How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koçulu yanked his …

This whole debacle mirrors Gamergate

I didn't have a bloody clue what was going on then, either.

31
2
Silver badge

Re: This whole debacle mirrors Gamergate

ITYM the whole debacle shows up the standard use case for javascript for what it is - a fragile conglomeration of scripts scattered about the internet which then get dragged into a web page when it's loaded, giving multiple points of failure. Aside from that, I can't actually think of a more lax, indifferent approach towards security with a better attack vector for malware in the whole programming world.

"Yeah, let's just load in joescode.js from scrits-r-uz.net each time our page is loaded and hope it hasn't been broken/deleted/corrupted". What a brilliant development model!

Javascript kids - is it really so hard to download common code onto your own website having checked it first? OK, maybe you won't get updates so fast, but you won't get shafted like this either.

45
2

Re: This whole debacle mirrors Gamergate

Well not really much. Developers will get the dependencies as they work (using bower or whatever the JS dep manager tool of the week is), and then build a single JS file at deployment time (using webblywobblify or the JS build tool of the week), and that goes up to the server for production. I doubt anyone has ever done <script src="http://randomsite.com/pad-left.js">

I'd only ever load something from a non-local site if it was something I regard as stable, popular, and coming from a robust CDN.

7
3
Silver badge

Re: This whole debacle mirrors Gamergate

"and then build a single JS file at deployment time"

That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

9
0

Re: This whole debacle mirrors Gamergate

Node modules aren't loaded on page load separately, they are usually bundled into something larger. Think like Python modules or C libraries, they're part of a larger whole (except in this case they're JavaScript). I don't think that unpublishing his packages would 'break the internet', it would just stop people from updating their modules during development.

For client side JS, competent devs compile it into a bundle anyway and load it server side. Everyone wants you to use their CDN for some reason though.

The node package manager (npm), though, is abominable and incredibly easy to break.

I also think it's bullshit that the npm maintainer re-published his packages - if they give him the ability to unpublish his work, they are giving him the agency to do so at his choice. Someone could publish a new left-pad that does much of what his script does instead. Then he could sue them for trademark infringement and create a constitutional crisis.

7
0

Re: This whole debacle mirrors Gamergate

That may be your working model, but look at the majority of medium to large websites - their pages all load separate javascript files from assorted sites.

Yes. This is readily apparent when you run something like NoScript. Oh, look, scripts from a dozen domains are blocked on this page. Let's temporarily allow some to try to get this thing working. Great, those have remote dependencies on scripts from another dozen domains...

ECMAScript is the C of the decade. In certain domains it's perfectly suitable, but it's widely used by people who ignore its pitfalls for purposes it is not well-suited for. It's possible to write good ECMAScript code, even for non-trivial projects, but it requires discipline - something few developers seem to care about.

10
1
Silver badge

Re: This whole debacle mirrors Gamergate

"Javascript kids - is it really so hard to download common code onto your own website having checked it first "

Exactly! Is it any wonder that pages take so long to load when shitty little bits of code any beginner could knock up have to be dragged in as *live* dependencies from some 3rd party server? WTF are these people thinking? FFS, this left-pad thing was one of the exercises in BASIC programming in GCE "O" level Computer Studies (No kids, that wasn't a mistake, GCE predates GCSE, yes THAT long ago) back in about 1979 when I took the exam.

For that matter, WHY are there even code snippets like that even made available for live linking? No one could possibly own any IP on such a simple and obvious technique.

4
1

Re: This whole debacle mirrors Gamergate

Yeah, it's not 2005 anymore. No production webapp is built that way. If yours is, you've got some shitty Web devs on your hands. You need to give them a week to learn what a gulp plugin is, or they're fired.

Yes, that's right, we primitive javascript "kids" have discovered these miraculous things called build tools! Anyone would think it was a real language or something. Dipshit.

Did you not even bother to read this comment thread before adding to it? This has already been pointed out. Left-pad was not being "live linked", but pulled in as a static dependency at build-time. This did not "break the Web", it broke nightly builds.

Get down off your high horse before you get a nose bleed.

3
12
Silver badge

"static" volatile dependencies

So, what you're saying is that your organisation's software development process can be stopped at any time by a third-party in a different jurisdiction. I'd love to have the kind of Programme Manager who'd hear that and say "Oh, the builds are broken? Because a guy in XYistan broke a module? And he's not answering his mails? That's fine. I'll tell the client that the service won't ship until an indefinite date in the future, and you guys can all go home early.."

The purpose of any build system is to produce repeatable outputs from your source-code, and to provide an audit trail for your releases. Repeatable is hard when you effectively do Lucky Dip dependency resolution. A build-system worthy of its name can check out any previous release of software by ID, and produce a binary-identical output product to that. A build process is language independent: you might need different tools, but using a particular language for development doesn't magically absolve you from responsibility.

Live-downloading isn't a "static dependency". "static" means "not moving", and you cannot guarantee that from a remote resource. You can barely even guarantee that if it's your dynamically-fetched resource. (Versioning components doesn't help you; you're still relying on strangers to not change code without re-versioning...)

So, if you're live-downloading every time you make a build, explain to me how you guarantee that those remotely-fetched dependencies don't dramatically change between the developer writing the unit tests, and your automated build system running them? There's a good way to waste development time. Also, how do you guard against someone maliciously injecting a backdoor into that crypto class you download every time you make a build.

More to the point (and this is the real reason companies spend money on revision control and build systems): Imagine it's next year, and you're being sued for doing something nasty, and to provide evidence of your innocence, you've got to set up a server with your company's software the way it was on the day of the alleged offence. How the hell are you going to rebuild it? Wayback Machine? Well done, you've just handed their lawyer the downpayment on a yacht.

ALL dependencies used by a project must be accounted for. If you're not doing that, you're just wasting time and effort - you've got a glorified compiler/packager that offers no better consistency or auditing than just deploying straight off a developer's workstation.

10
0
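One way to put the "every dependency accounted for" demand above into a check, as an added example that is not part of the thread: it walks a constructed npm lockfile (lockfile v1 layout with a nested "dependencies" map, an assumption) and flags anything that is not pinned to an exact release, lacks an integrity hash, or resolves over plain http. The sample lockfile, hostnames and integrity value are constructed placeholders.

```javascript
// Added example, not code from the thread. Audits a lockfile object for the
// three things a reproducible build needs from each dependency: an exact
// version, an integrity hash for the tarball, and an https download URL.
const SAMPLE_LOCK = {               // constructed sample, not a real project
  name: "example-app",
  lockfileVersion: 1,               // assumed v1 layout: nested "dependencies"
  dependencies: {
    "left-pad": {
      version: "1.1.3",
      resolved: "https://registry.example.test/left-pad/-/left-pad-1.1.3.tgz",
      integrity: "sha512-PLACEHOLDERINTEGRITYVALUE=="   // placeholder hash
    },
    "some-lib": {
      version: "2.0.0",
      resolved: "https://registry.example.test/some-lib/-/some-lib-2.0.0.tgz",
      // no "integrity": nothing proves this tarball is the one that was reviewed
      dependencies: {
        "helper": {
          version: "git+https://git.example.test/helper.git#master"
          // a moving git branch: "static" in name only, it can change under you
        }
      }
    }
  }
};

// Returns a list of human-readable findings; an empty list means fully pinned.
function auditLockfile(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const id = path ? `${path} > ${name}` : name;
      // exact release: must start with major.minor.patch, not a range or a ref
      if (!/^\d+\.\d+\.\d+/.test(meta.version || "")) {
        findings.push(`${id}: version "${meta.version}" is not an exact release`);
      }
      if (!meta.integrity) {
        findings.push(`${id}: no integrity hash, tarball contents are unverified`);
      }
      if (meta.resolved && !meta.resolved.startsWith("https://")) {
        findings.push(`${id}: resolved URL is not https`);
      }
      walk(meta.dependencies, id);          // recurse into nested sub-deps
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

const report = auditLockfile(SAMPLE_LOCK);
console.log(report.length ? report.join("\n") : "all dependencies pinned");
```

Run against the constructed sample it reports three findings, all under some-lib; left-pad itself passes because it is pinned and hashed.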
Anonymous Coward

Re: This whole debacle mirrors Gamergate

>Left-pad was not being "live linked", but pulled in as a static (static eh?) dependency at build-time. This did not "break the Web", it broke nightly builds.

>Get down off your high horse before you get a nose bleed.

Way to reinforce the original poster's overall point Mr. Web "Developer". At least your UI follows whatever web 3.0 industry design guidelines are in fashion currently with the hipster millennials eh?

6
0
Anonymous Coward

Re: This whole debacle mirrors Gamergate

I doubt anyone has every done <script src="http://randomsite.com/pad-left.js">

You're new here, right?

2
0

Re: This whole debacle mirrors Gamergate

Define "good" ECMAScript.

ECMAScript doesn't expose a modulus operator nor define a method of modularising applications.

In short, it's a hack lacking in almost every meaningful way the basic utilities one takes for granted in languages invented after COBOL; it's neither portable nor well-specified, both of which gave C its longevity.

Being used by people who don't know any better is hardly a reason to drag C's good name into the gutter.

1
0

Re: This whole debacle mirrors Gamergate

Oh yeah, you read an article and you're advising developers on how to organize their work, really? Do you have any comprehension of how the entire stack works and what was actually deleted and loads from where? Yeah, that webpage you made in '98.... You are demonstrating your profanity - you have no idea of how expensive it is to produce production quality, reusable code. The reason why the open source community exists is because it is efficient and reliable.. but yeah, script kids, playing jenga code.

0
0
Silver badge
Go

"This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people"

So he moved to github lol.

Thankfully I wrote my own padStart function as a polyfill. Eventually, in like 10 years, ES7 will add padding a string to JavaScript as standard.

22
1
Silver badge
Boffin

Left padding

I don't do much JavaScript, but is this really the most efficient way to pad a string from the left? What's wrong with a repeat string function then right(lengthNeeded)? This looks like something copied from a BASIC tutorial 20 years ago.

28
1
Silver badge

Re: Left padding

Exactly what I was thinking - after checking ch and len were valid, it should just be a case of

return ch.repeat(len - str.length) + str;

6
1
Silver badge
Windows

Re: Left padding

This looks like something copied from a BASIC tutorial 20 years ago.

I think you mean 30 years ago.

As the Reg population ages, an "undertaker" icon will become of higher priority.

23
1
Silver badge
Unhappy

I think you mean 30 years ago

You caught me out! 30 years ago, I was working with BBC B and ZX Spectrum. They were both getting long in the tooth at the time.

Feeling really old now.

5
1
Silver badge

Re: Left padding

"What's wrong with a repeat string function then right(lengthNeeded)?"

String.prototype.repeat didn't officially exist until last year. Yes it can be done more efficiently than repeatedly adding a single string together. (Mine takes no more than 2 × log2(N) concatenations to produce N repeats.) But typical paddings are a handful of characters, so that's probably as efficient as anything: remember we are on 64 bit machines where you can have 8 utf8 characters in a single register; concatenation is just bit shift and bitwise-or.

5
1
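The doubling trick the comment above alludes to, written out as an added example (my own code and names, not the commenter's): repeatByDoubling builds N copies of a pad character by squaring a buffer, so the number of concatenations grows with log2(N) rather than N, and leftpad uses it while covering the edge cases raised in this thread (numeric input, 0 as the pad character, a target length shorter than the string).

```javascript
// Added example, not code from the thread. Produces n copies of ch using
// binary decomposition of n: one concatenation per set bit plus one
// doubling per bit, so roughly 2*log2(n) concatenations in total.
function repeatByDoubling(ch, n) {
  let out = "";
  let chunk = ch;          // holds ch repeated 1, 2, 4, 8, ... times
  let count = 0;           // number of concatenations, to show the bound
  while (n > 0) {
    if (n & 1) { out += chunk; count++; }      // this bit is set: take chunk
    n >>= 1;
    if (n > 0) { chunk += chunk; count++; }    // double for the next bit
  }
  return { out, count };
}

// Left-pads str to len characters with ch (default: space). Never truncates.
function leftpad(str, len, ch) {
  str = String(str);                           // numbers pad too, as in the thread
  // 0 as the pad character is a legitimate value, so test for "missing" explicitly
  ch = (ch === undefined || ch === null || ch === "") ? " " : String(ch)[0];
  const missing = len - str.length;
  if (!(missing > 0)) return str;              // also covers a NaN or undefined len
  return repeatByDoubling(ch, missing).out + str;
}

console.log(leftpad(7, 3, 0), leftpad("abc", 6), repeatByDoubling("-", 1000).count);
```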
Silver badge

Re: Left padding

"I think you mean 30 years ago."

Only 30? Kids today.... Wanders off mumbling to self.

6
1
Boffin

Re: Left padding

function leftpad(str, len, ch)
{
    // Pre-built pads; padding longer than these strings is silently capped.
    var s1 = '                                                ';
    var s2 = '0000000000000000000000000000000000000000';
    str = String(str);                       // so numbers get a .length too
    // substr with a zero or negative count yields '', so str is never truncated
    if (ch && ch == '0') return s2.substr(0, len - str.length) + str;
    return s1.substr(0, len - str.length) + str;   // any other pad char: spaces
}

et voilà!

0
0

Re: I think you mean 30 years ago

Oh please, 30 years ago was 1986, the year the Spectrum 128 and BBC Master 128 were released, they were hardly long in the tooth then, 4 years old in the case of the Speccy, 5 in the case of the Beeb.

Still a great fan of both platforms, the Sinclairs for bringing computing to people who couldn't otherwise afford it and the BBC for creating an excellent machine with a structured basic, an understandable accessible OS and a proper assembler, in ROM.

Still have one of each set up here (although rather modified/expanded to make use of modern storage solutions, CF and Ethernet in the case of the Speccy, SD in the case of the BBC (bit-banged SPI using the user VIA to do SD access)), if curious see: http://kupo.be/tpics/oldsystems20160307.jpg

2
0
JLV
Silver badge

>Thankfully I wrote my own padStart function

This chimes with me as well. How often, in Python/Django you see an SO question that requires 20-30 lines of code.

With the recommendations to pip in package XYZ that does it for you. Now you have an external dependency for something super trivial.

JS should really tweak some basic stuff though. Even the humble sprintf seems missing. I use Handlebars for that now* but it's like swatting a fly with Yamato's 18"s.

* and mostly for templating

1
0

His code was already on Github. Good point, though.

0
0

Re: Left padding

You kids get off my len()! Feeling old.

3
0
Silver badge
Happy

Re: Left padding

Starting to feel sorry for the guy. First he's threatened by lawyers, now we're all saying his code is rubbish!

3
0
Anonymous Coward

Re: Left padding

Get yerself a proper language. Y'know, something which doesn't require manually defined functions to left pad a string.

s/^(.*)/$padchar x ($wantlength-length($_)+1) .$1/e;'

If only we had something... something which had been around since 1987...

0
0

turning into a coding competition?

function leftpad(str, len, ch)
{
    var i = len - (str + "").length;                  // characters still needed
    // Array(i + 1).join(x) yields i copies of x; 0 is accepted as a pad char
    var pad = (i > 0) ? Array(i + 1).join((ch || ch === 0) ? ch : " ") : "";
    return pad + str;
}

No charge.

-A.

0
1
Anonymous Coward

Re: Left padding

Only 30? Kids today.... Wanders off mumbling to self.

Indeed. 30 years ago they already had these new-fangled electronic computers!

I remember back in the day, having to rig up the pulleys and vine ropes just right, and keeping the elephants motivated was a nightmare!

0
0

Re: Left padding

Actually Basic was introduced into classes at Dartmouth College 52 years ago, and I suspect that padding a string on the left was something that cropped up in class within the first couple of years of using it as a teaching language. By the mid-70s it was used all over the place. So I think 40 years ago is more likely than 30, and it's quite likely that it turned up in a tutorial developed at Dartmouth 50 years ago.

0
0

Re: Left padding

Good old DTSS. I can't be arsed to dig out my copy of BASIC 6th edition to see if there was a built-in function that would do the job. In any event someone did it in COBOL long before to pad out money amounts with asterisks on cheques.

RUN LEM****

0
0
Anonymous Coward

Good for the guy that pulled it

I really hope this gets more attention.

Kik is that crappy messaging (yes another one) "app" (so already, program for phones). How the f*ck would you mix that up with a javascript package? The D&T teacher MAYBE might be fool enough to think "Whoa, the kick app", or some tool who pastes into a terminal and hopes, but no one of any significance!

I hope this gains more attention because things where "Oh you can't have the word scrolls", "nice letters there.... they're ours" shouldn't be a problem when there's no chance of mixup or they're in totally different areas.

Grr

Posted AC because I never know how you guys are gonna react. Volatile gits.

PS: I wish the NPM guys put up more of a fight.

95
4
Silver badge
Thumb Down

Re: Cease and desist

I have recently launched an app called 'Anonymous Coward'. Your username infringes on my unregistered trademark, and I demand you withdraw your comment immediately.

127
1

Re: Good for the guy that pulled it

"How the f*ck would you mix that up with a javascript package?"

How the f*ck would you mix that up with "curved corners"?

Money talks, bullshit walks.

41
3
Anonymous Coward

Re: Cease and desist

@massivelySerial - I represent a company that makes oversized sugar and chemical loaded corn-based snacks for consumption at breakfast time. Your username infringes on my unregistered trademark, and I demand you withdraw your comment immediately.

20
1

Re: Cease and desist

> @massivelySerial - I represent a company that makes oversized sugar and chemical loaded corn-based snacks for consumption at breakfast time.

Well, that comment was rather homophonic.

21
1
Silver badge

Re: Cease and desist

"I have recently launched an app called 'Anonymous Coward'."

I have dibs on the first part of that! Someone call a lawyer!

5
1
Anonymous Coward

Re: Cease and desist

Dear Blowhard,

It has come to our attention that you are infringing the copyright of Kim Kardashian...

16
1
Stop

Re: Cease and desist

Will you lot calm down! All those flushed faces are in danger of falling foul of Royal Mail's lawyers

5
0
Silver badge
Coat

Re: Cease and desist

It certainly sounds homophonic...

1
0
Anonymous Coward

Re: Cease and desist

"I have recently launched an app called 'Anonymous Coward'. Your username infringes on my unregistered trademark, and I demand you withdraw your comment immediately."

The /. community would like to have a word with you.

0
0
Anonymous Coward

Re: Cease and desist

Homophonic? I always consider myself very pro gaze.

3
0
Silver badge

Re: Good for the guy that pulled it

"I really hope this gets more attention."

Let's also hope that Kik finds itself heavily dependant on some of the code that got pulled. And their lawyers. Karma.

3
1
Anonymous Coward

Re: Cease and desist

one of the best threads to date.

1
0
Anonymous Coward

Re: Good for the guy that pulled it

They reply to every tweet with "Thanks for reaching out...". They deserve to die just for that.

10
1
Anonymous Coward

Re: Cease and desist

I'm Anonymous Coward and so is my wife

2
0
Silver badge
Trollface

Re: Good for the guy that pulled it

Money talks, bullshit common sense walks.

There, fixed it for you.

0
0
Silver badge

But did Kik's website go down?

It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

38
0
Silver badge

Re: But did Kik's website go down?

Even better if the Kik's shitesters website had imploded too. Would be great if they got a sudden lesson in intellectual property rights "Know that stuff you're using? Well it's mine and you can F*&k right off"

13
0
Anonymous Coward

Re: But did Kik's website go down?

It would have been truly karmic justice if by removing the NPM code, Kik's own website went down. Do they have a website? I have no idea, it just isn't worth the bother to look at them.

They have a website with the worst privacy policy ever (you can't examine the whole policy, you have to walk through it one chapter at a time), and despite being apparently a Canadian company (don't know this for certain - I'm really starting to dislike companies that don't put their address on their website) I would not trust them with ANY data because they appear to genuinely have no idea how to protect their users.

Not that I would ever use them anyway as I'm quite happy with the apps I have, and I am rather unimpressed by how they took this on. Overzealous lawyers are IMHO more a corporate risk than a benefit.

4
0
