Not really, the owner distributed under an open source license.
        • You still retain copyright over your own copy. That's how it stops other people from dictate what you can or cannot do with your copy outside the scope of the licence and what makes that licence desirable to that person.
          • by Luthair ( 847766 )
            And what does copyright have to do with distributing code under its license?
        • There is a legal aspect, and there is a moral aspect. SourceForge had the right to adware infected installers for open source software. Whether they should do, is another question. Same here.

      • 1. The new owner apparently asked them to, so that would be permission.

        2. They already have permission since the license the "software" was published under gave it to them.

    • Re: (Score:3, Informative)

      by Luthair ( 847766 )
      They're a messaging application and have been around 5-6 years. Recall that trademark owners are required to protect their trademark.
      • Recall that trademark owners are required to protect their trademark.

        That's only relevant if Kik has a JavaScript library. AFAIK, they do not. It's just another patent troll overreach.

        • by Cid Highwind ( 9258 ) on Wednesday March 23, 2016 @10:12AM (#51761083) Homepage

          This is the USPTO we're talking about here. Instant messaging services and Node.js libraries probably both fall under a category like "Products and services pertaining to computers, electronic calculators, magnetic or paper tapes, teletypes, slide rules, and abacuses"...

      • Re:What is Kik? (Score:5, Informative)

        by angel'o'sphere ( 80593 ) <angelo.schneider @ o o m e n t o r .de> on Wednesday March 23, 2016 @09:43AM (#51760821) Journal

        And the trademark for "KiK" an instant messenger "App" on phones or tablets, does not cover a "library" or even a "program" written for software development.

        At least not in my country, and likely not in yours either.

        • Re:What is Kik? (Score:5, Insightful)

          by AmiMoJo ( 196126 ) on Wednesday March 23, 2016 @10:01AM (#51760985) Homepage Journal

          True, but lawyers don't understand those words, they just know it's about computers so anything computer related called "kik" must die. They are like marauding barbarians, waving their clubs in the air and smashing anything that looks a bit like the magic rock they worship.

        • by Jahta ( 1141213 )

          And the trademark for "KiK" an instant messenger "App" on phones or tablets, does not cover a "library" or even a "program" written for software development.

          At least not in my country, and likely not in yours either.

          I'm guessing you are not a lawyer. The international law [wikipedia.org] on trademarks classifies goods and services into trademark categories. This classification puts "data processing equipment, computers; computer software" in the same group (along with bunch of other things). So an "App", a "program" and a "library" are all just "computer software" for trademark purposes.

          But if you wanted to start a company called "KiK" to sell "Apparatus for lighting, heating, steam generating, cooking, refrigerating, drying, venti

      • They have a trademark for an instant-messaging application, not a JS library. Attempts to enforce the Kik trademark against NPM modules not dealing with instant messaging are vexatious, and any lawsuit raised is legal barratry.

      • They're a messaging application and have been around 5-6 years.

        Oh, so I don't need to do anything then.

        Recall that trademark owners are required to protect their trademark.

        Trademarks are only in effect for what purposes they filed for. It cannot just cover any use of the word in any context.

    • Kik is an anonymous IM service where you can invite friends to a board and you all post horrible things about other people.
  • by 31415926535897 ( 702314 ) on Wednesday March 23, 2016 @09:29AM (#51760679) Journal

    Just kidding, I have no problem with Javascript. By the way, that summary was confusing as hell.

    One of the beauties of JS is that it's easy to provide your own functions, so as long as it's only left-pad missing, you could provide your own, right?

    function left_pad(str, min_length, pad_char){
            if(str.length min_length){
                    str = Array(min_length - str.length).join(pad_char) + str;
            }
            return str;
    }

    (note, I did not do any sanity/error checking in the function, so do not simply copy/paste, please fill it out if you intend to use it)

    • ...and fix those pesky characters that /. thinks are html and removed!

      seriously, whoever was using left-pad and was too lazy to implement this themselves deserves their fate.
    • Here's the code from the article:

      module.exports = leftpad;

      function leftpad (str, len, ch) {
      str = String(str);

      var i = -1;

      if (!ch && ch !== 0) ch = ' ';

      len = len - str.length;

      while (++i < len) {
      str = ch + str;
      }

      return str;
      }

  • Roll your own libraries. No outside dependencies, and you'll probably leave out a lot of the cruft that is there "because."
    • by NotInHere ( 3654617 ) on Wednesday March 23, 2016 @09:40AM (#51760801)

      So you say everybody should write their own buggy and incomplete reinvention of the wheel?

