Thoughts on the npm fiasco

If you haven’t already heard, there was big news in the world of JavaScript this week: someone unpublished a small npm package and broke the internet.

Although that statement is clearly a gross over-simplification (and exaggeration), the event has raised some very serious questions about how “modern” web applications are being architected. Before I dive into my thoughts on the subject, let’s revisit three important posts:

  1. Azer Koçulu’s post explaining why he un-published 273 npm packages
  2. Kik responds with their side of the story
  3. npm responds with their side of the story


TL;DR — Kik (the company) wanted the existing module name “kik” (which Azer owned) and npm unilaterally decided who won the dispute (spoiler: it was Kik). In protest, Azer removed all 270+ of his modules from npm — breaking literally thousands of npm dependency chains in an instant.

Here are some quick thoughts and opinions about what happened.

npm: Probably the right decision, but for the completely wrong reasons

This may be an unpopular opinion, but I think Kik has every right to defend/enforce their trademarks — not because I particularly agree with Kik, but because I believe that trademarks exist for a reason. I’m certainly not a lawyer, and honestly I know very little about trademark law. But based on what I have read, it seems to me that Kik would likely have won this decision in a court of law. Therefore npm probably made the correct decision to grant ownership of the module — but they did so without the proper legal justification.


What I find most interesting is that the npm dispute document (linked from their post, listed above) does not say the word “trademark” in it anywhere. “Copyright” is as close as it gets, but as I understand US law copyrights and trademarks are very different things. Twitter has a similar document for managing disputes, in which they are very explicit about resolving trademark disputes:

When we determine that an account appears to be confusing users, but is not purposefully passing itself off as the trademarked good or service, we give the account holder an opportunity to clear up any potential confusion. We may also release a username for the trademark holder’s active use.

From the three posts I linked at the beginning, this explanation appears to be exactly what happened. npm agreed that the name of the “kik” module could be confusing to any of the (allegedly) millions of Kik users who might search npm for a JavaScript module pertaining to Kik (the company). No one said Azer was purposely trying to infringe on a trademark, and it seems clear that his “kik” module had nothing to do with Kik the company — but those facts are irrelevant. Also consider that Azer’s first commit to the “kik” GitHub repo is marked October 31, 2015 while Kik the company was founded in 2009.

For me, a member of John Q. Public, this seems pretty open-and-shut.

However, I am a bit disturbed that npm would do anything when a company is threatening legal action against one of their users. I haven’t read all of the npm terms of service, but they completely threw Azer under the bus. From that perspective, I don’t blame him for abandoning npm completely.

My opinion here is that npm should have told Kik to move ahead with their legal process. npm would have to comply with a court order stating that Kik’s trademark was being violated by Azer — but I don’t believe that (in this case) npm had the legal expertise to make that decision on their own.

If I Were Azer, What Would I Have Done?

I don’t know Azer personally, nor have I even really known about him before this week. This whole situation makes me wonder if any of his packages are (were?) dependencies of mine, though I haven’t noticed anything broken yet. I do have an npm package of my own, and I’ve been involved in OSS for a long time — but it sounds like Azer can boast about much more in that arena than I ever can.

Having said that, my gut reaction is that his decision to unpublish 270+ modules was rash at best and malicious at worst. Azer’s post (linked above) clearly states that his decision was “not knee-jerk action”… I guess I just don’t believe that, but I’m not here to pile judgement onto someone I have never met.

What would I have done if I were in his shoes? Honestly I’m not 100% sure because it’s clear to me based on the things I’ve read that emotions were very high. If I were to hold true to my core values, I would like to think I would have acted differently. Let’s explore that rationale.

Accountability

The world needs great OSS maintainers like Azer, and his time is to be valued — but Azer knew damn well what yanking 270+ modules off npm would do. He knew a LOT of other people’s code would break. He may have felt like he was sticking it to npm, but mostly he wasted a LOT of other people’s time.

I take my career and my reputation very seriously — which is why “accountability” is one of my core values. If I say I’m going to do something, I do it. If I break something, I fix it.

I don’t know exactly how I would respond to npm‘s decision if I were in Azer’s shoes, but I know that I would not have removed all my code from npm. It immediately feels like the wrong decision.


Respect

From the email chain I read in Kik’s response (link above), I absolutely agree that Kik was threatening Azer with legal action. The “casual” language from Kik in those messages is appalling given the clear legal implications they insinuate.

Azer’s response in those messages (assuming Kik’s blog post is factual) is equally appalling. If there is one thing I’ve learned in business it’s that being confrontational gets you absolutely nowhere. Calling someone a “dick” and telling them “fuck you” accomplishes nothing — it only strengthens your opponent’s resolve.

What would I have done if I were in his shoes? I would have chosen my words far more carefully, and probably called Kik’s bluff to pursue legal action.

Empathy

I have heard some of Azer’s defenders applaud him for sticking to his values — again, I don’t know him so I don’t know how much that’s true.

In any case I feel horrible for Azer. Not only did some company demand ownership of something he has worked hard on (i.e. the name/brand of the work, not necessarily the work itself), but his name is being tossed around on the internet on blogs like mine as we all dissect the events. I certainly want more people in the industry to know about me; but I’d rather an event like this not be the reason why.

High Expectations

I have high expectations for myself — but I also hold the rest of the world to high expectations. Frequently I am disappointed, as I am with the actions of npm in this case.

What would I have done if I were in his shoes? I’d like to think that I would stand up and formally raise this issue with npm and with the JavaScript community at large. There is clearly a problem here; unpublishing all of my code would not help me prevent this problem for anyone in the future.

NOTE: I don’t believe Azer had the foresight to know just how big a stink would be raised if he unpublished his code. If I’m wrong about that, and Azer knew this would blow up to the epic proportion it has — then it was a brilliant protest that might well accomplish that end. But based on his post (linked above), I don’t believe that to be true.

Having Fun

There’s nothing fun about this situation.

What would I have done if I were in his shoes? I might have simply agreed to change the name of the project, because getting pissed off about legal threats over a JavaScript module’s name is a waste of my time.

I certainly would have explored how Kik would “compensate” me for my troubles.

—–

Humans are imperfect, and many situations are complicated. This situation sucks. Everyone involved made poor decisions, and I hope that the JavaScript community honestly reflects on what happened.

npm is a House of Cards

The Register summed the news up perfectly: one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript.


Today’s JavaScript applications, built using any package manager (npm, bower, etc) are a house of cards waiting to fall. Rich Harris wrote a nice piece on Medium summing up many of my feelings:

  • When you install a dependency from npm, you also install a clusterfuck of its dependencies and its dependencies’ dependencies (and it’s turtles all the way down). Far too few people seem to care about those implications.
  • Installing npm dependencies means you’re downloading a ton of code you don’t actually need — things like tests, documentation, binaries AND minified source AND non-minified source, etc
  • Installing all of that shit makes downloading things take longer and wastes disk space
  • There really isn’t any existing mechanism to compile and deploy applications built on top of a stack of npm dependencies. When you deploy a NodeJS application these days, most people blindly deploy all of the raw content contained in their npm dependencies. Ugh.
  • Package scripts in npm modules could easily be malicious, and developers running npm install are extremely vulnerable
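An added example (not the post’s own code, nor npm’s) of what the first and last bullets look like in practice: it walks a constructed, made-up set of npm manifests to list every transitive dependency, shows how an unpublished package surfaces as an unresolvable name from the consumer’s side, and flags any manifest that declares an install-time lifecycle script.

```javascript
// Hooks npm runs on the developer's machine during `npm install`.
// npm honours `ignore-scripts=true` in .npmrc to refuse running them.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed stand-in for what `npm install` would resolve: name -> manifest.
// Every package name and script here is made up for illustration.
const MANIFESTS = {
  "my-app":          { dependencies: { "web-framework": "1.0.0", "tiny-pad": "0.0.3" } },
  "web-framework":   { dependencies: { "template-engine": "2.1.0", "tiny-pad": "0.0.3" } },
  "template-engine": { dependencies: { "tiny-pad": "0.0.3" },
                       scripts: { postinstall: "node ./scripts/fetch-binary.js" } },
  "tiny-pad":        { dependencies: {} },
};

// Depth-first walk of the dependency graph: returns every package the root
// pulls in, directly or transitively, each listed once. Cycles are tolerated.
function transitiveDeps(manifests, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const manifest = manifests[stack.pop()];
    if (!manifest) continue; // unresolvable name: nothing further to walk
    for (const dep of Object.keys(manifest.dependencies || {})) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  return [...seen].sort();
}

// Names referenced in the tree that no manifest resolves: this is what an
// unpublished package looks like to everyone downstream of it.
function missingDeps(manifests, root) {
  return transitiveDeps(manifests, root).filter((dep) => !(dep in manifests));
}

// Packages whose manifest declares an install-time lifecycle script, i.e.
// arbitrary code that executes as soon as someone installs the tree.
function installScripts(manifests) {
  const hits = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    for (const hook of LIFECYCLE_HOOKS) {
      if (manifest.scripts && manifest.scripts[hook]) {
        hits.push({ name, hook, command: manifest.scripts[hook] });
      }
    }
  }
  return hits;
}

console.log("transitive deps:", transitiveDeps(MANIFESTS, "my-app"));
console.log("install-time scripts:", installScripts(MANIFESTS));
```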

The article is a fantastic read, but it also ignores other major problems with npm specifically:

  • Package namespaces don’t exist; this entire problem with Azer and Kik would have been solved if it did.
  • The ability to un-publish packages in its current form clearly shouldn’t exist.

npm raised $2.6M a little more than two years ago. The situation this week makes you wonder what they’ve been doing for the past two years if something like this was able to happen… because if npm (and by proxy, JavaScript as we currently know it) is going to succeed then our critical core infrastructure needs to work 100% of the time.

Final Thoughts

My thoughts go out to Azer Koçulu — he is clearly the victim of bullying from Kik and a horrible resolution process at npm. By all accounts he seems to be a dedicated professional, a great developer who is deeply committed to open-source values — and I can’t imagine he, or anyone, deserves to have the limelight thrust upon them for something as stupid as the name of a JavaScript module. I disagree with some of his actions, but then again I’m sitting in my ivory tower; I cannot blame him for feeling the way he does.

Kik has the right to defend their trademarks, but I’d say that “Bob” (their patent agent) needs to work on his bedside manner. I don’t know how he expected this situation to unfold given the language in his emails; tech companies already have poor reputations (diversity, pay-equality, gentrification, etc) and it’s completely unacceptable for anyone representing a tech company to treat people like this. If Bob (and by proxy, Kik) “doesn’t want to be a dick” then don’t be a dick — nobody likes receiving legal documents, but there’s a reason why they’re formal.

npm gets nearly all of the blame here, in my opinion. I don’t buy their rationale for making their decision, and their blog post explaining their rationale was devoid of any empathy for Azer. I am disappointed and frustrated that the company at the epicenter of web development in 2016 would react the way they did — but more importantly I’m bewildered that this situation could even happen in the first place. Infrastructure is supposed to “just work”, and the details in this case make it clear that npm is not holding true to their vision of software development.

About

With nearly 20 years of software engineering and operations experience, Arthur Kay offers an extraordinary set of leadership skills and technical expertise to develop meaningful products and high-performing teams. He has worked with Fortune 500 companies, VC-funded startups and companies across a wide variety of industries to build cutting-edge software solutions.

Arthur is a successful entrepreneur, technology professional, and mentor. He is a full-time family man, part-time consultant and spare-time musician. He graduated from Loyola University Chicago and currently lives in greater Chicago-land.

1 comment for “Thoughts on the npm fiasco”

  1. Tim McKinley
    March 27, 2016 at 2:56 am

    We are not a NodeJS shop so I find it funny that just a few weeks ago my co-workers and I were discussing if someone could unpublish their code from npm. I guess now we know. I wonder if all languages that use a package manager could potentially run into this same problem (Ruby/Gems, Python/PyPi). At least with Github if I fork a project, it doesn’t get deleted if the parent project is deleted. (At least I hope not!)
