npmjs.org tells me that left-pad is not available (404 page) #4
according to https://registry.npmjs.org/left-pad
unpublished: {
name: "azer",
time: "2016-03-22T21:27:15.696Z",
...
}
It's causing Babel to fail installation
@tonytamps thanks for pointing this out
@azer why? this will break babel based builds on travis...
Seems like https://www.npmjs.com/package/left-pad is up again, but no versions published.
@tonytamps it seems like the registry has updated weirdly
{
"_id": "left-pad",
"_rev": "12-29db2b53680e1c66ee1acc89502fe1b0",
"name": "left-pad",
"time": {
"modified": "2016-03-22T21:42:18.002Z",
"created": "2014-03-14T09:09:20.762Z",
"0.0.0": "2014-03-14T09:09:20.762Z",
"0.0.1": "2014-08-14T03:31:03.146Z",
"0.0.2": "2014-08-15T07:13:09.056Z",
"0.0.3": "2014-08-15T07:14:44.360Z",
"0.0.4": "2015-05-20T04:04:04.473Z",
"1.0.0": "2016-03-22T21:42:18.002Z",
"unpublished": {
"name": "westlac",
"time": "2016-03-22T21:47:25.250Z",
"tags": {
"latest": "1.0.0"
},
Yeah I published a 1.0.0 to try to resolve the dependency. It looks like someone (not me) completely removed left-pad from the npm registry
Is there a way to get all the old versions back again? In my project it's at the end of a fairly long dependency chain...
Just tried replacing the travis version of npm, which is fairly old, with the latest to see what it will do
npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm v3.8.2
npm ERR! No compatible version found: left-pad@0.0.3
npm ERR! Valid install targets:
npm ERR! 0.0.9
npm ERR!
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR! /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1
It will now tell me that there is a version 0.0.9... weird.
Will not try to install that one, though, with all the malware going around...
@jmcriffey I can't publish 0.0.3 because it's already been published and removed. NPM forbids publishing a version of the same library twice.
See npm/npm-registry-couchapp#148 for context
@lydell is there a way to make line-numbers work again, perhaps an alternate package or by depending on left-pad@1.0.0 instead?
My build wants version 0.0.3 back or else it's going to hold me hostage. npm reports the only valid install target is 0.0.9
was about to deploy after weeks of work (to demonstrate to the client) and bam - this issue.
It looks like someone (not me) completely removed left-pad from the npm registry
Time to update your password / credentials?
@jacksonrayhamilton I'm not the original author. When it was removed from npm I just forked this repo and republished it.
Yep, given that it's unclear when line-numbers will be updated, we're dropping the dependency from babel-code-frame for now until we have more time to resolve.
You can install from github by adding left-pad to your package.json.
"dependencies": {
"left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355"
}
I made a pull request to line-numbers that is using this as a dependency if you guys want to thumb that up so he sees it: lydell/line-numbers#2. I believe @camwest made one too.
Published a new version of babel-code-frame as 6.7.3 that removes line-numbers. Need to backport it to v5.
@maxkostow Thanks,
adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json
fixed my build
The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.
NPM should really not allow removing of previously published versions.... surely?
FYI Babel 6 is now fixed.
$ npm install babel-core@6
/Users/sebmck/Scratch/fuckkk
└─┬ babel-core@6.7.2
├─┬ babel-generator@6.7.2
│ ├─┬ detect-indent@3.0.1
│ │ ├── get-stdin@4.0.1
│ │ └── minimist@1.2.0
│ ├── is-integer@1.0.6
│ └── trim-right@1.0.1
├── babel-helpers@6.6.0
├── babel-messages@6.7.2
├─┬ babel-register@6.7.2
│ ├── core-js@2.2.1
│ ├─┬ home-or-tmp@1.0.0
│ │ ├── os-tmpdir@1.0.1
│ │ └── user-home@1.1.1
│ ├─┬ mkdirp@0.5.1
│ │ └── minimist@0.0.8
│ └─┬ source-map-support@0.2.10
│ └─┬ source-map@0.1.32
│ └── amdefine@1.0.0
├── babel-template@6.7.0
├─┬ babel-traverse@6.7.3
│ ├── globals@8.18.0
│ └─┬ invariant@2.2.1
│ └── loose-envify@1.1.0
├─┬ babel-types@6.7.2
│ └── to-fast-properties@1.0.2
├── babylon@6.7.0
├── convert-source-map@1.2.0
├─┬ debug@2.2.0
│ └── ms@0.7.1
├── json5@0.4.0
├── lodash@3.10.1
├─┬ minimatch@2.0.10
│ └─┬ brace-expansion@1.1.3
│ ├── balanced-match@0.3.0
│ └── concat-map@0.0.1
├── path-exists@1.0.0
├── path-is-absolute@1.0.0
├── private@0.1.6
├── shebang-regex@1.0.0
├── slash@1.0.0
└── source-map@0.5.3
The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.
