How 11 Lines of JavaScript Broke the Internet
Azer Koçulu unpublished 273 packages over a trademark dispute. One of them was an 11-line function that React, Babel, and Node depended on.
On March 22, 2016, the JavaScript developer Azer Koçulu typed a command that npm's CEO had written for him personally, and 273 packages disappeared from the registry. One of them was a function called left-pad. It took a string and padded it on the left with spaces until it hit a target length. Eleven lines of code, no dependencies.
The trigger was a name dispute. Koçulu had registered an npm package called kik. Kik Interactive, the chat-app company, owned the kik trademark and asked him to release the name; their email noted, "We don't mean to be a dick about it, but it's a registered Trademark in most countries." Koçulu refused and asked for $30,000. On March 18, npm CEO Isaac Z. Schlueter wrote that npm would transfer the package manually. Koçulu replied that he wanted out of npm entirely. Schlueter sent him the deletion command.
Within minutes of left-pad's removal, build pipelines around the world started failing. The package had become a transitive dependency of Babel, React's tooling, and a long tail of front-end projects. Continuous-integration systems at Facebook, PayPal, Netflix, and Spotify all stopped pulling clean builds. Watching it happen on Twitter that afternoon felt like watching a small, very specific kind of weather.
npm restored left-pad from a backup within about two hours, by republishing the original tarball under a different maintainer. A few days later the company changed its policy: a package can no longer be unpublished after 24 hours if any other package depends on it.
The incident is usually told as a parable about tiny dependencies. The other lesson is about ownership. The whole pipeline of modern web development sat on a public utility that, until that Tuesday, anyone could withdraw on a whim.