神刀安全网

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript.

A couple of hours ago, Azer Koçulu unpublished more than 250 of his modules from NPM , which is a popular package manager used by JavaScript projects to install dependencies.

Koçulu yanked his source code because, we’re told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name.

According to Koçulu, Kik’s briefs told him to take down the module, he refused, so the lawyers went to NPM’s admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. "This situation made me realize that NPM is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People," Koçulu blogged.

Unfortunately, one of those dependencies was left-pad . The code is below. It pads out the lefthand-side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it.

With it removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency and thus fell over. Thousands, worldwide. Left-pad was fetched 2,486,696 downloads in just the last month, according to NPM. It was that popular.

module.exports = leftpad;  function leftpad (str, len, ch) {   str = String(str);    var i = -1;    if (!ch && ch !== 0) ch = ' ';    len = len - str.length;    while (++i < len) {     str = ch + str;   }    return str; }

You can witness some of fallout here , here , here and here .

To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the " unprecedented " step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it’s gone. Now NPM has forcibly resurrected the code to keep everyone’s stuff building and running as expected.

"Un-un-publishing is an unprecedented action that we’re taking given the severity and widespread nature of breakage, and isn’t done lightly," Voss explained about an hour ago.

"This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many. This whole situation sucks. We will be carefully considering the issues raised by and publishing a post-mortem later.

"In the meantime, several thousand open source projects have been repaired, and I’m sleeping fine tonight."

A new maintainer has stepped forward to look after left-pad on NPM. Meanwhile, Oakland-based Koçulu has hosted his work on GitHub .

And that’s how JavaScript app development works in 2016. ®

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
分享按钮