The Programmer Who Broke The Internet

I just came across a story that offers us several lessons. It’s a tale about a programmer who withdrew a trivial function from NPM and subsequently caused several applications to fail. Some of the failures were second-order effects: the failing applications’ authors had never heard of the function, but it was used by libraries that they did depend on directly.

The function itself simply padded a string on the left with spaces to reach a specified string length. As I said, it’s a trivial function (the implementation is only 11 lines) that anyone—even a rank beginner—could write, but it was available in some random library, so why reinvent the wheel?
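To make the point concrete, here is what writing such a function yourself looks like. This is an added example, not the code from the original post or from the withdrawn NPM package; the function name `leftPad`, the optional `padChar` parameter, and the input checks are my own choices. It refuses to truncate a string that is already long enough, and it rejects arguments that would otherwise produce silent nonsense, which is exactly the kind of edge-case behaviour you lose visibility of when the implementation lives in somebody else’s package.

```javascript
// Added example: a local left-pad written in place of an external dependency.
// Not taken from the original post or from any NPM module.
// leftPad('7', 3)        -> '  7'
// leftPad(42, 5, '0')    -> '00042'
// leftPad('toolong', 3)  -> 'toolong' (never truncates)
function leftPad(str, length, padChar = ' ') {
  // Coerce to string so numbers and other primitives pad sensibly.
  const s = String(str);
  const ch = String(padChar);

  // Reject lengths that cannot describe a target width.
  if (!Number.isInteger(length) || length < 0) {
    throw new RangeError('length must be a non-negative integer');
  }
  // A multi-character pad would make the result width unpredictable.
  if (ch.length !== 1) {
    throw new RangeError('padChar must be exactly one character');
  }

  // Already at or past the target width: return unchanged rather than cut.
  if (s.length >= length) {
    return s;
  }
  return ch.repeat(length - s.length) + s;
}
```

In a real project this would sit in a small utilities module that you export from, version, and review like any other code you own; the payoff is that no registry decision, account takeover, or package withdrawal upstream can change its behaviour or make your build fail.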

All went well until a billion dollar corporation wanted to use the name of one of the programmer’s other packages and asked him to change the name of his. When he refused, they threatened legal action and got NPM to side with them and assign the name to the billion dollar corporation. In a fit of—justifiable in Irreal’s opinion—pique, the programmer withdrew all his code from NPM, including the aforementioned left padding function. Things went south immediately as several applications started failing to build.

There are a couple of obvious lessons here. First, exhortations to avoid the NIH syndrome notwithstanding, it pays to avoid deep dependencies, especially those you can’t rely on. It’s fine to depend on, say, the C library (or whatever) and other libraries that are part of the programming language environment, but when you start depending on random libraries untethered to the language runtime, you’re asking for trouble.

Second, it’s wise to avoid depending on repositories like NPM that may side with big corporations rather than do the right thing. At least according to the story at the link, the programmer was clearly in the right and the corporation had no argument other than muscle in the form of money on their side.

It seems almost paranoid to say you should avoid using NPM packages on the grounds that the ecosystem is extraordinarily fragile, but as this story demonstrates, sometimes a little paranoia is called for. Of course, some packages offer services that are far too complex to be worth implementing on your own, but a left padding function is not among them. Neither the primary application developer nor the secondary library developer should be depending on such things.

Afterword

Over at chaitanya.dev there’s a post that gives a few more details about the controversy. He reaches pretty much the same conclusions that I did: beware gratuitous dependencies.
