How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …


  1. Tommy Pock

    This whole debacle mirrors Gamergate

    I didn't have a bloody clue what was going on then, either.

    1. Anonymous Coward
      Anonymous Coward

      Re: This whole debacle mirrors Gamergate

      ITYM the whole debacle shows up the standard use case for javascript for what it is - a fragile conglomeration of scripts scattered about the internet which then get dragged into a web page when it's loaded, giving multiple points of failure. Aside from that, I can't actually think of a more lax, indifferent approach towards security with a better attack vector for malware in the whole programming world.

      "Yeah, let's just load in joescode.js from scrits-r-uz.net each time our page is loaded and hope it hasn't been broken/deleted/corrupted". What a brilliant development model!

      Javascript kids - is it really so hard to download common code onto your own website, having checked it first? OK, maybe you won't get updates so fast, but you won't get shafted like this either.

      1. Spacedman

        Re: This whole debacle mirrors Gamergate

        Well not really much. Developers will get the dependencies as they work (using bower or whatever the JS dep manager tool of the week is), and then build a single JS file at deployment time (using webblywobblify or the JS build tool of the week), and that goes up to the server for production. I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">

        I'd only ever load something from a non-local site if it was something I regard as stable, popular, and coming from a robust CDN.

        1. Anonymous Coward
          Anonymous Coward

          Re: This whole debacle mirrors Gamergate

          "and then build a single JS file at deployment time"

          That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

          1. zarvus

            Re: This whole debacle mirrors Gamergate

            Node modules aren't loaded on page load separately, they are usually bundled into something larger. Think like Python modules or C libraries, they're part of a larger whole (except in this case they're JavaScript). I don't think that unpublishing his packages would 'break the internet', it would just stop people from updating their modules during development.

            For client side JS, competent devs compile it into a bundle anyway and load it server side. Everyone wants you to use their CDN for some reason though.

            The node package manager (npm), though, is abominable and incredibly easy to break.

            I also think it's bullshit that the npm maintainer re-published his packages - if they give him the ability to unpublish his work, they are giving him the agency to do so at his choice. Someone could publish a new left-pad that does much of what his script does instead. Then he could sue them for trademark infringement and create a constitutional crisis.

          2. Michael Wojcik Silver badge

            Re: This whole debacle mirrors Gamergate

            That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

            Yes. This is readily apparent when you run something like NoScript. Oh, look, scripts from a dozen domains are blocked on this page. Let's temporarily allow some to try to get this thing working. Great, those have remote dependencies on scripts from another dozen domains...

            ECMAScript is the C of the decade. In certain domains it's perfectly suitable, but it's widely used by people who ignore its pitfalls for purposes it is not well-suited for. It's possible to write good ECMAScript code, even for non-trivial projects, but it requires discipline - something few developers seem to care about.

            1. Anonymous Coward
              Anonymous Coward

              Re: This whole debacle mirrors Gamergate

              Define "good" ECMAScript.

              ECMAScript doesn't expose a modulus operator nor define a method of modularising applications.

              In short, it's a hack lacking in almost every meaningful way the basic utilities one takes for granted in languages invented after COBOL; it's neither portable nor well-specified, both of which gave C its longevity.

              Being used by people who don't know any better is hardly a reason to drag C's good name into the gutter.

        2. Anonymous Coward
          Anonymous Coward

          Re: This whole debacle mirrors Gamergate

          I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">

          You're new here, right?

      2. John Brown (no body) Silver badge

        Re: This whole debacle mirrors Gamergate

        "Javascript kids - is it really so hard to download common code onto your own website having checked it first "

        Exactly! Is it any wonder that pages take so long to load when shitty little bits of code any beginner could knock up have to be dragged in as *live* dependencies from some 3rd party server? WTF are these people thinking? FFS, this left-pad thing was one of the exercises in BASIC programming in GCE "O" level Computer Studies (No kids, that wasn't a mistake, GCE predates GCSE, yes THAT long ago) back in about 1979 when I took the exam.