The way I see it, the problem is not the modules, but rather reliance on a centralized system.
A relevant place to bring up the npm issue is over here
No, that is not a relevant place to bring up the issue. This is not something over which the npm CLI maintainers have any control or responsibility. It's unfortunate that this package got unpublished, but this is the system behaving as designed.
The problem is reliance on other people.
If you rely on other people -- for literally anything -- then you can be surprised when they act in ways that you didn't predict.
That goes for relying on other peoples' servers, their code, their ability to show up to their jobs on time, etc.
The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.
@sheki https://docs.npmjs.com/files/package.json#bundleddependencies
This problem was identified and then fixed in minutes. This isn't an example of the small modules philosophy breaking; it's an example of it working.
Hi all,
Sorry about this. I've unpublished all my stuff from NPM.
You can change your dependency to point to azer/left-pad.
If there is any volunteer to take over this module, I'll happily transfer the repo.
Apologies for the inconvenience.
Azer
haha broke my build too. this literally broke major projects like react-native
Seems like a lot of major projects have dependencies on this.
wait nope, there's literally no way to fix this for older versions. you've basically broken every single version of babel. you can't republish over already published packages. babel relies on line-numbers with a fixed version and line-numbers relies on left-pad with a fixed version.
The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.
That's not what I was implying. The JavaScript community is library-based; of course we must and do rely on each other for almost everything.
I was implying some decentralization could make the system more reliable. For instance: If a package can't be downloaded, but is cached, install the cached version? (Maybe resolve this issue?) Or: Replicate (part of) the registry locally or onto your own server, and refuse to delete packages on your server?
@azer While I'm annoyed this has wasted part of my day, I'm okay with it for the reasons you've explained. Now to deal with the fallout.
I changed my pull request for line-numbers (the dependency that babel uses) to use lodash over this library: lydell/line-numbers#2. Please help get this noticed.
Is there really no way to tell npm to re-publish a package that was explicitly unpublished?
@loganfsmyth there sure is - NPM Inc can step in and steal control of this module just like they did the kik module.
Forget my broken build, that's some nonsense!! @azer I totally agree, thank you for your contributions and for helping the JS community grow just a little bit more, regardless of this outcome. Cheers buddy!
In my eyes, this is not a waste of time, but a learning experience on dependencies and how open source software is being affected by big companies.
wait nope, there's literally no way to fix this. you've basically broken every single version of babel. you can't republish over already published packages.
If it's not apparent yet, this exemplifies how NPM and much of the community's use of it is utterly broken.
Thanks to @maxkostow - his fix also worked for me.
npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355
Add --save or --save-dev at the end to overwrite your package.json.
FYI I was deploying on Codeship but had to clear their dependency cache.
adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json
Thanks for the fix!
Managed to publish babel 5.8.36.
IF YOU HAVE YOUR VERSION FIXED THEN YOU WILL NEED TO UPDATE TO ONE OF THE FOLLOWING:
6.7.2
5.8.38
We've made a copy of 0.0.3 available for anyone who wants to point to it instead: https://github.com/Automattic/left-pad-0.0.3
Here's how we updated our shrinkwrap file to point to it: Automattic/wp-calypso@a6ab617
I've requested from npm that they restore 0.0.3 on npm since I'm now the owner of the package...
npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 --save
Unfortunately, this does not work behind most corporate firewalls.
Wow. Many hundreds (thousands by the time it's all done?) of man hours were just wasted because someone doesn't understand basic copyright and trademark law. I'm not a lawyer, but as I understand this NPM and the lawyers did exactly what they were legally required to do.
