

Yesterday the JavaScript community was in turmoil. To make a long story short, someone unpublished a few packages from the public repository, and one of these packages was used by many many other packages, including Node and Babel.

The package in question, left-pad, was 9 lines of JavaScript, counting braces, excluding blank lines and the module export statement.

Now I’m not going to debate why we’re packaging up 9 lines of JavaScript, maybe it’s because anti-NIH syndrome is stronger than we think, or maybe it’s just a consequence of JavaScript not having a standard library. I’m not even going to argue about whether NPM were right in allowing some lawyers to dictate which package should or shouldn’t be removed.

Instead, what I’d like to focus on is something that caught my attention today:

I’m not sure whether Jeff was referring to NPM, in that they wrongly pulled down a package, or to the author of left-pad. But assuming it was either of them, then I’d disagree. In fact, the only time I’d agree with such a statement is if he were referring to the developer that uses that dependency, for allowing a critical piece of software (well, fair enough, 9 lines isn’t critical, but other packages might be), developed by a third-party person and hosted by a third-party company, to potentially impact the software that they use, build and deliver to their customers. And they do this with dependencies that often have no SLAs in place.

Where did my free lunch go?

Open source software, free package repositories, all of these things are truly wonderful things. We all use OSS and public repositories in one way or another. But at the end of the day, none of these free packages, free projects or free services necessarily owe us anything. And yet we seem to often choose to ignore this fact when we’re evaluating technology and costs of what is involved with adopting something.

If we are naive enough to believe that certain things are too central or too big to fail, and that having a dependency on them is therefore fine, then we should recall that they said the same about Lehman Brothers and other large banks.

At the end of the day, we’re exclusively responsible for the software we build and deliver to our customers. And in doing so, we have to safeguard our own dependencies in one way or another.