The NPM / kik debacle leaves the future of open source package management in question.

There’s a really interesting thing happening in the Node community right now. Long story short, Azer Koçulu had some 250 packages on NPM. He had a dispute with a corporation (kik) who wanted his package name (full details here in official response from kik). The dialogue included:

“our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them.”

Azer refused, and NPM ultimately sided with the corporation. They claimed it was to prevent ambiguity, but everyone knows that they simply weren’t up for a potential legal fight with kik and caved.

So…Azer unpublished 250 packages, including one simple string module (left-pad). The removal resulted in thousands of other packages breaking — including the builds for projects like Babel and React — major JavaScript projects.

Within 10 minutes, another developer then pushed a package with the same name, but the versioning wasn’t the same, so problems remained.

NPM then un-unpublished the original developer’s package.

All of this has sparked off a lot of rage and concern from the open source community, for a few reasons:

1) NPM, as it turns out, is a centrally managed service that can make arbitrary decisions like removing packages because a corporation threatens them. It is not, as many developers have believed, an egalitarian bastion of shared productivity.

2) NPM has suggested that it may lock critical packages in the future, so they cannot be unpublished.

3) (valid) Security concerns have been voiced over the fact that a package can be unpublished and then published by someone else with the same name — opening the door to some really serious potential hacks — like getting direct access to execute code on someone’s file system, or code injection attacks in web apps.


The question is, what does the “perfect” package management system really look like? Is it decentralized, based on a new protocol?

Is it source agnostic?

Or is it what we already have with NPM, and we must just accept the authority and power that centralized services have in exchange for the convenience of offloading responsibility?

In your mind what is the perfect package management system? Has it been built already? What are the most important problems to address? Should we abandon centralized services? I’m curious what your answers are.

Show your support

Clapping shows how much you appreciated Calvin Froedge’s story.