npm left-pad incident

submited by
Style Pass
2024-11-29 22:00:07

On March 22, 2016, software engineer Azer Koçulu took down the left-pad package that he had published to npm (a JavaScript package manager). Koçulu deleted the package after a dispute with Kik Messenger, in which the company forcibly took control of the package name kik. As a result, thousands of software projects that used left-pad as a dependency, including the Babel transcompiler and the React web framework, were unable to be built or installed. This caused widespread disruption, as technology corporations small and large, including Meta Platforms, PayPal, Netflix and Spotify, used left-pad in their software products.

Several hours after the package was removed from npm, the company behind the platform, npm, Inc, manually restored the package. Later, npm disabled the ability to remove a package if more than 24 hours have elapsed since its publishing date and at least one other project depends on it. The incident drew widespread media attention and reactions from people in the software industry. The removal of left-pad has prompted discussion regarding the intentional self-sabotage of software to promote social justice and brought attention to the elevated possibility of supply chain attacks in modular programming.

left-pad was a free and open-source JavaScript package published by Azer Koçulu, an independent software engineer based in Oakland, California.[ 1] The package repetitively prepends characters to a string using a loop.[ 1] left-pad has been characterized as being extremely simple, consisting of only 11 lines of code (when empty lines are discounted) in the final version authored by Koçulu.[ 2] [ 3]

Leave a Comment