There's no "sticking it to the man" here, this is punishing your fellow node and javascript developers. This is a knee-jerk reaction to a very typical and expected situation (do a Google search for "kik") with no thought at all to the consequences.
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
Thx a ton @maxkostow !!!
You, sir, are a life-saver!! This works sweet. Installs the so-badly-needed left-pad@0.0.3 version. I am on track now :)
"left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355",
It seems to be working now, without any hacks or having to manually install the package.
@paladox I just tried, doesn't work for me. Did you do an npm cache clear before you tried to install?
@paladox Do that and try again. I'm fairly certain it's still broken, and will remain so since npm doesn't allow you to republish with the same version number.
@loudwinston if you have a shrinkwrap you need to delete npm_modules, reinstall and regenerate it
@jasonroelofs Reminds me of DNS - also incompatible with the trademark system.
Namespacing might help avoid this, too. We'd probably still have suits over namespaces, but at least kik and azer could probably each have their own kik.
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
@jasonroelofs I dunno, but I got tired of reading changelogs for dozens of semi-maintained deps, so I went back to using Python on the server. Just sayin'
@stavarotti Did you try using git+https://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 ? That works for me behind my corp firewall
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
not to sound too cynical, but welcome to NPM!
majority of modules are tiny, repeatable simple logic pieces ... it seems as a community we're heavily relying on this pattern.
anyways, not a relevant discussion to this thread, but one I'd like us (as a community) to discuss further.
Was broken for my react-native build, is now working with no changes on my part.
https://twitter.com/seldo/status/712414588281552900
edit inlined tweets:
Laurie Voss
Hey npm users: left-pad 0.0.3 was unpublished, breaking LOTS of builds. To fix, we are un-un-publishing it at the request of the new owner.
Laurie Voss
Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly.
So everyone is clear on what has been updated:
Babel 5
A new version babel-core@5.8.38 has been published. If your deps were relying on semver ranges, reinstalling your deps should install the newest version, otherwise you'll need to manually bump your dependency to 5.8.38.
Babel 6
The package babel-code-frame@6.7.3 was released, which is a sub-dependency of babel-core@6.x, so re-installing any version of Babel 6 should resolve the issue for you because babel-core@6.x has a very broad range for its subdependencies.
Note, if you have an npm cache on your network, you could still have issues so please be sure you're pulling in the updated versions of everything.
That is our recommended solution currently.
Ooops! Wrong issue! @deoxxa, you're right. That was meant for npm/npm#12012, which has now been locked. Sorry to all for the misfire.
@jasonroelofs So true, man. "I'm dismayed NPM wouldn't break the law for me and thus protect me from myself."
all y'all are acting super entitled that some guy decided to exercise his legal right to go elsewhere. don't rely on underpaid, overexploited developers for your critical infrastructure maybe? :)
I'd like to request that @othiym23 be given abilities to lock any thread on any repo. Thanks for your understanding.
is left-pad 0.0.3 still being restored? doesn't seem to work yet for me.
npm ERR! argv "node" "/usr/local/bin/npm" "install" "left-pad@0.0.3"
npm ERR! node v0.12.7
npm ERR! npm v2.11.3
npm ERR! version not found: left-pad@0.0.3
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
Also as much as it sucks what happened, it's @azer's choice to do what he wants with his modules. Nobody here is entitled to them working forever, nor is he required to keep them on npm. Stop and take a step back before you start scolding him.
@michaelshobbs My recommendation would be to upgrade your Babel version to the latest of whichever major version you are on.
npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 worked for us.
credits to @maxkostow
hrm, unfortunately not using babel-core. instead, we're pulling in a bunch of babel-* deps.... :(
This just started working for me
$ npm --registry https://registry.npmjs.org install left-pad@0.0.3
left-pad@0.0.3 node_modules/left-pad
@michaelshobbs You've definitely got babel-core in there somewhere :) Feel free to drop by our support channel on Slack if you want more direct help.
Ah, and it does appear that the re-publish of 0.0.3 has been completed. Hopefully that can be the final fix.
Thank you everyone for bringing the issue to us. On the plus side, it's always nice to hear from our users :P
@loganfsmyth ah most likely a sub-sub-sub-dep ;P
seems to be working now. thanks!
Prime time for pushing ES2016 usage. https://jsfeatures.in/#ES7-string-prototype-padleft
don't use simple things you could just write yourself.
