How 17 Lines of Code Took Down Silicon Valley’s Hottest Startups

Ken Mazaika
3 min read · Mar 23, 2016


Yesterday at 2:35 PST, one developer ran a single unpublish command against npm, and builds at some of the hottest startups in the country broke.

Rewinding a little: a few weeks ago a developer named Azer Koçulu got an email from a patent lawyer asking him to remove one of his open source projects from npm, the package registry for open source JavaScript code that most JavaScript developers rely on.

Azer wasn’t interested in taking the project down and told the lawyer he wouldn’t comply.

Ultimately, the lawyer won: npm transferred ownership of the package to the lawyer's client, Kik Interactive. The transfer of that one project was not a huge incident in itself, but in response Azer removed all of his work from npm. He described the experience on his Medium profile.

That work included one package called left-pad, which consisted of a single file of exactly 17 lines of code that pads a string out to a given length with a fill character.

Silicon Valley startups are a hotbed of state-of-the-art JavaScript tooling. Companies like Airbnb, Netflix, Product Hunt, Facebook and many more use React, and most of them also use two other tools: webpack and Babel.

It turns out that Babel depended on left-pad, this silly 17-line package, through a chain of intermediate packages, so Babel could not be installed unless left-pad was on npm. Immediately, tens (if not hundreds) of thousands of developers were unable to run `npm install` for their applications on any machine: the package manager walked the dependency tree, asked the registry for left-pad, and got a 404.

Laurie Voss, co-founder of npm, took to Twitter to explain what was going on.

A ton of developers weren't happy about what had just transpired. They looked to the open source community and accused npm of being run irresponsibly.

But the fact is, only 42 minutes after the initial report a GitHub user posted a viable workaround for the problem.

And only a minute after that, the Babel contributors announced an emergency hotfix release of Babel that allowed projects to build again.

Shortly after, a new user came to the rescue and published left-pad back to npm, which fixed the problem. Laurie Voss updated everyone on the situation.

Developers also took to Twitter under the hashtag #NPMGate to discuss the debacle.

Despite the craziness, this is a story of open source developers banding together in a remarkably short time to repair the state of the ecosystem.

But after that unfolded, a “known friendly” appears to have uncovered a potential security exploit that, according to sources, uses the unpublish feature to “hijack modules”: once a package is unpublished, its name is free again, and anyone can publish a package under that name which every project still depending on it will pull in on its next install.

This issue raises major concerns about modern JavaScript tooling, where a build can depend on thousands of transitive packages that the registry can remove or replace, and it will likely have major implications in the coming weeks and months.

Update: Mike Roberts of Kik Interactive posted his exchange with Azer, and it paints Azer as less of a victim than Azer's own post suggests. Read it on Medium.

Update: Azer's modules were not hijacked; rather, they were transferred to a different user.




Ken Mazaika

Entrepreneur, Product Manager & Founder. He co-founded the Firehose Project, an experiential education program, which was acquired in September of 2018.