by skrebbel 369 days ago
I have to admit that I don't understand half of this blog post, feels like I'm missing some context, but I do like that the "left pad guy" does a post mortem.

That said, this seems like a weird argument to me:

> but I still don't understand why NPM didn't take the time to find out if any of my modules were widely used and consider ways to handle the unpublishing without breaking anything

Sure, NPM's unpublish mechanism was a misdesign, but is he saying that he expected people at the company to manually go through this every time someone did an unpublish? That doesn't seem too reasonable IMO, NPM the company isn't curating NPM the registry. They host it as a public service.

I can't fault the author all too much here though, if he hadn't triggered "the left-pad incident" then someone else would've not too long after. NPM fixed the problem, by means of a better unpublish policy [0] and that's that.

[0] https://docs.npmjs.com/policies/unpublish#packages-published...


> On March 18, 2016, Isaac Z. Schlueter, the chief executive officer of npm, Inc., wrote to both Kik Interactive and Koçulu, stating that the ownership of the kik package would be manually transferred to Kik Interactive.

> After Koçulu expressed his disappointment with npm, Inc.'s decision and stated that he no longer wished to be part of the platform, Schlueter provided him with a command to delete all 273 modules that he had registered.[9] Koçulu executed the command on March 22, 2016, removing every package he had previously released.

The author simply ran the script that NPM themselves told him to, and later NPM blamed the author for their own failings.

Ok fair! In that case I actually agree with his stance I think. I can understand how isaacs messed this up in what must've been a stressful situation, but it's hard to blame the author for it indeed, if he was just running the commands provided.
I mean if you’re the CEO of a package manager then you should probably have thought that one through a little bit more? Maybe ask one of the engineers what would happen?
Yeah indeed. Though I can appreciate the screwup. I mean, there was a heated thing going on, lawyers on one side and bad community PR on the other and NPM was caught in the middle. Couldn't backtrack on their maybe not so smart choice to give the "kik" package to Kik Messenger, and maybe hadn't thought through the consequences of encouraging the author to just delete all their packages. I disagree that that means they're "kids in suits" like some comments here suggest. It can just as well be an honest mistake made under pressure. People make mistakes sometimes! There's plenty of precedent for mistakes by the NPM team but they also got a whole lot of stuff right!

But I do agree now that the author isn't really to blame.

"CEO of a package manager" sounds like a 15-year-old, and from their behavior was just an old 15-year-old.
The older I get, the more I realise how many adults are just 15 year olds wearing suits to make themselves feel more grown up.
11 lines of code! Wow. I had no idea it was that small.
There used to be the general wisdom of, "Don't re-invent the wheel. Let the hive-mind craft utility functions and use those because they'll be battle-hardened, well tested, and you can focus on your core business".

I think the left-pad incident helped shatter that myth. Here we had huge packages depending on a package which padded a string in an inefficient manner.

It turns out that the many eyeballs of the bazaar had averted their gaze from what was actually happening, which is a system of impossible-to-audit dependency chains.

I think it also shows the impact of using a language with a poor standard library.

Padding is absolutely something that should be available as an extension over String.

If JavaScript were controlled in the same manner as Go, Rust, Java, .NET, Python, etc., then it would have been added years ago.

Apparently it has now finally arrived in ES2026: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

On the flip side, I find that often Python for example can go too far in the other direction with huge kitchen-sink libraries that depend on other huge kitchen-sink libraries. To the point where installing the most popular library for calculating the area of a 2D polygon requires installing a fast Fourier transform library. If you want a single quite simple image processing function, you're all of a sudden installing advanced graph algorithm and signal processing libraries.
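One way to make those "impossible to audit" chains visible is to walk the lockfile yourself. The following is an added example, not code from the thread or from npm: it reads a `package-lock.json` (lockfileVersion 2/3 "packages" map) and lists every dependency chain from a direct dependency down to a named package, honouring the same nearest-`node_modules` lookup Node uses. The lockfile contents and all package names and versions other than `left-pad` are constructed for the example.

```javascript
'use strict';

// Constructed sample lockfile; names/versions (other than left-pad) are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-ui': '^1.0.0', 'example-strings': '^2.0.0' } },
    'node_modules/example-ui': { version: '1.0.0', dependencies: { 'example-fmt': '^1.0.0' } },
    'node_modules/example-fmt': { version: '1.0.0', dependencies: { 'left-pad': '^1.0.0' } },
    'node_modules/example-strings': { version: '2.0.0', dependencies: { 'left-pad': '^0.1.0' } },
    // A second copy nested under example-strings, as npm does when version ranges conflict.
    'node_modules/example-strings/node_modules/left-pad': { version: '0.1.0' },
    'node_modules/left-pad': { version: '1.0.0' },
  },
};

// Mimic Node's module lookup: try the requiring package's own node_modules first,
// then walk up one node_modules level at a time towards the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not present in the lockfile at all
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package. Returns every chain that ends at `target`
// as an array of "name@version" strings. A name already on the current chain is
// skipped so dependency cycles cannot recurse forever.
function chainsTo(lock, target) {
  const pkgs = lock.packages;
  const chains = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolveDep(pkgs, path, dep);
      if (!depPath || seen.has(dep)) continue;
      const next = [...chain, `${dep}@${pkgs[depPath].version}`];
      if (dep === target) chains.push(next);
      else walk(depPath, next, new Set(seen).add(dep));
    }
  };
  walk('', [], new Set());
  return chains;
}

console.log(chainsTo(sampleLock, 'left-pad').map((c) => c.join(' > ')).join('\n'));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` and the output tells you which of your direct dependencies would break if the target package disappeared, and which version each path actually resolves to.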
> Apparently it has now finally arrived in ES2026

ES2017 [1]. The MDN docs always link the latest version of the spec; the year in the link doesn't correspond to the version where it was added. The proposal was already mostly done at the time of the incident [2].

[1] https://tc39.es/ecma262/2017/#sec-string.prototype.padstart

[2] https://github.com/tc39/proposal-string-pad-start-end

Oh, I see, sorry. The "Specification" section is definitely misleading then by not also linking to the earliest specification it was included in.
> the left-pad incident helped shatter that myth

In what way? Have the dependency trees gotten significantly smaller since then?

I don't think so, but at least awareness of dependencies as liabilities has increased.

I installed `pass` (the lightweight password manager) on a fresh headless system the other day and it brought in like 60 packages including a bunch of X stuff.

Just checked on a fresh install of Fedora 42 "custom operating system" install, so pretty minimal. Didn't even check the "standard tools" box or whatever it's called.

Installing 'pass' pulled in: desktop-file-utils emacs-filesystem git-core libpng qrencode qrencode-libs

Plus weak (optional) dependencies: libwayland-client mailcap wl-clipboard xdg-utils

12 packages, 5 MB download, 24 MB installed. Could be worse, could be better.

I was honestly expecting Fedora to have less than that.

Inefficient? What would be an efficient way to do this? .Repeat() a string and then concatenate?
> Most of my open source work followed Unix philosophy, so the packages did one thing at a time. There was 350+ of them.

The man page for a unix binary is at least two orders of magnitude larger. At some point, the "Unix philosophy" doesn't make sense anymore. I mean, it couldn't even rightpad.

When the metadata for the package is larger than the source code you've probably gone too small!
packages like `left-pad` should really be named more like `resume-pad`

oh look at me, 589 published packages on npm! with 5 700 quadripillion weekly installs!

oh there are thousands of those out there on npm. Short and trivial code. Even if you do not use them at all in your own codebase chances are quite high that some package you do use, uses some of those tiny packages.
> NPM the company isn't curating NPM the registry

They do in fact curate the registry, mainly for reporting vulnerabilities to consumers and to remove malicious packages.

I'd probably call those things "maintenance" or "moderation" rather than "curation". Curation would imply they care about the quality, but in reality they just try to limit the damage of malicious packages.
Years ago I used Sourceforge and they had a policy you had to ask permission before deleting a project.

After left-pad, I understood why.