Kik, left-pad… Should I stop using npm?

TL;DR: No, unless you make npm packages. If you do publish npm packages think about how the disputes are resolved and decide if you are OK with it.

I started using npm a few years ago in our build system. My CTO and his deputy told me today that this means it is in production. I thought it was not, but on second thought I think they are right, since it decides what code ends up in the production artefacts.

A few days ago, while I was on holiday, two of my colleagues investigated a problem with npm regarding some dependencies that may contain malicious code. I was the one who used it first. I felt responsible.

I read about the issue on GitHub and I became more worried: npm allowing the reuse of package names meant that it was unsafe to use. Because of my decision to adopt npm, more and more projects in the company depend on it. Was I responsible for us disseminating malware?

How did you feel at that time? Had you done your due diligence on npm? I felt I had not.

Or did I? After all, what is the difference between npm, Maven and GitHub? Don’t they all allow you to download some code identified by a name and a version number?

The difference between them struck me when reading a specific part of the three-party conversation between Kik, Azer and npm.

BTW, if you have not yet done so, I suggest you read, right now, the positions of npm, Azer and Kik. I’d like to read a post on how they all contain examples of bad communication and how we could all do that much better, but that’s not the purpose of this post.

The line that got my attention was “So you’ll let these corporate lawyers register whatever name they want?”, which Azer asks npm’s Isaac.

How is it that I never heard of this in Maven or GitHub?

I think naming conflicts in Maven and GitHub are less likely because they don’t use a single global namespace for packages: both GitHub and Maven only allow a name within the domain of an owner or organisation (a GitHub repository lives under a user or org, a Maven artifact lives under its groupId, e.g. guava exists within its group rather than at the top level). npm does offer scoped packages (`@scope/name`), but the unscoped names that most people install are a single global namespace, so npm is aiming at a much harder problem: “provide npm users with the package they expect” when all the user is providing is a bare name and a version.

A global namespace means acting as the global naming authority for JavaScript software. I do not envy them, at all.

What we see here, I think, is peculiar. Two entities, an open source developer and a company that makes a messaging app, enter a collision course because their systems of belief are different.

The company believes in trademark law while the open source developer believes in the network of trust of JavaScript developers. Each one believes that the name Kik belongs to them based on the rules of the system they believe in. Which system do you believe in? Which one do you choose to adopt?

I’m undecided. Trademark law is so complex as to be inaccessible to me: I would need a lawyer just to tell whether the claim on kik is reasonable. On the other hand, the npm policy is just as inaccessible to me: it is based on the individual decisions of the people who control the npm registry. Do I trust them?

Do I have to decide?

As a consumer of npm packages I think I’m OK: the technical measures put in place by npm are enough to make me sleep well, and the response to the parallel worm problem sounds sensible to me: “we rely on users to flag suspicious packages and act quickly to remove them from the registry”.

As a producer of npm packages (which I am not, yet) I’d like more transparency on how npm rules on naming disputes. The documentation of what happens in case of disagreement is simply not there: the npm documentation explains what you should do if you think you deserve a name that is already taken. It gives zero information on how npm decides between the parties once they cannot agree amicably.

Would a distributed system be better? Build one and we will see.