You have probably heard about the Kik, NPM and left-pad saga this week. In short, a company called Kik asked a developer, Azer Koçulu, to hand over ownership of an NPM module whose name matches the name of the company. The developer refused and the company contacted the registry (NPM). The module was transferred to the company based on an NPM policy. The developer then decided to remove all his modules from the registry. The bad thing is that one of these modules, left-pad, is a dependency of many other modules. As a result of the un-publishing, all the packages that depend on left-pad cannot be built. Some really popular tools like Babel and React started getting broken builds.
All the parties:
To be honest, I can’t take a side because I didn’t read the TM of NPM and I have no idea how such cases are handled in the US. However, I see that there are some really wrong interpretations of the situation, and I feel that we need to clarify a few things:
- No one broke Node. Node as an environment is stable and it works as expected.
- The dispute between Azer and Kik is unclear and it is maybe a matter of policy and trademark documents. The real problem is in Node’s package manager. Not the company NPM but the package manager and how it is designed. Maybe we shouldn’t be able to un-publish a package if it is used by someone or there are dependent modules. Maybe we should install packages in the format of @owner/module then we could have
I think that no one installs modules blindly. No one is going to run npm install kik without checking what the content of the package is. I wish Kik had simply created kik-chat and not bothered with a single developer or going to NPM. Maybe there is a law that forces them to protect their brand and they really must own kik, who knows.
P.S. And I hope that their back-end is not written in Ruby because there is a kik gem.
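
The un-publish restriction suggested in the list above (no removal while dependent modules exist), sketched as an added example that is not part of the original post and not npm's code. The registry data is constructed, every package name except left-pad and kik is hypothetical, and so is the canUnpublish guard.

```javascript
// Constructed registry metadata: package name -> its direct dependencies.
// Only left-pad and kik come from the post; the other names are hypothetical.
const registry = {
  "left-pad": [],
  "kik": [],
  "logger": [],
  "string-utils": ["left-pad"],
  "build-tool": ["string-utils"],
  "web-app": ["build-tool", "logger"],
};

// Invert the graph: package name -> packages that directly depend on it.
function reverseIndex(reg) {
  const rev = new Map(Object.keys(reg).map((name) => [name, []]));
  for (const [name, deps] of Object.entries(reg)) {
    for (const dep of deps) {
      if (!rev.has(dep)) rev.set(dep, []); // dependency missing from registry
      rev.get(dep).push(name);
    }
  }
  return rev;
}

// Every package that stops installing if `name` vanishes: a breadth-first
// walk over reverse edges collects direct and transitive dependents.
function dependentsOf(reg, name) {
  const rev = reverseIndex(reg);
  const seen = new Set();
  const queue = [name];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const parent of rev.get(current) || []) {
      if (parent !== name && !seen.has(parent)) { // also safe on cycles
        seen.add(parent);
        queue.push(parent);
      }
    }
  }
  return [...seen].sort();
}

// Hypothetical registry-side guard: allow un-publish only with no dependents.
function canUnpublish(reg, name) {
  const blockedBy = dependentsOf(reg, name);
  return { allowed: blockedBy.length === 0, blockedBy };
}

console.log(canUnpublish(registry, "left-pad")); // blocked by three packages
console.log(canUnpublish(registry, "kik"));      // nothing depends on it
```

The transitive walk is the point: web-app never lists left-pad itself, yet it is the kind of package whose build breaks when a leaf module disappears.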