[Not actually OT] Trouble in node.js land

Steven D'Aprano steve+comp.lang.python at pearwood.info
Wed Mar 23 05:03:31 EDT 2016


This is not actually off-topic, as it has relevance to open source projects 
like Python: the importance of getting package management right, and not 
basing your development ecosystem on cowboys who might pull the rug out from 
under your feet at any time.

Ironically, this also showcases what happens when you use a language with no 
batteries included, namely JavaScript.

One developer just broke most of the Node.js ecosystem by removing an eleven 
line package from npm (the node.js package manager, somewhat similar to 
Python's pip only even more critical):

http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

This critical package is "left-pad". What does it do? It pads strings with 
spaces from the left. It's not just spaces though, it can pad with any 
character you like! Zeroes, commas, even hash signs! We truly live in an age 
of miracles.

The removal of this package (along with about 250 others by the same author, 
but only left-pad appears to have been noticed) crippled Node.js development 
as suddenly thousands of deployed apps could no longer download their 
dependencies.

The author removed his package in a fit of pique because he wasn't allowed 
to continue using a trademarked name. Rather than suck it up like a grown-up 
and change the package name, he removed his entire collection of packages 
from npm and (temporarily) broke the entire Node.js ecosystem.

https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c

Of course, moving his allegedly infringing package "kik" to github isn't 
going to fix the problem. It's still allegedly infringing.


More discussion here:

https://github.com/azer/left-pad/issues/4

https://news.ycombinator.com/item?id=11340510

https://www.reddit.com/r/programming/comments/4bjss2/an_11_line_npm_package_called_leftpad_with_only/

A colleague passed on this quote from an acquaintance of his:

"i asked an npm dev at a talk once if they were going to make a stable 
version and they said javascript is not like operating systems and doesn't 
need stable versions"


There's a lesson here for Python package management too. As pip becomes ever 
more popular and functional, there are certain people who believe that the 
whole "batteries included" philosophy of Python is outdated and unnecessary. 
Why have a standard library when you can just download the most recent 
version from PyPI using pip? The node.js experience shows how this can go 
badly wrong.



For those curious, here's left-pad in all its glory:

module.exports = leftpad;
function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  }
  return str;
}

I leave a Python translation for the experts :-)


-- 
Steve