        For that matter, WHY are there even code snippets like that even made available for live linking? No one could possibly own any IP on such a simple and obvious technique.

        1. daemonaka

          Re: This whole debacle mirrors Gamergate

          Yeah, it's not 2005 anymore. No production webapp is built that way. If yours is, you've got some shitty Web devs on your hands. You need to give them a week to learn what a gulp plugin is, or they're fired.

          Yes, that's right, we primitive javascript "kids" have discovered these miraculous things called build tools! Anyone would think it was a real language or something. Dipshit.

          Did you not even bother to read this comment thread before adding to it? This has already been pointed out. Left-pad was not being "live linked", but pulled in as a static dependency at build-time. This did not "break the Web", it broke nightly builds.

          Get down off your high horse before you get a nose bleed.

          1. Kristian Walsh Silver badge

            "static" volatile dependencies

            So, what you're saying is that your organisation's software development process can be stopped at any time by a third party in a different jurisdiction. I'd love to have the kind of Programme Manager who'd hear that and say "Oh, the builds are broken? Because a guy in XYistan broke a module? And he's not answering his mails? That's fine. I'll tell the client that the service won't ship until an indefinite date in the future, and you guys can all go home early."

            The purpose of any build system is to produce repeatable outputs from your source-code, and to provide an audit trail for your releases. Repeatable is hard when you effectively do Lucky Dip dependency resolution. A build-system worthy of its name can check out any previous release of software by ID, and produce a binary-identical output product to that. A build process is language independent: you might need different tools, but using a particular language for development doesn't magically absolve you from responsibility.

            Live-downloading isn't a "static dependency". "static" means "not moving", and you cannot guarantee that from a remote resource. You can barely even guarantee that if it's your dynamically-fetched resource. (Versioning components doesn't help you; you're still relying on strangers to not change code without re-versioning...)

            So, if you're live-downloading every time you make a build, explain to me how you guarantee that those remotely-fetched dependencies don't dramatically change between the developer writing the unit tests, and your automated build system running them? There's a good way to waste development time. Also, how do you guard against someone maliciously injecting a backdoor into that crypto class you download every time you make a build.

            More to the point (and this is the real reason companies spend money on revision control and build systems): Imagine it's next year, and you're being sued for doing something nasty, and to provide evidence of your innocence, you've got to set up a server with your company's software the way it was on the day of the alleged offence. How the hell are you going to rebuild it? Wayback Machine? Well done, you've just handed their lawyer the downpayment on a yacht.

            ALL dependencies used by a project must be accounted for. If you're not doing that, you're just wasting time and effort - you've got a glorified compiler/packager that offers no better consistency or auditing than just deploying straight off a developer's workstation.

          2. Anonymous Coward
            Anonymous Coward

            Re: This whole debacle mirrors Gamergate

            >Left-pad was not being "live linked", but pulled in as a static (static eh?) dependency at build-time. This did not "break the Web", it broke nightly builds.

            >Get down off your high horse before you get a nose bleed.

            Way to reinforce the original poster's overall point Mr. Web "Developer". At least your UI follows whatever web 3.0 industry design guidelines are in fashion currently with the hipster millennials eh?

          3. Anonymous Coward
            Anonymous Coward

            Re: This whole debacle mirrors Gamergate

            ". No production webapp is built that way."

            Except every one of them. I'm using NoScript and it tells me directly what domains/sites javascript is trying to access. This page alone has 6.

            Allowing all 6 creates 8 new ones. No idea what kind of 'production webapps' you use, but that's the way web pages are generated nowadays.

      3. jnoelz

        Re: This whole debacle mirrors Gamergate

        Oh yeah, you read an article and you're advising developers on how to organize their work, really? Do you have any comprehension of how the entire stack works and what was actually deleted and loads from where? Yeah, that webpage you made in '98.... You are demonstrating your profanity - you have no idea of how expensive it is to produce production quality, reusable code. The reason why the open source community exists is because it is efficient and reliable.. but yeah, script kids, playing jenga code.

  2. Anonymous Coward
    Go

    "This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people"

    So he moved to github lol.

