The “left pad” incident refers to a controversy that arose in 2016 when a developer named Azer Koçulu removed his JavaScript package called “left-pad” from the NPM (Node Package Manager) registry. This caused a ripple effect, breaking numerous projects that relied on this package and highlighting the potential risks of relying on external dependencies. The incident sparked a debate about the stability and trustworthiness of the open-source ecosystem and led to discussions about best practices for managing dependencies in software development.
“It broke the build at Big Tech Company” is mostly a testimony that Big Tech Company was deeply dependent on someone’s work and they weren’t paying for it.
From memory the NPM blokes had to have a think about how they handle important packages because of that. Didn’t they revert the changes to left pad to ensure everything else didn’t break?
Fascinating to see the house of cards some of these solutions / libraries are built off
Yes. They added it back. The policy now is that you can’t remove packages that are depended on (or something to that extent, I don’t know the specifics).
Left pad https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/
Had GPT summarize what happened.
This is the one I came to post about. The fact there’s a library for this is so stupid to me.
I feel like it demonstrates how npm and modules have probably to some degree gotten out of hand.
This famously broke builds at Facebook.
“It broke the build at Big Tech Company” is mostly a testimony that Big Tech Company was deeply dependent on someone’s work and they weren’t paying for it.
From memory the NPM blokes had to have a think about how they handle important packages because of that. Didn’t they revert the changes to left pad to ensure everything else didn’t break?
Fascinating to see the house of cards some of these solutions / libraries are built off
Yes. They added it back. The policy now is that you can’t remove packages that are depended on (or something to that extent, I don’t know the specifics).
Yeah I’m pretty sure Github themselves restored the package if I recall correctly
That’s always the one I’m thinking of when anyone mentions the xkcd.
npm is one crazy infrastructure.