Lesson from NPM fiasco

If you’ve been active in any developer community recently, you must have heard of the NPM fiasco. If not, read here: http://www.businessinsider.com/npm-left-pad-controversy-explained-2016-3.

After this happened, everybody came out with their official response and defense: first the author Azer, then Kik, and finally Node.

There are many sides to choose from here, but one thing is clear: everybody was somewhat wrong. In my view, the biggest jerk in this situation was NPM, closely followed by Kik, with Azer far behind. Here’s why:

  • Azer’s first response was unprofessional; he could have replied better.
  • Kik, although they requested politely at first and offered remuneration next, immediately backed off from their offer and strong-armed Azer.
  • When Azer didn’t budge, they tried to strong-arm NPM, and things got ugly.
  • In addition to strong-arming NPM, Kik threatened Azer with a lawsuit.
  • NPM decided to do nothing for its contributors and sided with Kik. Appeasing a big company seemed an easier decision than facing lawyers while supporting their contributors.
  • When forced by NPM to hand over the ownership for no logical reason (Kik also said they were never going to use “kik” in any package name), Azer took harsh measures and pulled all his repositories.
  • Then, while NPM and Kik were arrogantly happy about their success, the developer community soon realized that their code had started to break because of one particular unpublished package: left-pad.

From this point the situation got worse, and borderline illegal:

  • NPM gave the ownership to another developer. No license (MIT, ISC, (L)GPL 1/2/3, etc.) gives you any permission to do that. The right to ownership of the original package always stays with the author, although anyone can fork as much as they want.
  • NPM basically stole from its developers.
  • NPM, when it saw that the forked version of left-pad was not enough, decided to unpublish the original source. Those fighting for the Right to be Forgotten should definitely think about the breach of trust here.
  • NPM announced that they’ll make unpublishing even harder. I tried this with my one (and forever only) project over there, and now I cannot unpublish my code at all.
  • NPM basically takes ownership of your code as soon as you publish it. In the open source world, this is probably the worst way to insult a developer.

But the past aside, there are a lot of things for a developer to take from this fiasco:

  • Depending on an obvious, short repository is never beneficial. left-pad was just 11 lines of code doing a very simple task. It is much better to keep your own library of such utilities if you don’t want to repeat yourself again and again.
  • But not all repositories are as short or obvious as this. For those, create your own registry of repositories, so that you always have a forked version of your dependencies with you. In any team, everybody needs to be on the same version anyway for best compatibility.
  • NPM has shown that they can steal your code at will. Be very aware of that. Unless you have an array of lawyers, or are bigger than the other party, you’re going to lose your repository there. Personally, I’d avoid publishing anything there.
  • Rely on something other than NPM. And no, not just because they take ownership of your code without asking you (a polite way of saying stealing). Also because your repository needs package-level separation. Go for a registry which offers namespacing as well as package names.
  • bikas/project is much better than project, which has a chance of clashing with a generic name.
  • Also go for offerings which are not corporate puppets.
  • Periodically refactor your code and remove unnecessary dependencies. It seems obvious, but you wouldn’t believe how many projects have useless dependencies floating around.
  • Make sure whatever alternative you choose comes with proper ownership rights: not the right to own the project outright, but the ability to publish/unpublish your code. And before anybody says that it breaks their code, think about what big companies do as well: Facebook unpublished their APIs and nobody said anything. A single developer should enjoy the same rights; NPM is completely the wrong place for that.
  • I have said it already, but to repeat one last time: Avoid NPM At All Cost.
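Two of the points above, keeping the whole team on one exact version of each dependency and serving every package from a registry you control, can be checked mechanically before a build. The script below is an added example, not code from the original post; the package.json and package-lock.json it reads are constructed inline, and the internal registry URL is a hypothetical placeholder.

```javascript
// Added example (not from the original post): audit package.json and a
// package-lock.json (npm lockfile v2/v3 "packages" layout) for unpinned ranges
// and for packages not resolved from the team's own registry. Manifests below
// are constructed samples; the internal registry URL is a hypothetical placeholder.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Dependencies declared with a range (^, ~, *, latest, ...) rather than an exact pin.
function findUnpinned(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// Lockfile entries whose tarball was resolved from outside the team's registry,
// or that carry no integrity hash, so a silently replaced tarball would go unnoticed.
function findExternal(lock, registry) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.resolved || !entry.resolved.startsWith(registry)) findings.push(name);
    else if (!entry.integrity) findings.push(`${name} (no integrity)`);
  }
  return findings;
}

function audit(pkg, lock, registry) {
  return { unpinned: findUnpinned(pkg), external: findExternal(lock, registry) };
}

// Constructed sample manifests: left-pad floats on a range and comes from the
// public registry; some-lib is pinned and served from the internal mirror.
const samplePkg = { dependencies: { 'left-pad': '^1.0.0', 'some-lib': '2.3.1' } };
const sampleLock = {
  packages: {
    '': { name: 'demo' },
    'node_modules/left-pad': {
      version: '1.1.3',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.1.3.tgz',
    },
    'node_modules/some-lib': {
      version: '2.3.1',
      resolved: 'https://registry.example.internal/some-lib/-/some-lib-2.3.1.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};
console.log(JSON.stringify(audit(samplePkg, sampleLock, 'https://registry.example.internal/'), null, 2));
```

Run it in a pre-install or CI step and fail the build when either list is non-empty; the same walk works on a real lockfile read with `JSON.parse(fs.readFileSync('package-lock.json'))`.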