When Relying On Other Peoples’ Code Goes Wrong

April 2, 2018, by Cory Hanson

Thousands of projects adversely but temporarily affected by the deletion of an NPM package.

Thousands of projects in Node and Babel rely on an NPM dependency called “left-pad”, according to The Register. It was a simple package of about 11 lines of code, and it temporarily broke all of those projects when its author unpublished all of his NPM modules out of spite during a dispute over a claim of brand infringement against one of his module’s names.

This was one of the modules he pulled.

module.exports = leftpad;

// Pads `str` on the left with `ch` until it is at least `len` characters long.
function leftpad (str, len, ch) {
  str = String(str);

  var i = -1;

  // A falsy pad character (undefined, null, '') defaults to a space;
  // the number 0 is kept so that numeric zero-padding works.
  if (!ch && ch !== 0) ch = ' ';

  // Number of pad characters still needed (negative means nothing to do).
  len = len - str.length;

  // Prepend `ch` once per missing character.
  while (++i < len) {
    str = ch + str;
  }

  return str;
}

Eventually an NPM executive took the “unprecedented” step of restoring the module so that the missing package would not continue to break all of those projects that relied on it.

Although this is not something I have seen often, it may be a good reason not to rely heavily on other people’s modules in the way NPM handles its packages. That model allowed thousands of projects to be affected by code so simple that it could easily have been written in-house instead of imported.
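As an added example (not code from the post or from the left-pad package), here is what writing the function in-house instead of importing it can look like: a vendored replacement that keeps the quoted module’s semantics, next to the `String.prototype.padStart` that Node already ships, with a check showing the one edge case where the two disagree. The function names are my own.

```javascript
// Vendored, dependency-free replacement for the pulled module. Keeping it in
// the repository means an unpublished registry package cannot break the build.
// Semantics follow the quoted left-pad: a falsy `ch` other than 0 becomes a
// space, and `ch` is prepended once per missing character.
function localLeftPad(str, len, ch) {
  str = String(str);
  if (!ch && ch !== 0) ch = ' ';
  ch = String(ch); // the original's `ch + str` concat stringifies ch the same way
  const missing = len - str.length;
  return missing > 0 ? ch.repeat(missing) + str : str;
}

// The built-in padStart covers the common case with no package at all, but it
// is not a drop-in: with a multi-character pad it fills to exactly `len`
// characters, whereas the original prepends the whole pad string per gap.
function nativeLeftPad(str, len, ch) {
  if (!ch && ch !== 0) ch = ' ';
  return String(str).padStart(len, String(ch));
}

// Constructed inputs covering zero-padding, a too-short `len`, the default
// space, and a multi-character pad; returns the cases where the two differ.
function divergences() {
  const cases = [
    ['5', 3, '0'],
    ['abc', 2, '*'],
    [7, 4, 0],
    ['x', 3, undefined],
    ['a', 3, 'ab'],
  ];
  return cases.filter(
    ([s, l, c]) => localLeftPad(s, l, c) !== nativeLeftPad(s, l, c)
  );
}
```

Only the multi-character pad case diverges, so a project that swaps the module for `padStart` should confirm it never passes more than one character.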

I think this Reddit discussion is a good example of relying too heavily on other people’s code.

Or perhaps the quote, “Lucky for me, we live in an age where people install NPM packages like they’re popping pain killers,” from the article “I’m harvesting credit card numbers and passwords from your site. Here’s how.”