Npm package author revokes his packages, breaking tons of builds
Tons of other projects around the world depending on his packages broke as a result of this. The NPM project responded by un-un-publishing the packages:
Hey npm users: left-pad 0.0.3 was unpublished, breaking LOTS of builds. To fix, we are un-un-publishing it at the request of the new owner.— Laurie Voss (@seldo) March 22, 2016
While you can say that the original author was not very nice to do this as a protest, and without warning, I think it highlights a larger underlying problems, in not just NPM but also other packaging systems:
- We’re currently relying on the trustworthiness and ethics of many package authors.
- Package repositories are a critical piece of our infrastructure.
Both are single points of failure for a lot of projects, except the few
that actually commit their
vendor, etc directories to
their github repository.
Another interesting thing is that package authors can not just un-publish their packages, they can even modify already-released packages.
I think this is a very weak link in our infrastructure. What we need is a packaging system that is:
- Immutable / Append-only
- Distributed, anyone should be able to run a mirror.
Append-only means that once you publish a package, it can never be changed or unpublished. It can’t be censored or taken down. This puts the control back in the hands of the user, and we’re no longer at the mercy of package developers or centralized repositories.