npm maintainers can ruin your day

opensauce

2024-05-01

dev

Remember the left-pad drama?
In March 2016, an open source maintainer processed removal of a small but widely used package called “left-pad” from the npm registry caused chaos, breaking many popular Node.js projects.

We believed this wasn’t gonna happen again, that developers had learned their lessons, don’t rely on npm always having developer’s best interest and sticking it to the ethics of oss maintainers.
In fact npm mentioned they had implemented measures to make it harder to unpublish critical packages.

After this incident, developers were more aware of the risks of relying on single-source dependencies.

Still, the potential for disruption exists, and the left-pad incident serves as a cautionary tale.

…and now it happened to me.

I rely heavily on a package called nut.js, and on April 30th, npm started giving me errors about the package not being able to be installed anymore.

Looking on the internet I found that the maintainer of nut.js was on his last straw. Then suddenly this happened: https://nutjs.dev/blog/i-give-up

I posted this on HN btw:

A blogpost detailing why it didn’t make sense for the developer (Simon) to continue building for free. I agree with 99% of what he said in this blogpost.

However, what I disagree is the fact that npm pulled (temporarily?) the package, the request must’ve happened on behalf of the author.

Check for yourself: https://www.npmjs.com/package/@nut-tree/nut-js

All hands on deck - red alert!

When a package they rely on gets yanked from npm, developers can experience a range of emotions – frustration and anger.
This causes a clear disruption to their workflow.

The only solution is to start scrambling to find alternative packages, updating code, and rigorously testing to ensure everything still functions. This can be a time-consuming and error-prone task, especially for projects with complex dependency chains.

Now I am not an advocate for cryptocurrency but blockchain technology is good for things like this: an immutable database could allow a decentralized and immutable package registry. In such a system, a package once published would be permanent, eliminating the risk of a single entity taking down critical code and causing widespread headaches for developers.

Should maintainers keep control or should users keep control?

This is an ethical question, and it’s a hard one to answer. If you published an open source library, and people rely on it - you should decide to stop maintaining it if you want to, but pulling from a registry is not the answer in my opinion, as this causes disruptions as mentioned above.

One thing is for sure, it sucks what happpened to Simon - being abused online while working for free, isn’t the way open source maintainers should be treated.

Now, back to migrating away from nut.js - ooof :/