My working day today started with the drama of 273 node modules being removed from a public repository everyone uses, with one module in particular – “left-pad” – breaking a surprisingly large number of other modules. Talk about a great disturbance in the Force, as if millions of voices suddenly cried out in terror, and were suddenly silenced.
The author of the module posted the reason for his actions: https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c#.xp2dkmk69 and while I mostly agree with him, I do wish the impact weren’t quite so large. A list of the modules he removed was also posted: https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt
Apart from breaking application deployments and causing inconvenience, there’s also the very real risk of malicious code being pushed up to the NPM repository under the names of these removed modules, so I did some digging…
Several people have already registered some of the module names on the NPM repository, hopefully to replace the modules with their previous version or prevent people from doing something malicious as mentioned above: