Developer breaks thousands of JavaScript, Node apps with 11 lines of code

All it took was 11 lines of JavaScript for this disgruntled developer to break thousands of apps such as Babel and Node.

There is a saying that even hell doesn't have the fury of a scorned woman. It would be safe to say the same about scorned developers, because a disgruntled developer has left JavaScript developers scrambling left and right to fix an issue that was crashing builds and affecting thousands of projects.

The issue arose after countless projects were left in limbo because of a three-way spat between the programmer, Azer Koçulu, the company behind npm, and messaging app Kik.

What started the fight, according to Koçulu, was that Kik’s lawyers challenged the name of one of his modules on npm, which was also called Kik. A Kik lawyer asked him to delete it from npm. “My answer was ‘no’,” Koçulu explained.

Kik’s legal team then approached npm CEO Isaac Schlueter and requested the name change. According to Koçulu, following the legal threat, Schlueter “accepted to change the ownership of this module, without my permission”.

Koçulu responded by unpublishing all his packages from npm, which included the critical left-pad module. This tiny JavaScript library has only 17 lines of code, which pad a string on the left with zeros or spaces.

Once Koçulu unpublished his packages, making them available only via GitHub, automated builds of thousands of projects broke and developers were sent into frantic debugging sessions. The left-pad module had around 100,000 downloads per day and 2.5 million in the past month alone.

The fight then spilled over onto Twitter and Reddit. “This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People,” Koçulu wrote yesterday.

Everything is back to normal now

The good news is that Koçulu has agreed to transfer ownership of his projects to anyone interested in taking them over and re-uploading them to npm.

It will take some time to have all his modules transferred to new owners, but in the meantime, left-pad has found a new home, and devs can breathe a sigh of relief that everything is up and running again.

Koçulu's fight for self-esteem isn't without future cyber security implications: by removing all his npm modules, he also freed up the names of those modules. This means that anyone could very easily have registered another left-pad module and delivered malicious code into the builds of thousands of JavaScript projects.

Kik, the messaging app, tells a different story altogether. In a Medium post, Mike Roberts, head of products at Kik, explained the company's position on the whole issue. He says in the post that they will avoid the Kik name for their forthcoming package in order to avoid a clash with Koçulu's Kik. He also published details of the email exchange between Kik and Azer to show that they had tried hard to convince Azer to give up the name.

It is for our readers to judge whether Koçulu was too hasty in pulling the plug on his modules, causing pain for thousands of developers.