    Thankfully I wrote my own padStart function as a polyfill. Eventually, in like 10 years, ES7 will add padding a string to JavaScript as standard.

    1. AMBxx Silver badge
      Boffin

      Left padding

      I don't do much JavaScript, but is this really the most efficient way to pad a string from the left? What's wrong with a repeat string function then right(lengthNeeded)? This looks like something copied from a BASIC tutorial 20 years ago.

      1. Andrew Moore

        Re: Left padding

        Exactly what I was thinking: after checking ch and len were valid, it should just be a case of

        return ch.repeat(len - str.length) + str;

        1. mark jacobs
          Boffin

          Re: Left padding

          function leftpad(str, len, ch)
          {
            // Fixed-length buffers: the padding is capped at the buffer length.
            var s1='                                                ';
            var s2='0000000000000000000000000000000000000000';
            // Only a pad character of '0' is honoured; anything else pads with spaces.
            if (ch) if (ch=='0') return s2.substr(0,len-str.length)+str;
            return s1.substr(0,len-str.length)+str;
          }

          et voilà!

        2. Rabster

          Re: Left padding

          You kids get off my len()! Feeling old.

          1. AMBxx Silver badge
            Happy

            Re: Left padding

            Starting to feel sorry for the guy. First he's threatened by lawyers, now we're all saying his code is rubbish!

      2. Destroy All Monsters Silver badge
        Windows

        Re: Left padding

        This looks like something copied from a BASIC tutorial 20 years ago.

        I think you mean 30 years ago.

        As the Reg population ages, an "undertaker" icon will become of higher priority.

        1. AMBxx Silver badge
          Unhappy

          I think you mean 30 years ago

          You caught me out! 30 years ago, I was working with BBC B and ZX Spectrum. They were both getting long in the tooth at the time.

          Feeling really old now.

          1. Hideki

            Re: I think you mean 30 years ago

            Oh please, 30 years ago was 1986, the year the Spectrum 128 and BBC Master 128 were released, they were hardly long in the tooth then, 4 years old in the case of the Speccy, 5 in the case of the Beeb.

            Still a great fan of both platforms, the Sinclairs for bringing computing to people who couldn't otherwise afford it and the BBC for creating an excellent machine with a structured BASIC, an understandable accessible OS and a proper assembler, in ROM.

            Still have one of each set up here (although rather modified/expanded to make use of modern storage solutions, CF and Ethernet in the case of the Speccy, SD in the case of the BBC (bit-banged SPI using the user VIA to do SD access)), if curious see: http://kupo.be/tpics/oldsystems20160307.jpg

        2. Doctor Syntax Silver badge

          Re: Left padding

          "I think you mean 30 years ago."

          Only 30? Kids today.... Wanders off mumbling to self.

          1. Anonymous Coward
            Anonymous Coward

            Re: Left padding

            Only 30? Kids today.... Wanders off mumbling to self.

            Indeed. 30 years ago they already had these new-fangled electronic computers!

            I remember back in the day, having to rig up the pulleys and vine ropes just right, and keeping the elephants motivated was a nightmare!

        3. Tom -1

          Re: Left padding

          Actually BASIC was introduced into classes at Dartmouth College 52 years ago, and I suspect that padding a string on the left was something that cropped up in class within the first couple of years of using it as a teaching language. By the mid-70s it was used all over the place. So I think 40 years ago is more likely than 30, and it's quite likely that it turned up in a tutorial developed at Dartmouth 50 years ago.

          1. RMycroft

            Re: Left padding

            Good old DTSS. I can't be arsed to dig out my copy of BASIC 6th edition to see if there was a built-in function that would do the job. In any event someone did it in COBOL long before to pad out money amounts with asterisks on cheques.

            RUN LEM****

      3. Brewster's Angle Grinder Silver badge

        Re: Left padding

        "What's wrong with a repeat string function then right(lengthNeeded)?"