As much fun as it would be to reinvent & retest the entire world, assuming I had no actual work to do, seems that a single incident such as this in the entire history of npm isn't a reason to just throw it all out the window...
If you want to depend on a person's work, be prepared to deal with the consequences of the person's actions over their work.
@jasonroelofs Copyright law is different in every country. Company names are different in every country. I guarantee you, if you've published code, you have published to a package that is already trademarked in a country, somewhere around the world.
Personally, I think this was a very good, very strong message to send to the Open Source community. It is time for copyright reform, and it is time for companies like github, npm, etc to be protected from nonsense like this.
If KIK had an issue, they should be forced to take it up with the original repo owner. At that point, the judge should be forced to understand the impacts of "unpublishing" or "handing over" a repo.
Even "RealDonaldTrump" was forced to pick an alternative name for twitter. You don't see me stomping around because I'm older than that young whippersnapper that just registered my handle on that new social media site - You snooze, you lose.
Kik was a fairly small package, but what would you say if instead, "react" or "angular" or "handlebars" were forced to unpublish their packages, because all of those have different trademarks in different countries.
NPM should really not allow removing of previously published versions.... surely?
Definitely agree with this. I don't know of any other major package management system that lets you completely delete a package that has been published, other than in very rare scenarios (like a module being backdoored) where it's done manually. Neither NuGet nor Packagist allow deletion of packages, for example.
@jamietre this happens all the time, same with sec issues and bugs, but ultimately you will have to face what @Lana-chan stated. To avoid this you have three ways:
- Self hosted npm registry
- Write your own module
- Clone & link to clone
I'm no lawyer, but my understanding is that this is exactly what the "safe harbour" part of the DMCA is for.
Nope. "safe harbour" is only for the DMCA. "kik" package is trademark related, not copyright.
don't use simple things you could just write yourself.
I'll just leave this here. https://en.wikipedia.org/wiki/Unix_philosophy
@deoxxa Yes, and companies should be able to confidently rely on safe harbour, instead of bending to the will of patent lawyers.
The recent Apple v FBI case is a good example of why a company like npm SHOULD be scared - there's no precedent that will guarantee that a company like npm WON'T be sued and have to waste money defending itself, and even if there were, there are too many loopholes for conniving lawyers to try and wiggle their way through.
If the clause was as clear cut as "only the original publisher of material may be prosecuted", then we wouldn't have a problem, but the RIAA and MPAA would never allow that - it would cut into their bottom line too much.
so everything should be pretty good until Left Pad Inc makes a trademark claim, right?
I think this opens a good discussion for FOSS. What if a package (assuming the dependency was to the last version, instead of a fixed revision) was edited to do something completely different instead of just removed, would it still be okay for an organization to step in and revert it over the author's wishes? At what point do we stop this from becoming a Wikipedia edit war?
More tools for Github issues they said. Will cut down on +1's they said.
Also just leaving this here.
http://ruby-doc.org/core-2.3.0/String.html#method-i-rjust
https://docs.python.org/2/library/string.html#string.zfill
@dolkensp Yeah, to be clear I was referring to other people namesquatting, as the new packages will be pulled in for any package.json whose version range matches. An ideal package management system would be able to tell that the new (namesquatted) package is not signed with the same key as the older package, and at least warn you about it. npm packages aren't verifiable due to the lack of a signature on the packages.
@nijikokun sure, but I was responding to the notion of writing everything trivial yourself to avoid this, not that nothing will ever go wrong.
I doubt any car manufacturers are going to make their own airbags even though Takata screwed the pooch for millions of drivers. You accomplish much more by leveraging the work of others. Yes it comes with risks. They are minute compared to the risk of having to reinvent & test every 3rd party library I use.
Just a warning, a bunch of other @azer packages just got name squatted on npm by who knows who so watch out when updating your package.json files.
Just going to re-post the list of packages (from @azer's blog post) to help us validate our builds: https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt
Is there a possibility that these packages could turn malicious, and everyone who relied on them is in big trouble after their next npm install?
@jacksonrayhamilton Yes, it's absolutely possible. NPM modules can run arbitrary commands on installation.
@drewhamlett https://docs.npmjs.com/misc/scripts#current-lifecycle-event see install and postinstall
@SomeoneWeird @zerkms Ok cool. Thanks. I guess you would need to run it as sudo for it to work though.
