When a programmer broke the internet!

Matt Weinberger

Advertisement

Last week, one angry programmer broke a whole mess of the software the internet runs on with the deletion of one simple program consisting of 11 lines of code.

Everything is OK now. But it’s a strange case that involves copyright lawyers, a petulant developer, and a behind-the-scenes look into how tech titans like Facebook, Spotify, and Netflix make the sausage. It all starts with a developer named Azer Koçulu, who wrote an otherwise unremarkable piece of code called Kik, an extension for the popular programming language Node.js. Koçulu put his Kik module up on NPM, essentially an App Store for Node.js programmers, as a free download for developers to work into their apps at their leisure.

The other Kik

Kik, a popular social network of the same name, sent Koçulu an email requesting that he change the module’s name. Koçulu’s admits Kik’s initial request was reasonable. Still, Koçulu wouldn’t budge.

“When I started coding Kik, didn’t know there is a company with same name. And I didn’t want to let a company force me to change the name of it,” Koçulu writes. Given that Kik did have copyright on its side, Koçulu says that NPM CEO Isaac Schlueter took away his ownership of the module in question without asking. Koçulu announced he was removing his Kik from NPM entirely — as well as all of his other code.

It’s likely that nobody would have noticed — except that Koçulu is also the person who created a very silly, very basic, but very popular NPM module called “npm left-pad”. It’s 11 lines long and doesn’t actually do anything complicated, but it’s been downloaded over 575,000 times. When it vanished, developers on Reddit, Twitter and elsewhere did take notice.

A house of cards

This is where things get sticky. A module like npm left-pad is basically a shortcut so a developer doesn’t have to write a whole bunch of basic code from scratch. If a developer calls on an NPM module, it’s basically shorthand for “put this code in later”, and a software compiler will just download the code when the time is right.

Most of the time, this works just fine. But sometimes the software ends up relying on what’s essentially a house of cards: One Node.js module calls on another, calls on another, calls on another. Again, usually it works fine — right up until npm left-pad is taken offline. Boom — down went the house of cards. Popular software projects like Babel, which helps Facebook, Netflix and Spotify run code faster, and React, which helps developers build better interfaces, were suddenly broken. Overall, over a thousand projects were affected.

Fixing the problem would require programmers to sift through all of those dependencies, making sure nothing relied on the silly 11-line code. And after a mass outcry from developers worldover, NPM was forced to “un-un-publish” the code in question, handing it over to a new owner.

NPM CTO Laurie Voss says on Twitter that the company wasn’t comfortable handing over what’s still Koçulu’s intellectual property, but much of the software industry had ground to a halt over the issue. The storm is over, and npm left-pad is back online. But the wounds are felt: “Have We Forgotten How To Program,” asks a blogger urging developers to rethink how they build their apps.

— The Independent