        String.prototype.repeat didn't officially exist until last year. Yes it can be done more efficiently than repeatedly adding a single string together. (Mine takes no more than 2 × log2(N) concatenations to produce N repeats.) But typical paddings are a handful of characters, so that's probably as efficient as anything: remember we are on 64 bit machines where you can have 8 utf8 characters in a single register; concatenation is just bit shift and bitwise-or.

        1. Anonymous Coward
          Anonymous Coward

          Re: Left padding

          Get yerself a proper language. Y'know, something which doesn't require manually defined functions to left pad a string.

          s/^(.*)/$padchar x ($wantlength-length($_)+1) .$1/e;'

          If only we had something... something which had been around since 1987...

          1. captain veg Silver badge

            turning into a coding competition?

            function leftpad(str, len, ch)
            {
              // Coerce to string first so numbers get padded too.
              var i = len - (str + "").length;
              // Array(i + 1).join(ch) yields i copies of ch; a pad character of 0 counts as "0", not as missing.
              var pad = (i > 0) ? Array(i + 1).join((ch || ch === 0) ? ch : " ") : "";
              return pad + str;
            }

            No charge.

            -A.

    2. JLV

      >Thankfully I wrote my own padStart function

      This chimes with me as well. How often, in Python/Django, do you see an SO question that requires 20-30 lines of code.

      With the recommendations to pip in package XYZ that does it for you. Now you have an external dependency for something super trivial.

      JS should really tweak some basic stuff though. Even the humble sprintf seems missing. I use Handlebars for that now* but it's like swatting a fly with Yamato's 18"s.

      * and mostly for templating

    3. zarvus

      His code was already on Github. Good point, though.

  3. Brian Miller

    But did Kik's website go down?

    It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

    1. Dazed and Confused

      Re: But did Kik's website go down?

      Even better if the Kik's shitesters website had imploded too. Would be great if they got a sudden lesson in intellectual property rights "Know that stuff you're using? Well it's mine and you can F*&k right off"

    2. Anonymous Coward
      Anonymous Coward

      Re: But did Kik's website go down?

      It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

      They have a website with the worst privacy policy ever (you can't examine the whole policy, you have to walk through it one chapter at a time), and despite being apparently a Canadian company (don't know this for certain - I'm really starting to dislike companies that don't put their address on their website) I would not trust them with ANY data because they appear to genuinely have no idea how to protect their users.

      Not that I would ever use them anyway as I'm quite happy with the apps I have, and I am rather unimpressed by how they took this on. Overzealous lawyers are IMHO more a corporate risk than a benefit.

  4. Duncan Macdonald
    Mushroom

    Copyright infringement ?

    Could Azer Koçulu sue NPM for copyright infringement by including his code against his wishes ?

    1. SE

      Re: Copyright infringement ?

      I hope so. I've no idea what the NPMs terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

      Truly pathetic.

      1. djack

        Re: Copyright infringement ?

        It depends on the license of the code. If it was licensed under any 'usual' open source licence then re-publishing shouldn't be a problem.

      2. Anonymous Coward
        Anonymous Coward

        Re: Copyright infringement ?

        No, it is not. Code published on NPM is open-source and anybody can republish/fork/modify it.

        1. timcroydon

          Re: Copyright infringement ?

          No, that's wrong. Every package has its own license, which may or may not be permissive. E.g. often see GPL, MIT or Apache licenses.

          I notice that the left-pad utility in question actually has no explicit license so is covered under normal copyright laws which could raise interesting questions for users who haven't checked they've got explicit permission to use it anyway.

          1. BinkyTheHorse
            Boffin

            @timcroydon

            I dunno, old status page shows the license as BSD:

            http://web.archive.org/web/20150922113035/https://www.npmjs.com/package/left-pad

            The author now updated the meta info to WTFPL, which is decidedly non-FOSS-compliant ;), but still works in this case.

            Of course the salient point is whether metainformation constitutes a valid license specification. IANAL, but I suspect NPM have a strong case in that regard (not that I condone their general behavior, as stated in the prior post).

