You might not be aware, but on 23 March 2016, the internet as we know it almost came crashing down.
That doesn’t sound like a big deal – after all, code is deleted and re-uploaded all the time – but Oakland-based developer Azer Koçulu just happened to be the creator of a simple but frequently-used 11-line package that was relied upon by companies such as Facebook, Netflix, and Airbnb.
The problem was promptly fixed, and for the vast majority of us users, there was no down-time thanks to caching, and we wouldn’t have noticed anything out of the ordinary.
But for web developers, it was a temporary nightmare that resulted in thousands of builds failing each second. One developer wrote on the github forum at the time: “This kind of just broke the Internet”.
So how the hell does such deleting such a small chunk of code pull down the rest of the Internet like a house of cards? First, you need to understand that when it comes to building programs, there are a whole lot of modules and tools available to make the process quicker and simpler.
One of the most popular of these modules was Koçulu’s 11-line-long ‘left-pad’ module, which was a surprising simple, yet heavily relied upon, piece of code. In fact, the programming community didn’t even realise how relied-upon it was until Koçulu pulled it down.
Basically, left-pad is used as a shortcut by developers, so they didn’t have to write a whole bunch of basic code from scratch each time. “If a developer calls on an npm module, it’s basically shorthand for ‘put this code in later’, and a software compiler will just download the code when the time is right,” Matt Weinberger reports for Business Insider.
And it’s not just kids at home using those modules, we’re talking about high-profile Silicon Valley ventures here. Software that was reliant on left-pad included Babel, which helps Facebook, Netflix, and Spotify run code faster, and React, which helps developers build better interfaces, as Weinberger reports.
And most of the time that works just fine – unless of course the module in question disappears, which is what happened with left-pad after Koçulu unceremoniously unpublished it.
To give credit to the open source community, within 10 minutes, someone else had published a functionally identical version of left-pad, which fixed a few of the problems, but not all of them.
In the face of ongoing build fails, npm decided to take the unprecedented step of re-publishing the original ‘left-pad’ from a back up, which resolved the remaining problems.
But the move caused backlash and debate amongst the programming community, as well as discussions over why companies such as npm are allowing developers to build software on modules that can be unpublished at any time.
So why did Koçulu delete left-pad in the first place? As he explained in a post over on Medium, it all started because of a dispute with messaging company Kik, over a module Koçulu was working on, also called kik.
The company wanted him to change the name of his module so they could roll out their own product, but he declined, leading to some heated emails between the two parties (which you can see here).
Eventually, npm got pulled into the argument, and instead of siding with their long-time developer, they agreed that, for the sake of their users, having Kik the company use the package name kik would make more sense.
“It very quickly became obvious that they were not going to be able to resolve their dispute over the name,” npm CEO, Isaac Schlueter, told Ars Technica. “We made the decision based on what we thought would be in the best interest of the npm community. What it came down to is that a reasonably well-informed user who types ‘npm install kik’ would expect to get something related to Kik. So that’s why we turned (the name) over.”
Koçulu was understandably pretty annoyed by the decision, and sent them an email back saying:
“I know you for years and would never imagine you siding with corporate patent lawyers threatening open source contributors … I want all my modules to be deleted including my account, along with this package. I don’t wanna be a part of npm anymore. If you don’t do it, let me know how do it quickly. I think I have the right of deleting all my stuff from npm.”
A few hours later, npm gave him the command to do just that, and he deleted all 273 modules he’d registered on npm. But with all the focus on kik, no one considered the ramifications of deleting left-pad, and chaos ensued.
Koçulu has since apologised for the unexpected disruption, but stands by his decision. “Feeling very sorry for interrupting people’s work,” he wrote in an email to Ars Technica. “I did it for the benefit of the community in long term. Npm’s monopoly won’t be dictated to the free software community anymore.”
The bigger issue that remains is how to deal with these problems in future, and how to avoid them happening in the first place – and that’s something npm are now looking into.
In the meantime, be careful with code out there, kids. You never know what could be relying on it.
A version of this article was originally published in March 2016.