title: NodeJS: unsafe at any speed? link: https://onemoretech.wordpress.com/2016/03/28/nodejs-unsafe-at-any-speed/ author: phil2nc description: post_id: 10930 created: 2016/03/28 09:41:35 created_gmt: 2016/03/28 13:41:35 comment_status: closed post_name: nodejs-unsafe-at-any-speed status: publish post_type: post

NodeJS: unsafe at any speed?

Normally when I criticize a programming language or framework as being immature, I simply mean that it is in either an early state of development or state of arrested development such that it is lacking in a sufficiently comprehensive library of functions and methods. I've said this in the past about php, for example. But I've never said, or had reason to say, that the language or framework is emotionally immature. That changes right now. kik, left-pad, and npm provides the gory details. Here are what I consider some essential quotes:

In recent weeks, Azer Koçulu and Kik exchanged correspondence over the use of the module name kik. They weren’t able to come to an agreement. Last week, a representative of Kik contacted us to ask for help resolving the disagreement... This hasn’t been the first time that members of the community have disagreed over a name. In a global namespace for unscoped modules, collisions are inevitable. npm has a package name dispute resolution policy for this reason... The policy’s overarching goal is this: provide npm users with the package they expect... Entirely on this basis, we concluded that the package name “kik” ought to be maintained by Kik, and informed both parties. Under our dispute policy, an existing package with a disputed name typically remains on the npm registry; the new owner of the name publishes their package with a breaking version number. Anyone using Azer’s existing kik package would have continued to find it... In this case, though, without warning to developers of dependent projects, Azer unpublished his kik package and 272 other packages. One of those was left-pad. This impacted many thousands of projects.

As pointed out in this week's TechSNAP podcast, this incident really highlights a fatal flaw in the design of NodeJS and its npm packaging system: its global namespace. Because that namespace is flat, each module name needs to be unique. The provision for a "breaking version number" to differentiate packages published by different owners both curious and profoundly... unsatisfying (in the podcast Chris and Alan have a lot to say about the trivial nature of many of the 272 modules in question, and how the failure to organize the functions they provide into some core shared libraries for nodejs is a glaring deficiency in the language). An additional weakness that directly contributed to the catastrophic result in this case is something that is usually praised as a strength of node and npm: its default behavior of having each module install its dependencies within itself (How NodeJS avoids dependency hell). In many cases the addition of a single function can result in the installation of dozens of supporting modules, each with its own maddeningly complex set of dependencies that are recursively installed as part of the process. Finally, the fact that a developer has the power to "un-publish" over 200 packages that are critical dependencies for thousands of others is mind-boggling. It should also pin the risk-o-meter of any sysadmin out there riding herd over software written in node. Regarding the project's resolution of the dispute itself, I'll only say that when managing programming language or framework namespaces it is extremely disconcerting that arguable trademark rights should be elevated over language or framework stability. Fortunately I don't have any personal projects that depend on node. For my own peace of mind I've removed nodejs, npm and their associated modules from all my systems. At the end of the day, life is too short and the day not long enough, for me to be bothered worrying about the instabilities and bad design decisions of what for me is a fringe project.

Copyright 2004-2019 Phil Lembo