Npm package author revokes his packages, breaking tons of builds

I just came across an interesting post via Hacker News, from an author of several hundred NPM packages (some of which were quite popular) who had just removed all of his packages from NPM.

Tons of other projects around the world depending on his packages broke as a result of this. The NPM project responded by un-un-publishing the packages:

While you can say that the original author was not very nice to do this as a protest, and without warning, I think it highlights a larger underlying problem, not just in NPM but also in other packaging systems:

  • We’re currently relying on the trustworthiness and ethics of many package authors.
  • Package repositories are a critical piece of our infrastructure.

Both are single points of failure for a lot of projects, except the few that actually commit their node_modules, vendor, etc. directories to their GitHub repository.

Another interesting thing is that package authors can not only un-publish their packages, they can even modify already-released packages.

I think this is a very weak link in our infrastructure. What we need is a packaging system that is:

  • Immutable / Append-only
  • Decentralized
  • Distributed, anyone should be able to run a mirror.

Append-only means that once you publish a package, it can never be changed or unpublished. It can’t be censored or taken down. This puts the control back in the hands of the user, and we’re no longer at the mercy of package developers or centralized repositories.