Is there a possibility that these packages could turn malicious, and everyone who relied on them is in big trouble after their next npm install?
@drewhamlett so any module installed in the normal sudo'd global way would be able to do anything. Another good reason to use nvm.
@drewhamlett doesn't stop it wiping out your home directory, including all your ssh keys etc (you have backups, right?)
Here's a quick script to check if you depended on any of @azer's packages (tested with npm@2.14.7 and npm@3.7.3). If you find any, you should confirm they are still safe.
#!/usr/bin/env bash
# Fetch the list of package names and turn each line into " name@" so it
# matches the "name@version" entries printed by npm ls
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
| sed 's/^\(.*\)$/ \1@/' \
> ~/suspicious-packages.txt \
&& npm ls \
| grep -f ~/suspicious-packages.txt
@tlrobinson The PR doesn't matter - npm is going to address this issue the same way they addressed long-file-paths in windows - "Not our problem, go away"
Didn't they address long file paths in Windows by releasing a flat node_modules structure? That's the exact pain-staking opposite of "Not our problem, go away".
List of number of packages depending on those unpublished by @azer: https://gist.github.com/tlrobinson/05d2354a71f5491d2f5a
Didn't really expect to spend the last hours of my day cleaning up after another's tantrum.
@aduth so you're happy to use someone's code that they shared with the world for free, and you feel that your investment of $0 entitles you to some standard of service?
If anyone is confused about @davidmason's comment, it was in reference to a now-deleted reply. Anyone who has email notifications turned on in this thread probably has a copy in their inbox.
Open source should not be oppressed. Though it cost others time, you have the reason to do that.
@davidmason the "suck it up, you didn't earn it, move on" mentality contributes negatively to the validity and trustworthiness of the OSS community.
@joeandaverde the "you made it, you have to support the way I use it" mentality contributes negatively to the experience of being a part of the OSS community.
Safe harbor just means that NPM is safe (somewhat) from prosecution even if someone hosts copyrighted works on NPM. It doesn't mean they don't have to act on behalf of trademark / copyright owners.
@jacksonrayhamilton thanks for the script; I made a tweak to output the full install path for any of @azer's packages found in a project:
#!/usr/bin/env bash
# Turn each package name into the regex "/name$" so it matches the end of the
# install paths printed by npm ls --parseable
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
| sed 's/^\(.*\)$/\/\1$/' \
> ~/suspicious-packages.txt \
&& npm ls --parseable \
| grep -f ~/suspicious-packages.txt
This gave me the output:
/Users/jackwanders/some-project/node_modules/babel/node_modules/babel-core/node_modules/line-numbers/node_modules/left-pad
Hopefully this might help others determine how to proceed if they are relying on any of these packages.
Surely Kik could have just spent 5 seconds to realise that the NPM package had nothing to do with anything related to them. Solid effort on notifying a bunch of people as to what happened though.
Like others have said, his code can do what he wants with it, it's open source if you wish to republish then do so, rather than complain.
Our build job caught the left-pad issue, fortunately, and we ended up upgrading one of our npm modules to its latest version, which solved the problem, and my co-worker just swore in the team chatroom :)
This is a great example of why decentralizing the package hosting can solve the problem. If package hosting were done via a technology such as zeronet and torrents, this could be entirely avoided.
I'll be looking into this in the coming months.
@KoryNunn @SomeoneWeird @zerkms @drewhamlett If you run npm as root, it'll process.setuid() to a nobody user. https://docs.npmjs.com/misc/scripts#user
I don't wanna imagine what happens when tomorrow someone trademarks Lodash and wreaks havoc.
Maybe it's time to add an exclusion clause to Open Source licenses for companies like Kik?
BTW: Ask one of 80 million Germans about Kik and they'll recognize a completely different company.
This is why Docker exists. Because dependency management is trouble. Pack it all into one package. Do we need a Docker for JS?
When building projects on travis, or when searching for left-pad on npmjs.com, both will report that the package cannot be found.
Here is an excerpt from the travis build log
And here is the standard npmjs.com error page https://www.npmjs.com/package/left-pad
However, if I remove left-pad from my local npm cache and then reinstall it using npm it will happily install left-pad@0.0.4.