            1. Anonymous Coward
              Mushroom

              Re: @timcroydon

              IANAL, but I don't think it's legally open-source. The only words about copyright/license in the entire commit history (at https://github.com/azer/left-pad) are these two tags in package.json:

              "author": "azer", "license": "WTFPL" [originally "BSD"]

              No BSD license text. No "Copyright 2014 (real name or alias)".

              DMCA takedown in 5... 4... 3...

              1. War President
                FAIL

                Re: @timcroydon

                None of this puts npm as an organization or as a package manager in a good light. They'll instantly cave to vague threats and willingly change ownership of a package (kik) to do the bidding of a 3rd party in contravention of their own dispute policy. If you terminate your agreement with npm, they'll keep your IP (left-pad) if it suits them, in contravention of their own terms of use. Who was it that removed the BSD license and changed it to WTFPL? If not the author or at their behest, then someone violated the license terms.

                To my mind, it also seems a little worrisome that there are so many dependencies built into these packages. You really need to add a dependency for a simple text padding function? Really?

            2. tekHedd

              Re: @timcroydon

              Actually, I was reading about WTFPL recently, and it is a valid open source license. (see the FAQ) I mean, come on, what's more open and free than "do what the f- you want"?

              1. John Brown (no body) Silver badge
                Joke

                Re: @timcroydon

                "I mean, come on, what's more open and free than "do what the f- you want"?

                Does that mean I'm free to copyright it?

                1. JBowler

                  Re: @timcroydon

                  >"I mean, come on, what's more open and free than "do what the f- you want"?

                  >Does that mean I'm free to copyright it?

                  It's a license to use something to which someone else has copyright. Copyright is the possession of the *author*.

                  Copyright can be assigned but the *license* doesn't assign the copyright (and it can't, logically; then it would be a copyright assignment, not a license.)

                  You can copyright any derivative, but if you ask a lawyer the lawyer will still want to speak to the author of the original work.

                  That's why when you go to work for someone else they ask you to sign away all your copyright rights. Oh, no, they don't actually *ask*, it just happens when they pay you (see the 'for hire stuff', and this is only in the US, which didn't adopt standard copyright laws until very late):

                  http://dearauthor.com/features/reclaiming-your-copyright-after-thirty-five-years/

                  John Bowler <jbowler@acm.org>

      3. Anonymous Coward
        Anonymous Coward

        Re: Copyright infringement ?

        If he ever published the code under a permissive license, there's nothing wrong with re-publishing.

      4. Michael Wojcik Silver badge

        Re: Copyright infringement ?

        I've no idea what the NPMs terms are, but publishing content against an author's wishes seems more significant than withdrawing content because it has a name that clashes with that of another, unrelated, product.

        And in the time it took them to write that PR statement, they could have written their own implementation of "left-pad" and published it under the old name and version, avoiding any legal or ethical issues around restoring the original code.

        Ah, well. Maybe this will be an object lesson for people who use NPM, and maybe it'll draw some well-deserved ire down on Kik.

    2. BinkyTheHorse
      FAIL

      Re: Copyright infringement ?

      Well, if he published it under one of the FOSS-compliant licenses (or a few of the non-compliant OS ones), as long as NPM had a copy of the package, they were free to republish without violating the license. And in general it's a Good Thing™.

      However, fail icon since the NPM folks clearly made a half-assed job PR-wise and acted shittily towards the developer - it doesn't seem likely that the trademark case would hold up in court.

    3. Voland's right hand Silver badge

      Re: Copyright infringement ?

      Come on, the code in question is trivial.

      As a few people pointed out, this looks like it was taken from a 30+ year old BASIC tutorial. It will probably fail the Lego test of copyright - you cannot copyright the "natural form" of something. You can patent it, but not copyright it.

      Granted, javascript is a primitive language, but nonetheless, even with all of its primitiveness I would have expected it to do this as a part of the base spec (*) in one line. Python and perl certainly do - * and x operators on strings respectively.

      (*) I am aware that char repetition was added to the spec last year. That is still not pattern repetition or string repetition, which Perl has been able to do for more than 20 years in a single statement and Python for more than 15.