      Yes, probably most of his libraries aren't longer than 2000 lines of code, and therefore are pretty replaceable, but I don't think that writing your own libraries will decrease the total number of bugs, it will rather increase them.

    • No, that isn't possible in 2016. You cannot do development at this point without depending on some libraries. The trick is to create a personal git fork of all your dependencies. So if the original disappears you still have your copies.
  • Also, when was it made, originally?

    • The package Kik is for "kickstarting new projects" It was also removed from GitHub, so I don't know when it was actually created. It was a pretty old project. I remember it from a few years back.
  • Comment removed based on user account deletion
  • Installed Babel. Strange Error messages and babel borked and unusable. Same problem popping up all over the interweb.

    Sad. Wanted to start with classes in JS. :-(
    Does anyone know when this gets fixed and what the plan is?

    • Does anyone know when this gets fixed and what the plan is?

      You could try to read the article.

      To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.

  • Anybody surprised? (Score:5, Insightful)

    by gstoddart ( 321705 ) on Wednesday March 23, 2016 @09:39AM (#51760785) Homepage

    I've always thought this interconnected pile of stuff, linking across a bunch of domains was lazy, dangerous, and likely to be very brittle.

    Sorry, but the interwebs have shown me I can't afford to trust arbitrary code from all over the place, which can change at a moments notice, and which I know nothing about.

    If you've created an infrastructure where tons of stuff breaks because some asshole corporation forces some guy to say "fuck you, you can't have my code", you have a terrible mess. What happens if someone adds some malicious code?

    What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?

    Jenga tower indeed, it sounds like the state of the art is a bunch of brittle dependencies controlled by a few places, and subject to causing a shit top of things to happen when someone makes a change.

    This reminds me of a company I worked at which had a universal build system ... everything build from scratch every day and wouldn't build if any of its dependencies didn't build. So when some guy broke a components 3 components upstream, nobody could get anything compiled because the system was too stupid to go with the last known good ... and hundreds of developers sat around all day going "but, what do you mean we can't do anything because some guy checked in shit code".

    And that's how JavaScript app development works in 2016.

    Wow, just wow.

    Steaming Heaps of Innovative Technology.

    • If you used git and used your own local branches for your dependencies you would avoid this issue. You only pull from upstream when there are changes you need to incorporate. It sounds like a lot of people were doing it wrong.
    • by jareth-0205 ( 525594 ) on Wednesday March 23, 2016 @11:06AM (#51761535) Homepage

      What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?

      *sigh* We really shouldn't still be having this conversation about how open source licensing works, but OK: They don't claim to own it, but they can redistribute it under the same licence that it was being distributed under. His copyright isn't infringed, it just remains distributed under the non-reversible licence that he chose to distribute it under in the first place.

  • by rudy_wayne ( 414635 ) on Wednesday March 23, 2016 @09:48AM (#51760863)

    Damn bossy underwear!!!

  • by tekrat ( 242117 ) on Wednesday March 23, 2016 @09:55AM (#51760929) Homepage Journal

    If you write *anything* that assumes the perpetual existence of a linked library from somewhere on the internet, you deserve what you get.

    Most kids these days don't remember a time where internet access required a dial-up modem -- or it wasn't a 100% certainty it would be available.

  • by Steve1952 ( 651150 ) on Wednesday March 23, 2016 @10:11AM (#51761073)
    Ironically, it may be Kik's attorneys that acted improperly here. Trademark law allows similar names to be reused for different fields of use, so long as there is not a possibility of confusion/loss of market. Here I seriously doubt that anyone would confuse a Javascript module with a chat application. So quite possibly this was a bogus assertion in the first place, which ended up causing serious damage to a lot of folks.
  • by damaki ( 997243 ) on Wednesday March 23, 2016 @10:21AM (#51761149)
    Thou shalt always mirror your dependencies. Never assume that everything will always be available. That's continuous integration 101.
    Second paradigm: mirror even your dependencies source code, if you can.

Avoid strange women and temporary variables.

Working...