科技回声

I've Just Liberated My Modules

1573 points, by chejazi, about 9 years ago

116 comments

callmevlad, about 9 years ago

The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, "liberated") over 250 NPM modules, making those global names (e.g. "map", "alert", "iframe", "subscription", etc) available for anyone to register and replace with any code they wish.

These libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, "left-pad" with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds. Because most package.json configs use the "^1.0.1" caret convention (and npm --save defaults to this mode), the vast majority of future installs could grab the malicious version.

@seldo Is there a plan to address this? If I'm understanding this right, it seems pretty scary :|

[1] https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.6je6fouj8
nordsieck, about 9 years ago

One interesting thing to me is that it is pretty clear that the kik lawyers pretty dramatically over-enforced their trademark.

For those who don't know, the purpose of trademarks is to prevent customer confusion; essentially we don't want people to be able to sell cheap knock-offs of someone else's thing without the general public being able to easily distinguish between them. In practical terms, trademarks are "scoped" by their "goods and services" declarations.

For example, Apple the device manufacturer[1] and Apple the record label[2] could both be trademarked because they had non-overlapping goods and services declarations... until iTunes started selling music[3].

If you look at kik's trademark application[4], you can clearly see that the trademark is limited to chat/media consumer applications, a pretty obvious over-enforcement.

[1] http://apple.com

[2] http://applerecords.com

[3] https://en.wikipedia.org/wiki/Apple_Corps_v_Apple_Computer

[4] https://trademarks.justia.com/858/93/kik-85893307.html
larkinrichards, about 9 years ago

I applaud this action and while I'd like to point the finger at NPM, there's no real other method to fix historical package versions that depend on this.

It is worth pointing to the silly state of NPM packages: who decided that an external dependency was necessary for a module that is 17 lines of code?

```javascript
module.exports = leftpad;

// Pads `str` on the left with `ch` (default: a space) until it is `len` characters long.
function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  // A falsy `ch` other than the number 0 falls back to a space.
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  }
  return str;
}
```

Developers: fewer dependencies are better, especially when they're so simple!

You know what's also awesome? The caret semver specifier[1]. You could install a new, broken version of a dependency doing that, especially when other packages using peerDependencies rely on specific versions and you've used a caret semver specifier.

[1] https://github.com/lydell/line-numbers/pull/3/files
smsm42, about 9 years ago

Reading some of the comments reminds me of an old tale about a young man who every morning on his way to work passed by a beggar and gave him a coin (that was back when coins actually had some value). One morning though the beggar notices the coin is smaller than usual, and he asks:

- Why did you give me a different coin today?

and the young man says:

- I got married and now I'm starting a family, I need more money so I can not give you as much anymore.

And the beggar cries out:

- People, look at this putz, he got married, and now I have to feed his family?!

I think the fact that we get so many awesome things for free is unbelievably lucky. I mean, not only do we work in one of the more generously paid jobs, we also get a lot of the tools we need for free! How cool is that? But some people think that if they are given those awesome things for free, they must deserve it and whoever gives them owes them forever. That's not the case. Yes, it is annoying to find somebody who contributed before does not want to do it anymore. It is mildly inconvenient and it can be improved. But let's not lose the perspective - the author does not owe us or npm continued support. It is sad he does not want to do it anymore, but that's what open source is about - people can take it over, and it happened within a single day. Such resilience is something to be proud of, not something to complain about.
camwest, about 9 years ago

FYI I'm the one who republished left-pad after it was unpublished.

I think of it as similar to letting a domain name expire. The original author removed the code and I forked it and published a new version with the same package name.

The main issue was there were so many hard-coded dependencies on 0.0.3, so I asked npm support if they could allow me to re-publish that version and they complied since I was now the maintainer of that package.
praxulus, about 9 years ago

This is a surprisingly effective protest action. It got the attention of an incredible number of people very quickly, and the damage is mostly limited to wasting the time of a bunch of build cops.

I don't have much of an opinion on his actual reasons for protesting, but I do think it was a pretty cool protest.
felixrieseberg, about 9 years ago

Azer has contributed awesome modules to the community, but such a move _obviously_ messes with a bunch of people who previously didn't trust npm, but Azer. Npm works fine. There might be issues with it, but the reason builds are failing right now is that he decided to unpublish all of them - in a move that feels very kneejerky, despite him claiming that it's the opposite.

If this had actually been in the interest of the community (because he thinks that npm isn't acting in our interest), he'd give people a fair warning. I could have lived with a "Hey, this was my experience, it sucked, I'll unpublish things in 30 days. Please update your dependencies." We know how to deprecate things gracefully.
jimjimjim, about 9 years ago

I am obviously an old fossilized ancient developer. This situation seems like insanity.

Not the unpublishing part; the part where the thing that you require to sell/publish/do your job isn't under control or isn't stored within your organization.

Am I wrong in thinking that you should just have a local copy of all of your source code dependencies? Would it really take that much longer?
chvid, about 9 years ago

In case anyone is wondering what was in the now broken dependency - here is the source code in full:

```javascript
module.exports = leftpad;

function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  }
  return str;
}
```

https://github.com/azer/left-pad/blob/master/index.js
cammsaul, about 9 years ago

Update: NPM takes "unprecedented action [...] given the severity and widespread nature of the breakage" and un-un-publishes left-pad

https://twitter.com/seldo/status/712414400808755200
jerf, about 9 years ago

This is why you should vendor it. What is "it"? All of it, whatever it may be. You should be able to build your systems without an internet connection to the outside world.

I say this with no reference to particulars of your language or runtime or environment or anything else. This is merely a specific example of something that could happen to a lot of people, in a lot of languages. It's just a basic rule of professional software development.
drinchev, about 9 years ago

Sadly there is a user @nj48, who already published empty modules and took the names [1].

Is this a joke or something coordinated with the community?

[1] https://www.npmjs.com/~nj48

EDIT: The hijacked modules look suspicious. http://www.drinchev.com/blog/alert-npm-modules-hijacked/
tdicola, about 9 years ago

I've never felt good any time I have to use node modules and see this gigantic stream of dependencies come flying down. It's even more painful when you need to assemble license information for your software and crawl through _every single dependency and all of their dependencies_ to find their licenses, etc. to check they are OK to use in your software. Just look at the View License info in the Atom text editor some time for a truly insane wall of text (over 12,000 lines!!). IMHO the entire node / NPM system is seriously flawed with so many tiny dependencies for trivial stuff.
jwiley, about 9 years ago

I think that unfortunately this was a foregone conclusion. Copyright law, like most other laws in our society, favors corporate interests.

I support his stand on principle, however. Azer is a talented developer and has an impressive life story, and has certainly contributed more to society than a social network well known for invading children's privacy.

https://medium.com/@azerbike/i-owe-my-career-to-an-iraqi-immigrant-2c075a495b25#.355he9y0b

https://en.wikipedia.org/wiki/Kik_Messenger#Controversies
x0ner, about 9 years ago

Not sure I follow this completely...

You start a project with the same name as a company which owns the registered brand, and are surprised when some 3rd party complies with legal suggestions to make an adjustment?

Seems kind of silly to expect that NPM would want to fight for your project name when you didn't seem to do your own due diligence when picking a name. Also, a bit backwards to go remove all your modules as well, therefore breaking builds.
joeandaverde, about 9 years ago

Here's a highly downloaded 11-line module with lots of dependents.

https://www.npmjs.com/package/escape-string-regexp

I stopped searching at 1.

I've certainly benefitted from the vast ecosystem of npm. I greatly appreciate the work that goes into making this ecosystem what it is. However, I think we need to be a bit more critical when it comes to acquiring dependencies. Especially authors of very prominent packages.

Fun fact: one of my projects (a web api) depends on over 700 unique name/version modules.

Fellow programmers. This is embarrassing.
aioprisan, about 9 years ago

If NPM wants to stay relevant and a serious contender, they need to have clearer policies in case of IP issues. In this case, the companies weren't even in the same space. Republishing the package of someone who has chosen to unpublish and leave your platform is akin to Facebook resurrecting a Facebook profile because they had a lot of friends and the social circle ripple effects would be too high for feed quality for other users, so they chose to reactivate the account AGAINST the author's wishes. WHAT?!? We need an open source NPM alternative, yesterday.
nchelluri, about 9 years ago

Wow, very interesting post for me. Earlier today, at work, we ran into an issue where `npm install` was failing because the `shuffle-array` module wasn't found. Investigation showed that the cause was that it was unpublished today. We found that this was a required dependency of the `match` module and this was in our dependency list in `package.json`.

We investigated and found out that it had been erroneously committed — it's actually a memory game and has absolutely no place in our webservice project. :) (Mistakes happen… dependency audits can be worthwhile!)

Now, some hours later, I found your post on HackerNews and was really shocked to see, hey, this is exactly why it was unpublished. Quite a chain of events. Never thought I'd figure out why the modules were unpublished, but now I get it! Thanks for the explanation.

[crossposted from the medium article]
zwetan, about 9 years ago

Funny thing, but assuming that kik is related to kik.com:

if you look here http://dev.kik.com/build/, they promote their own server, e.g. "Our open source web server Zerver can help serve your cache manifest properly, as well as doing other speed boosting stuff like automatic style inlining."

This Zerver is on GitHub and built with npm:

https://github.com/jairajs89/zerver/blob/master/package.json

I did not run the build but I'm pretty sure that now their server is not building anymore as it depends on babel.

Call that irony ;) ?
overgard, about 9 years ago

I think it's amusing to see this from the perspective of the company. Some guy uses your trademark without your permission so you tell him to knock it off. He refuses, so you go around him, and so he protests... by fucking over all of his users. In a dispute that doesn't involve them. And people are celebrating this.
adamkittelson, about 9 years ago

About a year ago I tried to unpublish a version of a library I'd pushed to Elixir's hex.pm package manager but the API rejected it. Turns out they only allow you to revert publishing for an hour after you push.

It was a little inconvenient at the time but in light of this I can very clearly see the wisdom of that decision.
chejazi, about 9 years ago

This broke a number of builds that depended on the (previously) published modules; here's a GitHub issue showcasing that: https://github.com/azer/left-pad/issues/4
al2o3cr, about 9 years ago

"eventually create a truly free alternative for NPM."

Which will either comply with copyright laws, or get blasted off the 'netz and break _everyone's_ build...

The rules are messed up, but dramatic gestures and abstract hopes that "free software will save us" aren't going to fix them.
dham, about 9 years ago

What if Kik uses Node and they broke their own builds inadvertently by enforcing their trademark. 0_0
dham, about 9 years ago

Small modules they say. Small standard lib is ok they say. Just going to point out that in a lot of other languages, string padding is just built into the standard lib.
mschuster91, about 9 years ago

Brouhaha, this is why you should not put node_modules into .gitignore (same for PHP's composer.lock and vendor/ folder).

To be honest, I have waited for something like this to happen so that people finally wake up and realize how deeply and truly compromised the JS ecosystem really is. 11 SLOC not available any more and all over the internet builds are breaking etc.?!

And please, why isn't essential stuff like this in the JS standard string library?
vulpes, about 9 years ago

Here's [1] a list of all modules that were liberated. Some serious land-grab opportunities there.

[1]: https://gist.github.com/azer/db27417ee84b5f34a6ea
KajMagnus, about 9 years ago

Does this mean that I can no longer safely run `npm update`, or ask anyone to download my Node.js project and tell them to run `npm install`? Because the npm repo has in effect been compromised and is unsafe to use, until further notice?

That's what I'm assuming right now anyway. I'm not going to upgrade any Node.js dependencies or run `npm update` or tell anyone to run `npm install`.

If you look at the list of liberated libraries ( https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt ) — it's "impossible" for me to know which ones of all these libs I use indirectly via some other libraries, and ...

...Elsewhere in this discussion: (https://news.ycombinator.com/item?id=11343297)

> > Is there a plan to address this?

> Too late. Every package name on the list has been claimed already by a randomer with unknown intentions.

Sounds dangerous to me. ... And I wish there was some way to get notified, when this issue has been fixed somehow.
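An added example, not code from this thread or from npm, addressing the two defender questions raised above: callmevlad's point that a caret range lets a future publish of an unpublished name flow into fresh installs, and KajMagnus's point that the risky names may only be reached transitively. It walks a simplified, lockfile-shaped tree (the tree shape, the unpublished list and every package name other than left-pad, map and alert are constructed assumptions) and reports each reachable unpublished name with its path and whether the declared range floats, including the caret nuance that `^0.0.3` is effectively pinned while `^1.0.1` is not.

```javascript
// Added example (not from the thread). Audit a simplified, lockfile-shaped
// dependency tree for packages whose names are on an "unpublished" list and
// report whether the declared range could pull in a version published later.
// Tree shape (an assumption, loosely modelled on npm's nested lockfile layout):
//   { name?, version, requires: { name: range }, dependencies: { name: node } }

// Constructed list: left-pad, map and alert are names mentioned in the thread;
// the linked gist carries the real list.
const UNPUBLISHED = new Set(["left-pad", "map", "alert", "iframe", "subscription"]);

// Constructed project tree; "example-web-api" and "report-formatter" are hypothetical.
const LOCK = {
  name: "example-web-api",
  version: "1.0.0",
  requires: { "left-pad": "^0.0.3", "report-formatter": "^2.0.0", lodash: "4.6.1" },
  dependencies: {
    "left-pad": { version: "0.0.3" },
    "report-formatter": {
      version: "2.3.1",
      requires: { map: "^1.0.1", alert: "~2.1.0" },
      dependencies: {
        map: { version: "1.0.1" },
        alert: { version: "2.1.4" },
      },
    },
    lodash: { version: "4.6.1" },
  },
};

const EXACT = /^\d+\.\d+\.\d+$/;
const CARET_OR_TILDE = /^([\^~])(\d+)\.(\d+)\.(\d+)$/;

// True when the range can resolve to a version that did not exist when it was
// written, i.e. a newly published release would be picked up by a fresh install.
function rangeFloats(range) {
  const r = String(range).trim();
  if (EXACT.test(r)) return false;           // "1.2.3": pinned
  const m = CARET_OR_TILDE.exec(r);
  if (!m) return true;                        // "*", "latest", ">=1.0.0", "1.x", "": treat as floating
  const [, op, major, minor] = m;
  if (op === "~") return true;                // "~1.2.3" accepts 1.2.4
  // Caret: "^1.0.1" accepts 1.x.y and "^0.1.2" accepts 0.1.x, but "^0.0.3" only 0.0.3.
  return !(major === "0" && minor === "0");
}

// Depth-first walk; one finding per occurrence of an unpublished name, with the
// path through which it is reached and the range declared on that edge.
function auditLock(lock, unpublished) {
  const findings = [];
  function visit(node, path) {
    const deps = node.dependencies || {};
    const ranges = node.requires || {};
    for (const [name, child] of Object.entries(deps)) {
      const here = [...path, name];
      if (unpublished.has(name)) {
        // An edge with no declared range is treated as "*" (worst case).
        const range = name in ranges ? ranges[name] : "*";
        findings.push({
          name,
          version: child.version,
          path: here.join(" > "),
          range,
          floats: rangeFloats(range),
        });
      }
      visit(child, here);
    }
  }
  visit(lock, [lock.name || "(root)"]);
  return findings;
}

// Human-readable report; FLOATING entries are the ones to pin (or vendor)
// before the next install runs against the registry.
function formatReport(findings) {
  if (findings.length === 0) return "no unpublished packages in tree";
  return findings
    .map(f => `${f.floats ? "FLOATING" : "pinned  "} ${f.path} (${f.range}, installed ${f.version})`)
    .join("\n");
}

console.log(formatReport(auditLock(LOCK, UNPUBLISHED)));
```

Pinning the range does not by itself protect against a re-published package under the same version on a registry that allows it; the comments above about vendoring and lockfile integrity address that part.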
tobltobs, about 9 years ago

Even if those trademarks would include a tool like kik, it is completely brainwashed to enable trademarks for three-letter words and enforce them on software package names.

What are we supposed to type for package names in 10 years? 'abshwjais_kik', or will it be hipster to use unicode like in 'κικ'?
jonathankoren, about 9 years ago

My god! It's full of attack vectors! https://github.com/substack/provinces/issues/20
fiatjaf, about 9 years ago

Why isn't GitHub the source of all node packages? npm supports it very nicely.

I mean: why don't people write `npm install user/repo --save` instead of `npm install package --save` every time already?
cyphar, about 9 years ago

Seems odd that a patent lawyer is being involved in a trademark dispute. Also, given the fact that he didn't make any money off it, I _severely_ doubt that it would ever go to court.
seldo, about 9 years ago

The package author decided to unpublish the package. A new author has now stepped in and re-published the package (yay open source!) and deps are fixed.
kikcomms, about 9 years ago

Hi everyone, please read this explanation from Kik's head of messenger about how this played out: https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d

We're sorry for our part in creating the impression that this was anything more than a polite request to use the Kik package name for an upcoming open source project.
lerpa, about 9 years ago

Good for him, if that platform isn't working go somewhere else.

The major problem here is relying on a central authority like NPM in the first place.
lukegt, about 9 years ago

I like how npm even encourages you to create packages in place of the "liberated" ones when you try to visit their now missing pages:

https://www.npmjs.com/package/abril-fatface

```
abril-fatface will be yours. Oh yes, abril-fatface will be yours.

mkdir abril-fatface
cd abril-fatface
npm init
# work your magic…
npm publish
```
sklivvz1971, about 9 years ago

The problem here is that NPM is a private company in an institutional role.

You will always have some very common dependencies which, if brought down or altered, could compromise a lot of projects.

The problem is that npm has to act like an institution, not like a private company.
tobltobs, about 9 years ago

My congrats and respect for his decision. Through actions like this companies might understand that the current trademark (and patent) law is only benefiting lawyers.

And wouldn't it be wonderful if as a result of this the build for KIK's Pedo API were broken?
larrik, about 9 years ago

I don't think Kik is the bad guy here. This npm module was rather new (<6 months?), while Kik Messenger has been around for years, and is VERY popular with the young crowd. They are both software. It would be like the author naming his module 'imessage' or 'spotify', except this is with a company that isn't as visible to the HN crowd.

I personally think him not knowing Kik existed was odd, and not googling the name at all even odder. Even still, I think Kik's response and npm's response were perfectly valid.

Looking at the voting of the comments here makes me sad for what has become of the HN community.
julie1, about 9 years ago

The number of coders complaining about an author exercising the basics of intellectual property rights is too high.

1) all coders should understand authors' rights, be the code free or closed;

2) there is no excuse for someone whose value is based on creativity to ignore how IP works (the good and the bad part) because our comfortable incomes come from the protection these rights give to our work;

3) if your code is broken for 11 sloc, maybe you depend too much on others' work and you have no value yourselves.

Benevolent persons sharing their code in their free time owe you nothing.

Repay authors whose code you use.

Buy closed source software, and at least respect the free software authors. It costs you nothing already.
nikolay, about 9 years ago

IED [0] + IPFS [1] + GPG looks like a dream come true.

Note: IED could be much faster than NPM installer due to parallel downloads, which would work great with the slower IPFS.

[0]: http://gugel.io/ied/

[1]: https://ipfs.io/
jlarocco, about 9 years ago

Assuming it's kik.com that complained, the complaint to take down the kik NPM module seems legitimate. They've clearly been around a lot longer, are known by more people, and are in an overlapping market.

It seems like a lot of people would expect a kik module in NPM to be related to the company in some way, and it wasn't.
swang, about 9 years ago

Was that lawyer overreaching? I don't know. But for this guy to expect npm to use their resources to defend him (which they may even possibly lose!) and get mad at them is... a bit presumptuous? Github isn't open source either, so is he going to get mad when the lawyers send them an email about kik?
_it_me, about 9 years ago

Lol that satire flipped bit site even caught it http://www.theflippedbit.io/2016/03/23/developer-outraged-asked-remove-whatsapp-package-npm/
datashovel, about 9 years ago

The open source community needs to aggregate a list of lawyers who will consult on these sorts of things (related to the community at large) pro bono. This way all parties on the open source side can feel a little less pushed around and bullied and a little more protected.

The best part would be to learn that the claim was not valid in the first place. At the very least, having representation would provide for some wiggle room where you can have days if not weeks to resolve the issue, instead of feeling you have to take immediate action.
hellbanner, about 9 years ago

Can we talk about how patents own namespaces? If I have a little "kik" soccer tournament that no one knows about, then it's fine. As soon as the namespace collides with the HUGE, vastly connected internet, it's a "problem".

We're going to run out of proper nouns, folks.
tlrobinson, about 9 years ago

Also: https://twitter.com/seldo/status/712414400808755200
diffraction, about 9 years ago

Kik has lawyers all over the world... because it is the platform of choice for pedophiles and sexual predators. There are many billable hours spent responding to DOJ/states attorney subpoenas. (http://www.trentonian.com/general-news/20140728/pedophile-on-kik-app-its-well-known-in-our-industry) (http://woodtv.com/2015/02/02/sexual-predator-warns-parents-about-kik-app/)
fold_left, about 9 years ago

I've been warning of the potential for issues like this for quite a while and would be really grateful for people's feedback on this approach to try and insulate your projects from them: https://github.com/JamieMason/shrinkpack.

It's not completely there yet, but I think there's something worth exploring further in this idea.
zachrose, about 9 years ago

So what keeps Kik from going after Github?

https://github.com/starters/kik
sjclemmy, about 9 years ago

I am a heavily invested user of JavaScript and the surrounding ecosystem and the security aspects of the npm package system have been in the back of my mind for a while. As I don't consider myself an 'expert' in all things npm and package management I've deferred to the general consensus, which didn't seem to mind too much about the security problems npm exhibits (this reminds me of the sub-prime crisis).

I think an event like this is a really positive thing, as it promotes discussion about something that is exceedingly important. All it takes to exploit this vulnerability is a bit of time and effort; it looks really easy to inject malicious code into any number of 'de-published' packages. I hope that some kind of namespacing and/or locking of npm packages results from this and that the JavaScript ecosystem continues to mature and develop in the right direction. Npm inc have an opportunity here to do the right thing. If they don't then there's going to be a mutiny and a 'better' alternative will supersede npm. Bower anyone? ;)
sbuttgereit, about 9 years ago

I've been reading in the comments regarding 1) the practical effect of breaking builds and 2) the security issues of how package names can be reused on npm once they are unpublished (versioning aside for a moment).

I wonder what other, similar packaging distribution platforms are vulnerable to this sort of thing? I am not speaking from knowledge of any of the procedures of any of those I'm about to mention, but I have and do depend on some of them. Thinking about this issue and some of those other tools that pull long strings of dependent packages does give me pause. Especially the replacement of some dependency with less than friendly code... breakage can be managed, but silent invaders...

Do Perl & CPAN, Rust & crates.io, or Ruby & RubyGems.org suffer these same issues and it just hasn't been a problem yet? Do they have means of avoiding this? Again, I haven't studied the question... but I think I may :-)
cdubzzz, about 9 years ago

Does this series of tweets [0] seem rather odd to anyone? He seems to be calling people soulless and pondering his own "Power and Responsibility".

[0] https://twitter.com/izs/status/712510512974716931
wtbob, about 9 years ago

The problem here is that there is a single petname space (pet namespace? pet name space?) administered by one organisation but used by everyone.

With a different system, the author could have a key $foo, and call his package ($foo kik), and that wouldn't interfere with (us-trademark-office kik).
taumeson, about 9 years ago

Wow, this is an amazing outcome here.

Why is "unpublishing" something that can happen in npm? What's the point? I can see the downside, what's the upside?
octref, about 9 years ago

Why don't people just use lodash?

https://lodash.com/docs#padStart

It's well-tested, well-maintained, performant, with good documentation and has custom builds to leave out functions you don't need.
forrestthewoods, about 9 years ago

Why yes, depending on a third-party, external package manager is a huge risk. I have always believed that open source projects should be fully inclusive of any and all dependencies. This event has not changed that opinion.
cammsaul, about 9 years ago

There's a PR open to remove "unpublish" from NPM here:

https://github.com/npm/npm/pull/12017
评论 #11342521 未加载
jahewson, about 9 years ago
This is a really bad decision on npm's part. Kik's lawyer has pulled a fast one on them. Kik has no right to enforce the Kik trademark beyond the limited set of goods and services listed in the trademark application [1]. Kik is a registered word mark for mobile messaging software *only*. That's why the trademark database contains many entries for just the word Kik; other companies own the use of that word for other goods and services.

I'm really surprised that npm didn't push back against this. It's not like npm isn't full of trademarks:

https://www.npmjs.com/package/pepsi
https://www.npmjs.com/package/coke
https://www.npmjs.com/package/kfc
https://www.npmjs.com/package/virgin
https://www.npmjs.com/package/sprint
https://www.npmjs.com/package/nba
https://www.npmjs.com/package/nfl
https://www.npmjs.com/package/google
https://www.npmjs.com/package/yahoo
https://www.npmjs.com/package/skype
https://www.npmjs.com/package/word
https://www.npmjs.com/package/excel
https://www.npmjs.com/package/unix
https://www.npmjs.com/package/windows
https://www.npmjs.com/package/osx

[1] http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4804:liro6q.4.1
erikb, about 9 years ago
I don't see the issue here. If the name is taken the lawful way (and Kik is a clothes store chain as well as a chat app, so it's even taken twice) why fight it or be angry about it? Just take another name.

That said, the decisions by NPM are also hard to follow. Why allow someone else to take over ownership of a package? Why allow anyone to take down published versions of an open source package? If you publish open source stuff on my site I have all the right to keep that stuff in that version and share it with others. That's pretty much what FOSS is about, right?
dc2, about 9 years ago
> This is not a knee-jerk action.

The only thing knee-jerk and honestly irresponsible is not warning anyone first, especially knowing how much his modules were depended upon.

Otherwise, there's nothing wrong with this.
rzimmerman, about 9 years ago
npm really shouldn't let authors unpublish. It should definitely be impossible to overwrite a published package version (it is, but only for the past year or so).

When you install express, you install 40 dependencies. Each of these has separate maintainer(s) and coordination is optional. If we're going to allow this dependency mess to grow organically, npm needs to be strict about what gets published and we need to be really careful about depending on anything but a strongly pinned version.
TimJRobinson, about 9 years ago
Quick script to test if your project is using any of the modules he unpublished:

    # the gist lists one unpublished module name per line; each name is searched
    # as a quoted JSON key so that "map" does not also match "sitemap"
    for module in $(curl -s https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt); do
        grep "\"$module\"" package.json
    done

If any names appear you should replace them or force that specific version always (remove ~ or ^ before it). If nothing appears you're probably good.
repn001, about 9 years ago
Not a Package Manager (NPM)
pluma, about 9 years ago
By complying with kik's request, npm has set a precedent for library authors that basically means: in doubt, you will lose your package name, even if you dispute the trademark.

This means npm apparently wants everyone to handle trademark disputes like Jade did: https://github.com/pugjs/pug/issues/2184
ilaksh, about 9 years ago
This type of thing is one of the reasons I suggested before that a module registry could and should be a distributed peer-to-peer system.
albertfdp, about 9 years ago
In order to check if I was affected by any potentially malicious hacker that gets ownership of one of the existing liberated modules and adds malicious code to them, I have created a small script to check that:

https://github.com/albertfdp/did-azer-break-my-stuff
Trisell, about 9 years ago
I think this blossoming episode leads me to believe that if you are running a production app, then you need to be hosting your own internal npm, and updating that from the global npm. That way when something like this happens you are able to continue on, and not have many issues, like the builds breaking that are being reported on github.
zakame, about 9 years ago
Sounds like something that would not likely happen on other repos like the CPAN/CRAN/CTAN.

Perhaps the JS community at large would be better off with a similar system? I remember sometime long ago that there was a JSAN effort: http://www.openjsan.org/
miiiichael, about 9 years ago
I'm adding this bash script to the conversation. https://gist.github.com/mbranch/f77e62d91f46972dcc32

It reports on the inclusion of unpublished modules in all package.json files found in deeper directories.
alongtheflow, about 9 years ago
Aftermath of the situation from left-pad. Some say that it started to break major projects like react-native.

https://github.com/azer/left-pad/issues/4#issuecomment-200062925
mstade, about 9 years ago
The ability to "unpublish" a package is fundamentally strange, because it enables situations like this.

It's also strange that people put so much trust and faith into a private company to host and distribute packages – largely for free – and then rail against them when they do stuff like this with infrastructure *they* own. NPM is not some free and open space, it's a private company with private interests. You should expect them to do whatever they need to protect those interests – which may or may not coincide with public interest.

I hope this resolves in more people getting involved with projects like IPFS and Nix, that may ultimately provide some recourse to the issues of centralized package management.
stblack, about 9 years ago
I read the whole damn thread and nobody, nobody links to the assholes that deserve to be kik-ed.
cdnsteve, about 9 years ago
More details of the story: http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
cat-dev-null, about 9 years ago
NPM is a for-profit, so they're a SPoF from lawyers and governments seeking to control others.

The other issue is a lack of distributed package/artifact replication, which makes it possible to take down an entire ecosystem by unplugging a few servers.
grapehut, about 9 years ago
My biggest issue with npm is the lack of verifiable builds. Even if I read it on github, I have absolutely no idea if that's exactly what the person uploaded to npm. I very well could have malicious code and not know it.
tytho, about 9 years ago
Perhaps someone has already suggested this, but what if npm had some sort of "unpublish block" if any modules depended on yours? Or maybe some sort of notification to the dependent package owners. This doesn't solve the issue of unpublishing dependent free packages, nor does it solve someone taking over and putting in malicious code, but it would encourage more responsible behavior when removing a highly depended upon package.
flurdy, about 9 years ago
Can NPM not add to their TOS and features a "notice period"? With a grace period for errors, e.g. if published and older than one week, to remove a package you have to give notice first, e.g. 2 months. With a suspension before actual removal?

With some avenues for expedited removal/suspension, i.e. security and legal, which would have removed kik quicker but not leftpad.

Whether people would be aware of the notices or ignore them is another issue.
gedrap, about 9 years ago
Thanks to this, I hope people will consider the way too common deployment approach where, during build time, you pull stuff from npm (or whatever external package manager/repository), and if it fails, the build fails.

This is fine for small projects. There are tons of applications where availability is less important than development speed.

However, not being aware of the risks and tradeoffs you're making is just plain simple insanity.
kofejnik, about 9 years ago
this is why your dependencies should be checked into git
justaaron, about 9 years ago
oh geez.... welcome to trademark law

Google.

(why is this getting frontpage HN coverage?)

a trademark is a globally enforceable right (madrid agreement) and one has an obligation to protect one's mark from "dilution" from others in the same category:

i.e. if you are selling "apple" garden shovels, you needn't worry about crossing into "apple" computer land, but I guarantee you that they already registered that mark for "home electronics" etc.

Most countries require formal registration of the trademark (they are searchable in online databases) and most will go on a "first filing" basis. but several, including the USA, go by a "first usage" basis and require you to prove your use of the mark in public...

it's a long shot, but you can always look up whether that company has, in fact, registered that mark, and in which country/territory they are claiming usage rights.

(for example, they can't be a local computer shop named "apple computers" that only sold to locals since 1854, that suddenly sells computers on the global market, as there is already a global entity with that name registered)
staticelf, about 9 years ago
We gotta support: http://puu.sh/nQOLH/d225ff95d3.png

:D
superninja, about 9 years ago
"This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because, Power To The People."

This is true of all package distribution systems. There's always a small elite of admins who regard the system as their territory (and usually have no respect for the authors).

People contributing should be well aware of this.
ecthiender, about 9 years ago
Well done OP! I stand in solidarity with OP. I think this is a good way of showing our resistance to corporate power - by boycotting them.
wangderland, about 9 years ago
If your project uses the packages in the list, and got broken due to this, here comes a solution: https://medium.com/@viktorw/how-to-fix-npm-issues-in-your-projects-after-azer-ko%C3%A7ulu-liberated-his-modules-7368951c2509#.5wiknjg39
kelvin0, about 9 years ago
The only Kik I knew was the Cola: https://p2.liveauctioneers.com/1164/26545/9944497_1_l.jpg

So this lawyer, he's from what company? Cause there seem to be quite a lot of Kiks around these days (Kik Messenger?)
joepie91_, about 9 years ago
For everybody discussing decentralization of NPM in the comment threads down below, *please read the following thread*: https://github.com/nodejs/NG/issues/29

Much of the thinking work has already been done.
dclowd9901, about 9 years ago
While I don't disagree with OP's angst, fuck them for choosing pride over working products. It's irresponsible and shows a complete lack of maturity. I'll make sure never to consume their modules in the future. God forbid they have a bad day and decide to insert malicious code into their modules.
spriggan3, about 9 years ago
It's high time people publishing packages on NPM audited their dependencies. I bet 80% of them are unnecessary.
antouank, about 9 years ago
> npm took the name away because they reasoned that more people would think that `kik` the pkg would refer to kik the app. full stop.

https://twitter.com/ag_dubs/status/712669386511949824
yeukhon, about 9 years ago
If I call my module pizza, are they going to send me an email about naming it pizza? Let's think about that. If a company owns kik as a trademark, I'd offer some money to buy it off before trying to act like a tough guy. At least be soft first if your goal is to get rid of the kik module out there.
Confusion, about 9 years ago
Meta: please don't upvote for agreement if facts are asserted that you cannot corroborate. And please carefully consider whether you only *believe* or actually *know* something is true. A lot of patent falsehoods are being asserted and upvoted in this thread.
hartator, about 9 years ago
Atom.io is not impacted; I think it's a good thing that apm is running on its own network.
Coxa, about 9 years ago
Check your project for these liberated modules using (yay) this module: https://www.npmjs.com/package/affected
Wintamute, about 9 years ago
I'm confused, weren't scoped packages added to avoid all of this sort of thing? Kik should just have used "@kik/kik", and the original package author should have been left alone.
jordanlev, about 9 years ago
How does serving his modules from a different corporate-controlled repository (github now instead of npm) serve his purpose of "liberating" the code from potential corporate meddling?
trumbitta2, about 9 years ago
Trying to help with damage control: https://news.ycombinator.com/item?id=11346633
guhcampos, about 9 years ago
"This is not a knee-jerk action"

Yes, it is. The fact you did not know about a company branded "Kik" does not make you exempt from the law. A law which, surprisingly enough, is being used in a reasonable situation here. Your package and their segment are closely enough related in context that people could assume they are actually related, giving you the power to essentially break their business if you do bad stuff.

In this case it's not really trolling coming from them. You don't just brand your new beer brew "Coca-Cola" - there's no reasonable argument to do that besides being a troll.

P.S.: holy crap npm is so broken I'm glad I'm on the backend side of life.
tobltobs, about 9 years ago
What would Stallman say?
howareroark, about 9 years ago
If I can buy a domain from ICANN for 10 bucks and then sell it to a company for a million... Why can't this guy reserve the right to sell this to that company for a million?
galistoca, about 9 years ago
Reading the article I thought it was some massive popular framework. But when I visited the library's github page, it seems to have only 8 favorites. Am I missing something?
gambiting, about 9 years ago
I have read the post and I still have no idea what NPM is.
stevebmark, about 9 years ago
This seems like a fairly childish response. I'm not pro-copyright, especially in software, but "someone took my made up name" seems like a dumb reason to unpublish the rest of your work.

> *"NPM is someone’s private land"*

No shit npm is a privately owned company? That hasn't changed before nor after you took these actions.

> *"Power To The People"*

This is what I don't get. All of the modules that were unpublished seem unpopular / not used, so I don't know what impact this will have, but how does screwing over users of open source software equate to power to the people?
tehwalrus, about 9 years ago
Sounds like NPM should move to pulling in the code from specific github tags or something? Although I suppose github is also "private land"...
EGreg, about 9 years ago
I'd like to liberate *your* modules

The new pickup line
Chyzwar, about 9 years ago
We should just troll them and create packages with kik in the name like:

kik-looser iKik only-kik true-kik true-kik2 real-kik
devishard, about 9 years ago
Yet another example of the JavaScript ecosystem being pretty much garbage.

To be clear, I'm not attacking the author here. He released left-pad at version 0.0.3; no responsible developer should be using that in production code.
chvid, about 9 years ago
I really just hope that this guy just didn't know what he was doing and what effect it would have.

Otherwise it is totally irresponsible to mess up a big project like babel just because you control a few lines of trivial code.
studentrunnr, about 9 years ago
npm will improve after this and that is a net good thing which comes from this.
jlg23, about 9 years ago
Seriously? "When I started coding Kik, didn’t know there is a company with same name. And I didn’t want to let a company force me to change the name of it. After I refused them, they reached NPM’s support emphasizing their lawyer power in every single e-mail CC’ing me. I was hoping that NPM would protect me, because I always believed that NPM is a nice organization."

a) Ignorance is no excuse.

b) Expecting others to fight for one is lame. Either have the balls and fight or STFU.

"Summary; NPM is no longer a place that I’ll share my open source work at, so, I’ve just unpublished all my modules. This is not a knee-jerk action."

Wrong, that is the prototype of a knee-jerk action.

Last but not least, whining about it in public in the hope "something will happen" is pathetic.

What I'd suggest (though now it is too late): Rename the module to comply with legal claims, put up a new module under the old name that throws errors when called that describe the reason, so developers see it and put shame on the threatening company/lawyers.
turtlekiosk, about 9 years ago
can i kik it?

RIP Phife Dawg
st3v3r, about 9 years ago
Wow, first they steal a package from the original author, then they do this. Why will anyone want to publish to NPM after this again?
Top5a, about 9 years ago
All legality, copyright law, etc. aside, how did this even create a problem?

Even on small projects, basic build engineering dictates that you are cognizant of which package versions you are building against. Furthermore, all packages should be locally cache-isolated on your build server (or local box if you do not have a build server). Building against the most "up-to-date" versions of remote dependencies puts you completely at risk for situations such as this, let alone at the mercy of malicious updates to such remote dependencies.

What sane (pun intended) person would ever build against the most recent version of all packages (including small ones such as this) from a remote build server? Also, for larger (i.e. more than several employees) type operations, how could QA possibly function when building from "most recent version of all packages"?

All these entities that are suffering because of this should immediately fire all their build engineers, because they are not only a reliability concern, but, more critically, a vulnerability concern.
st3v3r, about 9 years ago
Hopefully NPM will think of this in the future, next time they try something like this.
bbcbasic, about 9 years ago
> This is not a knee-jerk action

Seems like it. Why break everyone's builds? You could just keep the modules there and then declare you will only keep them updated elsewhere?
zongitsrinzler, about 9 years ago
Extremely dick move on behalf of the developer. Why would you remove modules that other people are using in production?

Did you think a small team like NPM would go head to head with a company having full-time lawyers? And for what?