The correction about why the websites themselves didn't break: it's not because of caching, it's just that they were already deployed with leftpad still working, and any changes made by npm will not touch the website. They simply can't be deployed again when the site cannot be built due to leftpad being missing (simply, nobody gets to update their website).
This is correct. Packages are fetched during deployment. Package missing = fail. Sites deployed prior to the deletion of the npm package were not crippled (but would be during a subsequent release)
@@jpaugh64 No it's not. It has nothing to do with the fact that some code was cached on the client side, nor does it have anything to do with a cache on the infra side. It's simply incorrect lol
@@tylerbreisacher5841 yep, totally JS math. Not like it's just another implementation of IEEE floats and has the same problems as every other language implementing floats. Nope, must be a JS thing.
If he really wanted to mess with people he should have just modified it by removing one of the brackets so that everything underneath it wasn't compiling. It would be a bit more annoying.
The real crime here is that someone one day did an `npm install kik` and got some API client to some dumb messenger instead of whatever that package used to do. Name reassignment like that can have the exact same effect as the removal of leftpad did.
Except if you read NPM's blog post following this incident, they were very clear that when a package's ownership gets transferred, the new owner MUST increment the major version number, and the old owner's code will still exist on all of the same version numbers it did before. This means all existing kik-dependent code would download the same version it did before, and you'd have to explicitly ask it to download the new version which was a different package. Not saying NPM was in the right, but they were trying to resolve the situation in a way where nobody's code would break.
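The point in the comment above is about version-range resolution: a dependent that declared a caret range on the old major keeps resolving to the old owner's code even after a new major version is published under the same name. The following is an added example (not npm's resolver or any code from the thread) implementing npm's documented caret-range rule over a constructed version list; the package name `kik` and the versions listed are assumptions for illustration only.

```javascript
// Added example, not npm's code: resolve a caret range ("^x.y.z") against the
// versions a registry lists, following npm's documented rule for carets:
//   ^1.2.3 -> >=1.2.3 <2.0.0,  ^0.2.3 -> >=0.2.3 <0.3.0,  ^0.0.3 -> >=0.0.3 <0.0.4

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Exclusive upper bound of a caret range.
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// What a resolver does without a lockfile: the highest listed version inside
// the range, or null when nothing satisfies it (the install then fails).
function resolve(range, available) {
  const ok = available.filter(v => satisfiesCaret(v, range));
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1];
}

// Constructed registry state (an assumption, not the real package history):
// 1.x published by the original author, 2.0.0 by the new owner.
const kikVersions = ['1.0.0', '1.1.0', '1.2.3', '2.0.0'];
console.log(resolve('^1.1.0', kikVersions)); // 1.2.3: stays on the original author's code
console.log(resolve('^2.0.0', kikVersions)); // 2.0.0: only reached by opting in
```

The resolver picks the highest in-range version, so the new owner's 2.0.0 is only reached by a dependent that changes its declared range. A lockfile pins the resolved version further, which is also what protects a build from a surprise when a range would otherwise float to a newer release.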
This is one of my biggest complaints about npm; they are a company who is ultimately in charge of a good chunk of the free internet. That's an important note; NPM is a company, not just a repository (and is now owned by Microsoft). It's concerning to me, and I think an open alternative might be wise.
@@mechtechpotato4249 You say that now; wait till 2025 when Microsoft is somehow claiming the rights to all of these packages and trying to charge royalty fees.
@@TheDeadOfNight37 I think they've already learned from the Windows model that collecting and using user data is more valuable than selling physical copies of Windows. In a worst case scenario, I could see them using the same method here: adding a few lines of code to an open source project to collect snippets of data, making it closed source, and then pretending like they haven't done anything, while they make millions/billions off more user data.
Well go ahead and be the open source dev to write npm from scratch. You'll see why this is an issue fairly quickly. Open source is time consuming with often little to no reward. Take it from a Linux user.
All this video did was make me lose respect for the NPM team for not only screwing over an open-source creator who clearly did nothing wrong and used the name WAY before Kik did, but screwed him over twice by reverting it back to published without the creator's consent.
Had it been a bigger package, it could also have been questionable legally. Did they still have the right to distribute his code after he unpublished? ...well, they probably did. They most likely wrote their TOS so they could do this, but it still leaves the question of this kind of TOS being enforceable. Since it is such a small package, it probably won't have any copyright, but it's an interesting question nonetheless.
@@Yotanido It was copyrighted with an open-source license, so it was legal--the license explicitly gave anyone who wanted to permission to redistribute and/or modify the code. So totally legal, just kind of a dick move, but also a dick move for which there weren't any particularly good alternatives.
@@allankcrain The alternative was what NPM apparently ended up doing in the end: writing their own version of leftpad that was way more complicated than it had any right to be and using practices that looked good on paper but actually didn't contribute anything in practice.
as a programmer, let's take a second to appreciate the incredible amount of effort it takes to find such a short obscure package instead of writing 10 lines yourself.
There is an NPM package called “is-odd” that does exactly what you think it does. It’s been downloaded like 30 million times and has like 2 million downloads a month 💀 💀 💀
@@abdelbakiberkati Besides what @badscript said about package grouping, you might spend 5 minutes total writing the actual code, but that's ignoring the five hours you spend second guessing if what you just wrote might have some weird edge-case that breaks it. Instead of taking a package that's so widely used that if it was broken in some weird edge case, someone would have noticed by now.
Just have to say, the explanation of NPM was comically on point. That's exactly how it works. Except this tower randomly decides to break down even when nothing is wrong because react@16.12.1 cannot be used with @types/react@16.2.2 for whatever reason.
well of course not, @types packages define how the exported functions & classes should look like. If you download react@16.12.1 which removed or changed feature X but @types/react@16.2.2 which has the old definition for feature X, you'll be in for a bad time.
@@unicodefox It would make sense. The issue is that I didn't even have TypeScript installed, nor was it a TypeScript project. How did a types package end up there? No idea.
@@unicodefox hush, you're making too much sense. Just join the bandwagon and bash JS because there can't possibly be a good reason why JS (and the surrounding ecosystem) is the way it is. Nooo... It must be boiled down to "JS bad, Other language good". Not like you're dealing with different platforms or anything
@@akatsukilevi If you don't use TypeScript, why do you have @types/react installed anyway? Unless it's a direct dependency, it's NEVER going to throw an error; worst case scenario you get a warning in your console from NPM. If your project was broken, it's probably a swallowed error somewhere else and nothing to do with the typedef.
@@fahadahaf Two words: legacy codebase. I have no idea who coded that, I have no idea how that thing worked. Best day of my life was the day I nuked that git repo.
As a web developer that doesn't regularly use NodeJS (what leftpad was used for) but is familiar with it, the people at my old workplace turned it into a joke shortly after this.
@@unknownperson3842 In Denmark, Web-developer is a degree after Computer Science. I'd suggest looking into getting a Computer Science degree, then building on top of that with Web-development :) Though, in my personal opinion, Web-development is little more than a degree unless you actually want to do frontend programming rather than backend :)
What's even more interesting about this is that npm enacted a policy forbidding package creators from unpublishing a package with a certain number of downloads. I'm not fully versed in the details, but they made some sort of change to prevent this from happening.
I have fewer than 1 friend in the World. That's right. Everybody disses me for making bad videos. I think they are perfect though. Who is right? My dissers or me? Which side are you on, dear sha
@@ChubiChan By open source standards, people can technically fork your code and have their own copy or version. You are essentially giving up control. However open source projects are licensed differently and there are a bunch of caveats to this.
@@ChubiChan Yeah, that was always the case. npm is a repository for open-source code only and has a very permissive license (Perl's "Artistic License 2.0"). Once you submit code, anyone can download it, distribute verbatim copies (as long as they include all copyright statements of the original), modify it, and even distribute modified copies (as long as the modifications are clearly described). They can also distribute compiled versions of either (as long as you give instructions on how to access the source code) and aggregated packages including that code as a component. They can even charge a distributor fee to do so. Moreover, the publisher relinquishes all patent claims to any part of their code. Since your code is published under that license, you can't just revoke those permissions.
I am a node web developer. This Jenga tower analogy is accurate. I work for a huge company (60,000 employees) and we use react, which uses hundreds of other packages that we have no idea what they are, so when one breaks it's a scramble.
@@benjii_boi My little kiddies here don't know about coding like us and usually use basic packages without even looking at the code that makes them up. I think our galactic brains work harder than their basic programs, which are made by people who don't even know what the program is made of. 😀
@@benjii_boi That's the unlucky part for you when trying to insult others and trying to put them down. Only because you are required to do so, it doesn't mean that others will be required to do so. See, the problem is that you assume that everything has to be the same way as you do it. But in reality most of the software written is not part of critical infrastructure like the niche example you pointed out. My employer doesn't pay me to check the dependencies I put in. They pay me to add features or fix bugs. I can't achieve SLAs for my tickets if I have to check every line or every code block. Even a dumb script kiddie would realize this fact :)
Guess it goes to show that you should be nice to everyone, because you never know who's propping the internet up on their back in their free time like Atlas keeping the sky from crashing into Earth.
@@gayrights8315 One should be respectful and kind to anyone, furry or not, in the first place. That's just basic etiquette, isn't it? Besides that, have we all forgotten the idea of the golden rule, which I'm quite sure was drilled into our heads from a young age if you had good parents/teachers, that is? Not to mention, if we're supposed to accept people for who/what they are, isn't isolating/making fun of people because you think they're weird kinda the adverse intention? Plus, it could be reciprocated back, you could think what I do is weird, but I could think something you do is weird as well. Additionally, from my time in the fandom, I've found most people join due to childhood trauma, e.g. parents divorcing/childhood abuse. Before you judge me or anyone else, furry or not, consider thinking, "what's happened in their life that they came out this way?" Also, this wasn't meant to attack you or anyone. Just some thinking points. Please don't take my huge comment as provocative. Other than this section, the word "you" is just used in a general sense, meant to help explain a point. I sincerely hope this doesn't start a huge fight in the comments.
I would say the npm explanation is pretty accurate, but did want to correct that people use packages not because they're lazy and don't want to write the code themselves, but there is a general understanding that being a good software engineer means you aren't rewriting what's already been written and figured out, it standardizes things and allows for easier updates across projects.
Plus it can be more secure; I’d rather trust a package about cryptography made by people who actually know what they’re doing rather than something I throw together.
After trying to code everything by myself, I realized that literally any medium sized coding related project is borderline impossible(if you're solo of course) without using other peoples code. You don't reinvent the wheel every time you need it not because you're lazy but because it's just stupid and time consuming to do.
@@shawermusif If someone is so insistent on reinventing the wheel, they should code in binary with bitwise operations and create all sorts of stuff leading up to their program. After all, all these programming languages with built-in functions all trace back to someone making stuff with binary.
This is why you should think about adding a dependency to your project. Yes, libraries are almost always better than stuff you write yourself, but this is one very easy function to just implement yourself and save a dependency.
The problem is that, while it's easy to replace something like leftpad for your own project, it's extremely expensive and more likely to add risk to not use a tool like babel or react, far more complex and valuable libraries with extremely active development and security analyses. Like this video said, applications that relied upon these more complex tools became dependent upon this very simple tool. In general, the pooled security is far more valuable and saves far more money in the long run than avoiding the occasional hiccups using open source projects. In general, having a few bad days each year is nothing compared to trying to recreate React.
left-pad isn't even the worst of it. There's packages that are literally a single line of code and they still get used. Everything surrounding JavaScript, including NPM is a total shitshow.
@@forgottenfamily just throwing this in there as someone with 19 years of CS experience, I've never used react or babel. I actively discourage react usage for anything other than hacks (or 'bodge's as Tom Scott puts it).
I run a site for an obscure, yet historically important 70s punk band called The Normals. Needless to say I get requests from various other "Normals" bands that want to use the site name. The funniest excuse they use for why I should give them the name is that "you're not doing anything with it" (meaning a band from the 70s hasn't put out a record recently). Which is like saying, "these Beatles guys haven't put out a record since the 70s, they don't deserve a presence on the web." They'd rather erase the legacy of others than to put in the mental effort to be more creative with their name (ironic coming from an artist). I ultimately tell them "no", but I do check up on their band later. Not once has one of these bands ever done anything of note and they almost immediately disappear within a few years, and usually within a few months. So if I gave in to these demands, not only would they have themselves done nothing with the name, they also would have taken down a band that actually did do something with the name.
If Kik didn't want to be dicks about it, they should have just said: hey dude, we'll win in court, but here's 1000 dollars for the name so we don't have to go through all that.
From what I recall, they DID offer to pay him for it but he rejected it on principled grounds. Fun fact, open source devs have a major grudge against big corporations. He basically told them to go f*** themselves, and kik, deciding what is one turkish programmer against their billions of dollars, decided they could win and kept escalating.
@@ethanchapman1776 If the emails in the video were actually accurate, it looks like he offered to sell it for $30k, which Kik could have easily afforded.
@@ethanchapman1776 After Bob said "Is there nothing we can do for you that would compensate you for the hassle of changing the name?" Azer replied with: "Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks" which is not entirely unreasonable. 3 letter domain names are in that price range +. Instead of trying to negotiate they escalated straight to npm support 5 minutes later.
"Hey, this is our brand already, and for the clarity of recognition we’d like to use our own name" just isn’t that unreasonable a request, and they clearly did offer money; he just wanted an absurd amount more than they were offering. Because open source bros are like that.
Normally when someone makes a video about a topic I know a lot about, the best outcome is, “Well I mean I guess how you could describe it like that if you don’t know anything about it,” but honestly this was a really good explanation. There was only one moment in the video where I thought, “Well I wouldn’t use that word here because it’s not technically accurate, but to be fair anyone who would be confused by it probably already knows what you mean anyway.”
This is a perfectly reasonable explanation of how NPM works, and suitable for the level of depth this channel demands, but if you want a nitpick for your anniversary mistakes videos, there's more than one package manager. NPM is the de facto standard package manager for JavaScript, which is what much of the Internet is built on, but the illustration at around the 1:20 mark shows other languages which would typically use different package managers. (And tell your animators not to worry about putting the Java logo in cases which are probably meant to be the JavaScript logo - they're different languages, but it's really our bad for letting marketers in the 90s decide to name the latter after the former.)
As a techie, you’re gonna have to be more specific. Which one? :P But seriously, these sorts of things happen all the time. Turns out the internet is an incredibly shaky edifice all relying on a handful of projects run by a few guys in their spare time. Statistically speaking most of them are furries. Sorry, I don’t make the rules.
@@loonloon9365 I saw a tweet with a plane full of furries a while back and basically all the comments were about how this was a high risk concentration of critical individuals on one plane and how doomed we’d be if it went down.
@@UmaROMC All packages are published under a specific license. Most NPM packages (though not remotely all) including leftpad are using the MIT license. The MIT license is generally "do what you want, just don't blame me if something goes wrong". If the original versions were published under the MIT license, then NPM is fully licensed to republish it and it isn't theft. It might be disrespectful, but it's also disrespectful to cause billions of dollars of damage to the economy out of spite because two companies fucked you over (and no, that's not an exaggeration. If it had remained unpublished, it would have been that bad)
For a company dealing in open source packages, it seems like this could've been avoided in a far more adult manner. Reserve _TM or something as a mandatory suffix for any package names claiming trademark. Then there's no dispute with existing package names. If there's already a kik_TM, that means some other douche canoe already claimed that highly creative collection of 3 letters. Shocking. Well, here's the registration contact info they gave us. Good luck!
Kik the package was probably around before Kik the website, so technically the developer could claim copyright in the space of code packages and Kik the company couldn't do shit about it.
@@drewjanus4643 Doubt the package predates the company. Both Kik the messenger and npm were released in 2010, roughly 8 months apart. Unless Kik the package just happened to be released on npm in that relatively short timeframe, Kik the company was first.
That's a great idea! In one country only. Also, in America, multiple companies or their products can have similar names as long as there's no chance of confusion. See also: Popeyes the fast food chain & Popeye the cartoon character. Which one gets the single "official" slot in your scheme?
@@klfjoat Given we're talking very literal and specific strings of text, they both get what they want. popeyes gets with an s and popeye gets without. Simple.
@@klfjoat The one that’s a registered trademark, obviously. Go register Popeyes and let us know how that works out. While you’re at it, make the logo magenta. You’re not offering phone service, so I’m sure T-Mobile will be super chill about it.
The problem with adding malware to code, even code you own, is that it's illegal in many countries. Had he actually done that, you can bet all sorts of "Governmental Suits" would have been banging on his door just as quickly as his code was reinstated. Just remember this: no matter how painful Corporate Suits can make your life, at least they can't legally kidnap you, chuck you in a hole somewhere, and forget about you. No, pulling a Cartman by taking his coding ball away and going home was the best way to bring light to this. He was fully within his rights to do so, and it's not his problem that things broke.
There's always a relevant xkcd when it comes to kerfuffles like this one, and for this instance it's 2347. A more recent example of this would be the gpsd bug last year, and there was also another one back when OpenSSL's Heartbleed issue came to light.
They lost at the second mail at "but" with "We don’t mean to be a dick about it, but [...] our trademark lawyers are going to be [...] taking down your accounts and stuff like that - and we’d have no choice [...] because you have to enforce trademarks [...]." Oh the poor guys with loads of money for trademark lawyers had really no choice but to be dicks. 🤬
Let's not forget that McDonald's failed in court when they tried the same "just defending our trademark" attack on an Irish burger chain called Supermac's. Having a trademark doesn't give you priority.
@@AdrianColley That is a very different case, as Mac is a common name, so a trademark based on it can only be applied very narrowly. Kik is not a common word and, as far as I can tell, has no meaning outside of internet slang, meaning that as a trademark it can be applied much more widely.
Whenever you hear about big apps breaking, it always points back to either DNS or an NPM package. This is also why a centralized internet is not a good thing and why I miss the old days where literally 95% of the internet didn't rely on a single source of failure. NPM (really Github but actually Microsoft) could shut down tomorrow and the internet would be FUBAR.
That makes two people named Azer who broke the internet (the other being the kid who appeared in those videos with Tara and Raven Your Acidbath Princess of the Darkness)
@@hyoroemongaming569 It's just too simple for risking such a catastrophic event. The code for is-even is literally shorter than typing the name of the package (n%2==0) and it's still popular You don't need to reinvent the wheel, but you don't need to import an ice cube from Antarctica.
I've been a web developer since… well, before anything like a package manager existed, and like the crusty old curmudgeonly Gen Xer I am, I have stubbornly refused to ever build anything that uses npm or anything like it. Sure I use plenty of open source code, but I don't build anything with dependencies in this way because it just *feels wrong* to me, and this is a pretty good overview of why that's the case.
Spot on, was a developer but never on websites. When I found out about the Jenga tower (nice image - thanks HAI) that is modern code I was horrified. Disclaimer - I am a boring baby boomer and so totally out of touch and senile and still own a sliderule - but I am right, it deserves to break.
Yep. `node_modules` isn't some alien artifact, but the entire dependency graph for your project. And when you stop and ponder if some tiny library requires gigabytes of code to run, you realize just how broken this ecosystem is. Why is it not a thing with Python, Go, or C#, but gets so bad with NPM.
@Firstname Lastname Deno is trying to solve the problem of shitty packages. If you feel comfortable with node you should try it, it's very refreshing. Also it's mostly out of convenience. If you're starting out, for example, it's easier to use the same language for both frontend and backend rather than learning an entire new ecosystem just to write one app, and besides, JS on the backend is actually pretty fast and scalable.
Worth noting that for JavaScript in particular, a lot of the packages required are just filling in for the lack of common utility functions in JS, especially older editions. So you end up with thousands of NPM packages that aren't really maintained or scrutinized that just provide basic utility that arguably should be included in the language (like how "left pad" now is)
This kind of story reminds me of two realities- one, that I am a clueless caveman, and two, the world built around me by the postmodern geniuses is all fairy dust and daydreams held together by baling wire and paper cups.
Misread it as Elven as I was like, "That's so dope. Someone making the Internet snuck in a LOTR Easter egg and it's actually crucial to the internet working? Awesome." Now my disappointment is immeasurable and my day is ruined.
2:55 "Much like this video, it didn't require any particular skill or brilliance to write" was the first time you said 'like' in the video, so it made the like button animation happen
I'm a web developer and I just want to say that the explanation of what NPM is and what it does is pretty good, considering it's a channel which makes semi-satirical semi-educational 5-10 minute videos with lots of outdated memes and unfunny jokes The pain we get when the Jenga tower of borrowed code breaks is very real and not easy to solve at all
Except for the part you could easily spot the missing package, and since it was used freaking everywhere, you can just rebuild it from one of the millions of copies floating around on the Internet. Like it's 11 lines of code, just make your own package and have it locally.
WebDev here: The “broke the Internet” part is _kinda_ true (used for comedic effect). Websites/services stayed online because it was the building/deployment of _new versions_ of those websites that would be failing (so basically what’s there is still there, but just *frozen into place* and unable to be _updated_ to a newer version) because the retrieval of the package from NPM would have failed during the build phase _prior_ to deployment to production, for example. So, caching (unless we’re talking about local caching of npm repos in the build systems) _probably_ had little to do with it.
oh maaaan it's kinda exciting when a topic suggestion I made was picked! I'm almost sure I'm not the only one who suggested this and I forgot the name I typed on the sheet but I really wanted to see your take on this, thanks sam and adam who apparently wrote the vid!
It makes me furious when people confuse the web with the internet. Yes, the web is part of the internet, but it certainly isn’t the whole internet. There are over 65k possible types of services that can utilize the internet, which includes e-mail (through a client, such as an e-mail app on your smartphone), P2P, FTP, VoIP, Minecraft servers, etc. None of these things would get affected by this.
@@gavros9636 Probably not. Mail clients may use javascript, but I wouldn't imagine that many mail servers do. Or FTP servers. Or most internet servers. In fact, not many web servers do either, except those using Node.
@@gavros9636 you wouldn't use Node for a production SMTP/IMAP/POP3 server, and certainly wouldn't use it for anything like centralized VOIP servers such as SIP. I've seen Minecraft Servers done in PHP, so I won't say anything about those. But the Internet as a whole does not run on NodeJS and NPM.
If you paused and read the 3 articles you’ll read that NPM chose ‘kik’ over ‘kik’ because if a user request npm kik NPM wants said user to receive what they are most likely to receive and due to kik being an app with 200 million users they are the most likely to be requested
It is just a casual breakout by an open-source developer, as not everybody likes to not get paid and just do work for big companies without even getting credit, let alone a donation.
The statement that developers just cobble together other people's code is spot on. It's like if everything in the world was made of Lego blocks, including Lego blocks.
You summed up everything I hate about web development in a 5 minute video... I've been doing this for over 20 years... The industry is full of stupidity. I worked on a ONE PAGE WEBSITE APPLICATION that used somewhere near 500mb of libraries... THINK THAT OVER, IT'S INSANE.
Umm, one thing about this is incorrect. You claim that they kept working due to caches. Noooo. Prior builds don’t just suddenly break. So even if it wasn’t cached, the current product version is unharmed. Any project that has left-pad as a transitive dependency would just simply be unable to find it and therefore break. But the claim that every time a user goes to a site it compiles and builds is awful lmao
It's reasons like this why other big package repositories (e.g. NuGet) do not allow packages to be fully 'unpublished', but they can be 'unlisted'. The difference is subtle, but it means people who are already using a package can continue using it when it becomes unlisted, however new people searching for it will not be able to find it in search. Since Microsoft (owns NuGet) also purchased npm in 2020, they've implemented a similar strategy for popular npm packages with a high number of downloads.
Best part: the package, for which they had to take away the name from an innocent open source dev for no reason, is now removed because it contained malicious code. gj npm...
Me hearing a package was unpublished: "Meh, how bad could it be?" Me hearing the package was left-pad: Eyes widen and with the gravitas of a scientist in a 70s disaster film, "Dear God." And I thought the whole Log4j thing was bad. I mean, it is bad, really bad. But this damn thing (left-pad) is so far down on the stack... *shudders* (And yes, I know Java and JavaScript aren't the same things. But still.)
This reminds me of something that happened during my days as a systems programmer in the 1980s. IBM's OS/370 had a function called GETMAIN, which allocated memory to a user on demand. It had a security problem, because it didn't clear the memory, so users could theoretically peek into each other's code and data (same problem with hard drive space allocation today, which is why Bleachbit; it's also similar to some hacker exploits). So one of our guys wrote some code to fix it. Unfortunately, he didn't get it quite right, because if the amount of memory was an exact multiple of 256, it cleared one extra byte. For a long time, no-one noticed it, until it caused one of my programs to crash, taking our system and all its users down with it.
Based. Everyone uses packages. You make it sound like it's lazy. It's good to reuse code
Yep. It's especially true for things like cryptography and rendering. If you end up writing it without any prior qualification, you'll get a barely working mess. Reusing code is good.
depends on the context though, here node was implied. node devs are notorious for using hundreds of small packages they don't really need and could write themselves in minutes.
@@gab8169 Yeah, most of his commentary on the subject earlier in the video was definitely mostly just him being coy, but with leftpad specifically? Yeah, he ain't wrong about laziness there. It's a ridiculously simple function, it probably takes more time to find, download, and include it than it does to literally just code it yourself.
I don't think the quote that it was "lazy" was said in any real seriousness, to be fair. That said, I'd agree with reusing code, up to a point - don't reinvent the wheel, and save that time to do better things!
Also don't forget about a similar thing that happened recently with Marak Squires' faker.js and colors.js. He didn't want fortune 500 companies using his code for free, so he corrupted those files
It always depends on how safe you want your code to be for unexpected inputs (especially if the users can enter stuff). In Javascript you don't have static types, so you first might want to make sure that what you are checking is a (whole) number. Then you have the problem that very large numbers in Javascript aren't exact anymore (9007199254740992 is equal to 9007199254740993 and 9007199254740993%2 is 0). So, especially in very large and complex enterprise applications you might want to protect against those cases and fail gracefully instead of hard/invisibly. And that is exactly what isOdd/isEven are doing.
@@I25mI25 This boils down to two problems: Javascript's duck-typing (or whatever they call the horrible type system where everything is an object until it's not), and the borderline insane decision to make all numbers floats (with their inherent imprecision) Or as someone else has put it: Javascript is a shitshow of a language.
@@LeviForWaifu you sure? I did a quick search. There's at least 3 packages that check if a number is odd on npm. They're quite similar in that they perform a couple of checks that what you put in is actually a number and that it's somehow safe(?) to use. Then they return (n % 2) === 1, so apparently your line was already wrong in some cases. There's a reason why they had to invent === and that reason is JS is a terrible language that should've died a long time ago.
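The checks the two comments above describe, as an added example written for this thread (it is not the code of any npm package): a bare `n % 2` test next to a guarded isOdd/isEven that rejects non-integers and integers beyond Number.MAX_SAFE_INTEGER, plus a small function that returns the 2^53 behaviour mentioned above so it can be verified.

```javascript
// Added example, not code from the thread or from any published package.

// Bare check: what most people would write inline.
function isOddNaive(n) {
  return n % 2 === 1;
}

// Guarded check: reject anything that is not a finite integer inside the
// range where IEEE-754 doubles represent every integer exactly.
function isOdd(n) {
  if (typeof n !== 'number' || !Number.isInteger(n)) {
    throw new TypeError('expected an integer, got ' + typeof n);
  }
  if (!Number.isSafeInteger(n)) {
    throw new RangeError('value exceeds Number.MAX_SAFE_INTEGER and cannot be tested exactly');
  }
  // Math.abs handles negative odd numbers: -3 % 2 is -1, not 1.
  return Math.abs(n % 2) === 1;
}

function isEven(n) {
  return !isOdd(n);
}

// Returns the behaviours the thread mentions: the literals 2^53 and 2^53 + 1
// parse to the same double, so the "odd" literal tests as even.
function unsafeIntegerDemo() {
  const big = 9007199254740993; // rounded to 9007199254740992 (2^53) on parse
  return {
    collapses: 9007199254740992 === big,   // true
    naiveOdd: isOddNaive(big),             // false: the odd-looking literal reads as even
    naiveNegative: isOddNaive(-3),         // false: -3 % 2 === -1
    safeNegative: isOdd(-3),               // true
  };
}

// Wraps isOdd so a caller can see which guard fired for a given value.
function guardedResult(value) {
  try {
    return { ok: true, odd: isOdd(value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```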
Funny thing, this story leads into another story. After this whole fiasco happened with leftpad, NPM put in a new policy about unpublishing: if a package version was depended on by another package, that version can't be unpublished. A dev created a package called everything, which depended on every single NPM package. Since NPM had a limit of 800 dependencies per package, they created many subpackages to get past this, but they had no idea of the unpublishing rule, so since everything was dependent on... well... everything on NPM, and the subpackages were dependent on... everything... they accidentally disabled unpublishing for all of NPM. (I did a horrible job explaining this and left some things out; just look at a better video for a better explanation.)
Guess what's even more common and destructive? *The Cloud*™ comes crashing down to earth. Thanks to some managers calling Technical Debt *Software As A Service*™, each time Amazon, Google, or Microsoft do something dumb to their services, the entire internet breaks. The lesson's learned. Don't rely on a corporation or an 11 line package to do the work for you, unless necessary.
Have you not heard about node-ipc (yes, another Node.js library, what else?)? The guy literally added malware that destroyed people's files to it to protest the war in Ukraine - and Unity actually distributed that malware to its users.
This is why I write my own code... no matter how trivial, I hate using other people's libraries. I don't even like using the std or collection packages. I've written a dozen "list" templates; I just refuse to use the built-in ones. If I didn't code it, I cannot tell how much bloatware is involved, or safety, security, etc.
The Turkish programmer was totally in the right here. He made an NPM package with the name KIK and it's like creating an Instagram account with the name Google. If Google wanted that Instagram name, they should have offered him a hefty amount of money for it. NPM, by giving the name KIK to the company KIK, essentially did something like Facebook stealing someone's Instagram account named Google and giving it to the company Google. They totally shouldn't have done that. I am not surprised at all that the developer removed all his packages from NPM and it's probably what I would have done too. Also the "cache" has nothing to do with the Internet working for some people. NPM is a service that (among other things) allows you to download open source packages from their repository. The Turk removed it from NPM and therefore no one could download it anymore, but if some developer had already downloaded that package they would have it on their PC and their app would work just fine. It's when putting the new version of that app on the server that the trouble begins, because you'd need to download it from NPM once more, but again... if you already had that package downloaded you could just put the files from the PC on which you programmed said app onto the server which would host that app and everything would work just fine.
Yeah you can download it, but most developers, especially when doing a live build, purge their downloads and caches to update the packages to, I don't know, test things. The live versions were fine, they were already deployed. It was the developers doing full clean builds that had an issue.
@Cipheiz It varies depending on the country, as each country has different laws regarding these sorts of things. I admit that Google is a rather unique name, but a name like kik with only 3 letters is not that uncommon. Either way having legal rights to use any name does not give you exclusive rights to use an account with that name on any platform (like Instagram in the example above)
I freeze-framed during the dramatized chat at 2:16. Was that offer of $30.000 real? I mean, such money is big for a single developer, but pocket change for a large corporation. If that offer was real and Azer was serious about it, Kik should have accepted that, or at least negotiated that compensation.
The correction about why the websites themselves didnt break is not because of caching, it's just that they are already deployed with leftpad still working, and any changes made by npm will not touch the website, and they are not allowed to be deployed again when it cannot be built due to leftpad being missing (simply nobody gets to update their website).
Wanted to say something similar. To keep it short: the internet didn’t break.
This is correct. Packages are fetched during deployment. Package missing = fail. Sites deployed prior to the deletion of the npm package were not crippled (but would be during a subsequent release)
yep. if the build fails its never deployed
Your description of "deployed code" is also a suitable description of "cached code." Whatever. Caching is basically right.
@@jpaugh64 No it's not. It has nothing to do with the fact that some code was cached on the client side, nor does it have anything to do with a cache on the infra side. It's simply incorrect lol
So if all three parties half-apologized, that's like 1.5 full apologies, which is more than you usually get from this situation.
2/3 parties are at fault so there is still 0.5 apology less that the required number.
or if you're using JavaScript floating point math, 1.499999999999999998 apologies
@@tylerbreisacher5841 Except no, because 0.5 has an exact representation in binary
@@tylerbreisacher5841 yep, totally JS math. Not like its just another implementation of IEEE floats and has the same problems as every other language implementing floats. Nope, must be a JS thing.
@@tylerbreisacher5841 1.5 in binary is just 1.1, so there's no problem there
breaking literally everything by modifying a tiny bit of code is extremely accurate
I just delete this function that does nothing.
Error messages: allow us to introduce ourselves.
i am still learning so be nice please
i can vouch, can't tell you the amount of times i accidentally deleted something and then wondered why it doesn't work
if he really wanted to mess with people he should have just modified it by removing one of the brackets to make it so everything underneath it wasn't compiling. It would be a bit more annoying
yep ANYTHING
Even if the bit is useless.
The real crime here is that someone one day did an `npm install kik` and got some API client to some dumb messenger instead of whatever that package used to do. Name reassignment like that can have the exact same effect as the removal of leftpad did.
Except if you read NPM's blog post following this incident, they were very clear that when a package's ownership gets transferred, the new owner MUST increment the major version number, and the old owner's code will still exist on all of the same version numbers it did before. This means all existing kik-dependent code would download the same version it did before, and you'd have to explicitly ask it to download the new version which was a different package.
Not saying NPM was in the right, but they were trying to resolve the situation in a way where nobody's code would break.
That's perfectly pictured in xkcd 1172: every change breaks someone's workflow.
Yep. Especially for such short names it should've been first come first serve without a single question or doubt.
this is one of my biggest complaints about npm; they are a company who is ultimately in charge of a good chunk of the free internet. Thats an important note; NPM is a company, not just a repository (who is now owned by Microsoft). It's concerning to me, and i think an open alternative might be wise
It’s probably finnnneeee.
@@mechtechpotato4249 you say that now wait til 2025 when Microsoft is somehow claiming the rights to all of these packages and trying to charge royally fees
Edit: I meant royalty and could have sworn that's what I typed, oh well
@@TheDeadOfNight37 I think they've already learned from the Windows model that collecting and using user data is more valuable than selling physical copies of Windows. In a worst case scenario, I could see them using the same method here, adding a few lines of a code to an open source code to collect snippets of data, making it closed source, and then pretending like they haven't done anything, while they make millions/billions off more user data.
Yarn is *technically* open source but it's still kinda made by Facebook in 2016, a few months after this incident.. Coincidence? 😅
Well go ahead and be the open source dev to write npm from scratch. You'll see why this is an issue fairly quickly. Open source is time consuming with often little to no reward. Take it from a Linux user.
All this video did was make me lose respect for the NPM team for not only screwing over an open-source creator who clearly did nothing wrong and used the name WAY before Kik did, but screwed him over twice by reverting it back to published without the creator's consent.
Had it been a bigger package, it could also have been questionable legally. Did they still have the right to distribute his code after he unpublished?
...well, they probably did. They most likely wrote their TOS so they could do this, but it still leaves the question of this kind of TOS being enforceable.
Since it is such a small package, it probably won't have any copyright, but it's an interesting question nonetheless.
@@Yotanido It was copyrighted with an open-source license, so it was legal--the license explicitly gave anyone who wanted to permission to redistribute and/or modify the code. So totally legal, just kind of a dick move, but also a dick move for which there weren't any particularly good alternatives.
@@allankcrain the alternative was to not change the name of the other project
@@allankcrain The alternative was what NPM apparently ended up doing in the end: writing their own version of leftpad that was way more complicated than it had any right to be and using practices that looked good on paper but actually didn't contribute anything in practice.
@@blazernitrox6329 How is it even possible to complicate something as simple as adding spaces to a string?
as a programmer, let's take a second to appreciate the incredible amount of effort it takes to find such a short obscure package instead of writing 10 lines yourself.
There is a NPM package called “is-odd” that does exactly what you think it does.
It’s been downloaded like 30 million times and has like 2 million downloads a month 💀 💀 💀
The 2 hours you spend looking for them is much better than the 5 mins to write them
@@abdelbakiberkati Besides what @badscript said about package grouping, you might spend 5 minutes total writing the actual code, but that's ignoring the five hours you spend second guessing if what you just wrote might have some weird edge-case that breaks it. Instead of taking a package that's so widely used that if it was broken in some weird edge case, someone would have noticed by now.
You don't have to write it yourself: String.prototype.padStart
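Following up on the question above of how padding a string can take more than a line, here is an added example (not the left-pad package's code) with a hand-rolled leftPad next to `String.prototype.padStart`, covering the edge cases that both have to handle: non-string input, a numeric `0` pad character, a pad string longer than one character, an empty pad string, and a target length shorter than the input. It also goes one step past the thread with a code-point-aware variant, since both of the first two count UTF-16 code units.

```javascript
// Added example, not code from the thread or from the left-pad package.

// Hand-rolled version: stringify input and pad character, then build the
// padding one character at a time, cycling through a multi-character pad.
function leftPadManual(str, len, ch = ' ') {
  str = String(str);                // numbers and other values are stringified
  ch = String(ch);                  // 0 becomes '0' rather than being treated as falsy
  if (ch.length === 0) return str;  // nothing to pad with
  let padding = '';
  for (let i = str.length; i < len; i++) {
    padding += ch[(i - str.length) % ch.length];
  }
  return padding + str;
}

// Built-in version: padStart repeats and truncates the pad string itself,
// returns the input unchanged when it is already long enough, and does
// nothing for an empty pad string.
function leftPadBuiltin(str, len, ch = ' ') {
  return String(str).padStart(len, String(ch));
}

// Both functions above count UTF-16 code units, so an astral character such
// as an emoji already "uses up" two of the requested columns. This variant
// pads to a code-point count instead, which is closer to what a user sees.
function leftPadCodePoints(str, len, ch = ' ') {
  str = String(str);
  ch = String(ch);
  const width = Array.from(str).length;   // code points, not code units
  if (ch.length === 0 || width >= len) return str;
  return leftPadManual('', len - width, ch) + str;
}

// Returns true when the manual and built-in versions agree on a given input.
function agrees(str, len, ch) {
  return leftPadManual(str, len, ch) === leftPadBuiltin(str, len, ch);
}
```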
11 lines bro. i'll write 10 myself, but after that i'm outsourcing lmao
Just have to say, the explanation of NPM was comically on point. That's exactly how it works. Except this tower randomly decides to break down even when nothing is wrong because react@16.12.1 cannot be used with @types/react@16.2.2 for whatever reason
well of course not, @types packages define how the exported functions & classes should look. If you download react@16.12.1 which removed or changed feature X but @types/react@16.2.2 which has the old definition for feature X, you'll be in for a bad time.
@@unicodefox It would make sense. The issue is that I didn't even have TypeScript installed, nor was it a TypeScript project.
How did a types package end up there? No idea
@@unicodefox hush, you're making too much sense. Just join the bandwagon and bash JS because there can't possibly be a good reason why JS (and the surrounding ecosystem) is the way it is. Nooo... It must be boiled down to "JS bad, Other language good". Not like you're dealing with different platforms or anything
@@akatsukilevi If you don't use TypeScript, why do you have @types/react installed anyway? Unless it's a direct dependency, it's NEVER going to throw an error; worst case scenario you get a warning in your console from NPM. If your project was broken, it's probably a swallowed error somewhere else and nothing to do with the typedef.
@@fahadahaf Two words: Legacy codebase
I have no idea who coded that, I have no idea how that thing worked
Best day of my life was the day I nuked that git repo
As a web developer that doesn't regularly use NodeJS (what leftpad was used for) but is familiar with it, the people at my old work place turned it into a joke shortly after this.
Yo I'm like 15 yrs old but pretty interested in web development yk where I can learn smth about it?
@@unknownperson3842 w3 schools is a great place to start for html, css, and javascript
@@unknownperson3842 In Denmark, Web-developer is a degree after Computer Science. I'd suggest looking into getting a Computer Science degree, then building on top of that with Web-development :) Though, in my personal opinion, Web-development is little more than a degree unless you actually want to do frontend programming rather than backend :)
@@richledbetter2123 alright ty bro
nodejs is a joke
What's even more interesting about this is npm enacted a policy forbidding package creators from unpublishing a package with a certain number of downloads.
I'm not fully versed in the details but they made some sort of change to prevent this from happening
I have fewer than 1 friend in the World. That's right. Everybody disses me for making bad videos. I think they are perfect though. Who is right? My dissers or me? Which side are you on, dear sha
So wait, if you submit a package to NPM then, you're effectively giving up control of it down the road, entirely?
@@ChubiChan not really, you just can't remove it from npm.
but yeah npm is a company so don't expect them to be necessarily open source friendly
@@ChubiChan By open source standards, people can technically fork your code and have their own copy or version. You are essentially giving up control. However open source projects are licensed differently and there are a bunch of caveats to this.
@@ChubiChan Yeah, that was always the case. npm is a repository for open-source code only and has a very permissive license (Perl's "Artistic License 2.0"). Once you submit code, anyone can download it, distribute verbatim copies (as long as they include all copyright statements of the original), modify it, and even distribute modified copies (as long as the modifications are clearly described). They can also distribute compiled versions of either (as long as you give instructions on how to access the source code) and aggregated packages including that code as a component. They can even charge a distributor fee to do so. Moreover, the publisher relinquishes all patent claims to any part of their code.
Since your code is published under that license, you can't just revoke those permissions.
I am a node web developer. This Jenga tower analogy is accurate. I work for a huge company (60,000 employees) and we use react which uses hundreds of other packages that we have no idea what they are, so when one breaks it's a scramble
The only inaccuracy is that they put Java as more important than C++, fuck java
@@benjii_boi Companies don't pay you to look at every piece of code your project depends on
@@benjii_boi Hahahaha!
Wait you were serious? Let me even laugh harder
HAHAHAHHAAH!
@@benjii_boi my little kiddies here don't know about coding like us and usually use basic packages without even lookin at the codes that make them up, I think our galactic brains work harder than their basic programs which are made by people who don't even know what the program is made of. 😀
@@benjii_boi That's the unlucky part for you when trying to insult others and trying to put them down. Only because you are required to do so, it doesn't mean that others will be required to do so.
See the problem is that you assume that everything has to be the same way like you do.
But in reality most of the software written is not part of critical infrastructure like the niche example you pointed out.
My employer doesn't pay me to check the dependencies I put in. They pay me to add features or fix bugs. I can't achieve SLAs for my tickets if I have to check every line or every code block.
Even a dumb script kiddie would realize this fact :)
Guess it goes to show that you should be nice to everyone, because you never know who's propping the internet up on their back in their free time like Atlas keeping the sky from crashing into Earth.
yep. OpenSSL - literally the thing encrypting most of the internet - was developed by mostly 1 guy with 2k donations a year.
beautiful simile right here,
Atlas? Fake news. It's a huge goldfish.
so true, it's mostly furries, so remember to be nice to them even if you think they're weird
@@gayrights8315 One should be respectful and kind to anyone, furry or not, in the first place. That's just basic etiquette, isn't it?
Besides that, have we all forgotten the idea of the golden rule, which I'm quite sure was drilled into our heads from a young age if you had good parents/teachers, that is?
Not to mention, if we're supposed to accept people for who/what they are, isn't isolating/making fun of people because you think they're weird kinda the adverse intention? Plus, it could be reciprocated back, you could think what I do is weird, but I could think something you do is weird as well.
Additionally, from my time in the fandom, I've found most people join due to childhood trauma, e.g. parents divorcing/childhood abuse. Before you judge me or anyone else, furry or not, consider thinking, "what's happened in their life that they came out this way?"
Also, this wasn't meant to attack you or anyone. Just some thinking points. Please don't take my huge comment as provocative. Other than this section, the word "you" is just used in a general sense, meant to help explain a point. I sincerely hope this doesn't start a huge fight in the comments.
"Crashing like Bandicoots" is an expression I'll always use from now on
At my workplace someone built a crash logging system and called it "Bandicoot" :P
It took me way too long to get this joke. I think because his name was Crash and not Crashing.
Once i had a dream about watching one of your videos and it was about italian mice who kill other italian mice
@Best 🅥 Silence *b o t*
Yeah, fever dreams are bad.
@Best 🅥 a s m r s o a p
Average HAI video
Lol
I would say the npm explanation is pretty accurate, but did want to correct that people use packages not because they're lazy and don't want to write the code themselves, but there is a general understanding that being a good software engineer means you aren't rewriting what's already been written and figured out, it standardizes things and allows for easier updates across projects.
plus it can be more secure, i’d rather trust a package about cryptography made by people who actually know what they’re doing rather than smthn i throw together
After trying to code everything by myself, I realized that literally any medium sized coding related project is borderline impossible (if you're solo of course) without using other people's code.
You don't reinvent the wheel every time you need it not because you're lazy but because it's just stupid and time consuming to do.
Not in this case however
Not necessarily standardized, lol, but I get your point.
@@shawermusif if someone is so insistent on reinventing the wheel, they should code in binary with bitwise operations and create all sorts of stuff leading up to their program. After all, all these programming languages with built-in functions all trace back to someone making stuff with binary
This is why you should think about adding a dependency to your project
Yes, libraries are almost always better than stuff you write yourself, but this is 1 very easy function to just implement yourself and save a dependency.
or in this case, copy the code into your own program (yes, in this case it's legal; you may have to add the name of the original creator)
@@schwingedeshaehers yeah indeed if the license permits
The problem is that, while it's easy to replace something like leftpad for your own project, it's extremely expensive and more likely to add risk to not use a tool like babel or react, far more complex and valuable libraries with extremely active development and security analyses. Like this video said, applications that relied upon these more complex tools became dependent upon this very simple tool. In general, the pooled security is far more valuable and saves far more money in the long run than avoiding the occasional hiccups using open source projects. In general, having a few bad days each year is nothing compared to trying to recreate React.
left-pad isn't even the worst of it. There's packages that are literally a single line of code and they still get used. Everything surrounding JavaScript, including NPM is a total shitshow.
@@forgottenfamily just throwing this in there as someone with 19 years of CS experience, I've never used react or babel. I actively discourage react usage for anything other than hacks (or 'bodge's as Tom Scott puts it).
I run a site for an obscure, yet historically important 70s punk band called The Normals. Needless to say I get requests from various other "Normals" bands that want to use the site name. The funniest excuse they use for why I should give them the name is that "you're not doing anything with it" (meaning a band from the 70s hasn't put out a record recently). Which is like saying, "these Beatles guys haven't put out a record since the 70s, they don't deserve a presence on the web." They'd rather erase the legacy of others than to put in the mental effort to be more creative with their name (ironic coming from an artist).
I ultimately tell them "no", but I do check up on their band later. Not once has one of these bands ever done anything of note and they almost immediately disappear within a few years, and usually within a few months. So if I gave in to these demands, not only would they have themselves done nothing with the name, they also would have taken down a band that actually did do something with the name.
Great explanation, I only use python but I can imagine, if someone screwed around with numpy we'd all be doomed.
If someone screwed with numpy academia would collapse
Oh damn. That would be a NIGHTMARE holy crap.
50th like😉
See now that there is a worst case scenario.
How to kill all of machine learning and cryptography in one easy step!
If Kik didn't want to be dicks about it, they should have just said: hey dude, we'll win in court, but here's 1000 dollar for the name so we don't have to go through all that.
From what I recall, they DID offer to pay him for it but he rejected it on principled grounds. Fun fact, open source devs have a major grudge against big corporations. He basically told them to go f*** themselves, and kik, deciding what is one Turkish programmer against their billions of dollars, decided they could win and kept escalating.
That's basically what they did. I don't know if they put a dollar amount on it, but it was fairly clear that Azer wasn't open to negotiations.
@@ethanchapman1776 If the emails in the video were actually accurate, it looks like he offered to sell it for $30k, which Kik could have easily afforded.
@@ethanchapman1776 After Bob said "Is there nothing we can do for you that would compensate you for the hassle of changing the name?"
Azer replied with:
"Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks"
which is not entirely unreasonable. 3 letter domain names are in that price range +. Instead of trying to negotiate they escalated straight to npm support 5 minutes later.
Hey, this is our brand already, and for the clarity of recognition we’d like to use our own name just isn’t that unreasonable a request, and they clearly did offer money, he just wanted an absurd amount more than they were offering. Because open source bros are like that.
As a Software Development student, seeing C++ being built on top of Python in the animation almost gave me a heart attack
Everything is built on Java, don't you know?
@@jjpaq LMAAOOO
@@jjpaq Java compiles to JavaScript
It might not be exactly wrong, I wouldn't be surprised if there was some sort of compiler for C++ out there that installs using a Python script lol
same
This just goes to show that people who are mostly unseen can still have a huge impact on the world.
This. When people cite underrated, now I would cite this Turkish guy
Normally when someone makes a video about a topic I know a lot about, the best outcome is, “Well I mean I guess how you could describe it like that if you don’t know anything about it,” but honestly this was a really good explanation.
There was only one moment in the video where I thought, “Well I wouldn’t use that word here because it’s not technically accurate, but to be fair anyone who would be confused by it probably already knows what you mean anyway.”
which moment?
Duuuude
@@schwingedeshaehers NPM is for JavaScript only (someone in the comments said)
If you are so pedantic don't watch videos about this subject
So you're the guy who's not invited to parties that was mentioned in the video!
Amateur, I don’t even do anything to the code and it breaks
amateur, i dont code and it breaks
@@TheRatsintheWalls “it works on my machine”
This is a perfectly reasonable explanation of how NPM works, and suitable for the level of depth this channel demands, but if you want a nitpick for your anniversary mistakes videos, there's more than one package manager. NPM is the de facto standard package manager for JavaScript, which is what much of the Internet is built on, but the illustration at around the 1:20 mark shows other languages which would typically use different package managers. (And tell your animators not to worry about putting the Java logo in cases which are probably meant to be the JavaScript logo - they're different languages, but it's really our bad for letting marketers in the 90s decide to name the latter after the former.)
I was gonna say something about that image(!)
As a techie, you’re gonna have to be more specific. Which one? :P
But seriously, these sorts of things happen all the time. Turns out the internet is an incredibly shaky edifice all relying on a handful of projects run by a few guys in their spare time. Statistically speaking most of them are furries. Sorry, I don’t make the rules.
Yup. Most programmers are furries, trans people, autistic people, or all of the above.
As a wise man once said, "If a furry convention fell into a pit of lava, the world's IT capabilities would plummet into the stone age."
@@loonloon9365 I saw a tweet with a plane full of furries a while back and basically all the comments were about how this was a high risk concentration of critical individuals on one plane and how doomed we’d be if it went down.
@@AnimilesYT they really aren't.
source??? 🤣🤣🤣🤣🤣👎👎👎👎👎
Love it when big companies get their way even though they shouldn't
lessons of this story:
1) simplest npm packages must become part of the language itself
2) fuck npm for siding with corporation
I agree he took the name first
@@alexstone691 More than that, they STOLE from the dude. NPM publishing someone else's work against their wishes?
That's theft man
@@UmaROMC no, the code was published under a licence that allowed that before
@@UmaROMC All packages are published under a specific license. Most NPM packages (though not remotely all) including leftpad are using the MIT license. The MIT license is generally "do what you want, just don't blame me if something goes wrong". If the original versions were published under the MIT license, then NPM is fully licensed to republish it and it isn't theft. It might be disrespectful, but it's also disrespectful to cause billions of dollars of damage to the economy out of spite because two companies fucked you over (and no, that's not an exaggeration. If it had remained unpublished, it would have been that bad)
right?? how the fuck do you need any amount of code to pad a string? and here i thought JS was considered batteries-included.
For a company dealing in open source packages, it seems like this could've been avoided in a far more adult manner. Reserve _TM or something as a mandatory suffix for any package names claiming trademark. Then there's no dispute with existing package names. If there's already a kik_TM, that means some other douche canoe already claimed that highly creative collection of 3 letters. Shocking. Well, here's the registration contact info they gave us. Good luck!
Kik the package was probably around before Kik the website, so technically the developer could claim copyright in the space of code packages and Kik the company couldn't do shit about it.
@@drewjanus4643 Doubt the package predates the company. Both Kik the messenger and npm were released in 2010, roughly 8 months apart. Unless Kik the package just happened to be released on npm in that relatively short timeframe, Kik the company was first.
That's a great idea! In one country only. Also, in America, multiple companies or their products can have similar names as long as there's no chance of confusion. See also: Popeyes the fast food chain & Popeye the cartoon character.
Which one gets the single "official" slot in your scheme?
@@klfjoat Given we're talking very literal and specific strings of text, they both get what they want. popeyes gets with an s and popeye gets without. Simple.
@@klfjoat the one that’s a registered trademark, obviously. Go register Popeyes and let us know how that works out. While you’re at it, make the logo magenta. You’re not offering phone service so I’m sure T-mobile will be super chill about it.
Well, you'll need another video now- "The update which broke the IT infra"
Azer: makes kik
Kik, the messenger: Unfortunately, history will not see it that way.
"Too bad he (Azer) didn't put malwares into his packages instead." - Someone who likes to watch the world burn
Many spiteful devs have done this. From wiping hard drives of computers with Russian IPs to generating corrupted text instead of placeholders.
The problem with adding malware to code, even code you own, is that it's illegal in many countries. Had he actually done that, you can bet all sorts of "Governmental Suits" would have been banging on his door just as quickly as his code was reinstated. Just remember this: no matter how painful Corporate Suits can make your life, at least they can't legally kidnap you, chuck you in a hole somewhere, and forget about you.
No, pulling a Cartman by taking his coding ball away and going home was the best way to bring light to this. He was fully in his rights to do so, and it's not his problem that things broke.
You mean like the guy who made node-ipc? Yeah, that was a hella fun, huh?
@@rkvkydqf i think the event you are referring to was russian ip addresses, not keyboard layouts, no?
You know what would've been funny and more disruptive? If he made it 2 left spaces rather than 2.
That moment when C# and .NET are in a Jenga tower describing JavaScript packages. Ouch
And this is one of the reasons why I hate using dependencies. That doesn't mean I don't use them, I just hate myself for doing it.
There's always a relevant xkcd when it comes to kerfuffles like this one, and for this instance it's 2347.
A more recent example of this would be the gpsd bug last year, and there was also another one back when OpenSSL's Heartbleed issue came to light.
I was thinking of that xkcd the whole time!
Now we have xz to add to the pile!
As a programmer, your explanation as to why we use package managers is 110% accurate
This was genuinely hilarious to watch you explaining everything going to hell- and the fact that it only lasted 10 minutes
They lost at the second mail at "but" with "We don’t mean to be a dick about it, but [...] our trademark lawyers are going to be [...] taking down your accounts and stuff like that - and we’d have no choice [...] because you have to enforce trademarks [...]."
Oh the poor guys with loads of money for trademark lawyers had really no choice but to be dicks. 🤬
What gets me is "we don't mean to be dicks" "but you are being dicks" "wahhh help hes being abusive"
Let's not forget that McDonald's failed in court when they tried the same "just defending our trademark" attack on an Irish burger chain called Supermac's. Having a trademark doesn't give you priority.
@@AdrianColley That is a very different case, as Mac is a common name so a trademark based on it can only be applied very narrowly. Kik is not a common word and, as far as I can tell, has no meaning outside of internet slang, meaning as a trademark it can be applied much more widely.
I'm glad that I prefer to copy / paste, rather than use a package that has the same code.
Whenever you hear about big apps breaking, it always points back to either DNS or an NPM package. This is also why a centralized internet is not a good thing and why I miss the old days where literally 95% of the internet didn't rely on a single source of failure. NPM (really Github but actually Microsoft) could shut down tomorrow and the internet would be FUBAR.
*Laughs in native code*
Azer is my neighbor, he’s always bragging about how he literally single handedly broke the internet, but none of our friends really cared.
I wonder how he'd react if he saw this video.
what a chad
That makes two people named Azer who broke the internet (the other being the kid who appeared in those videos with Tara and Raven Your Acidbath Princess of the Darkness)
Tell him he shouldn't have apologized, he did nothing wrong, not his fault
Actually a really good explanation, speaking as a programmer myself
I was surprised by how extremely well he must have researched this. Everything seems on point to me.
You guys broadsided me with "crashing like bandicoots" hard lol there. Well done, well done.
The fact that so many dependencies relied on 11 lines of code is exactly what's wrong with the javascript ecosystem
You don't reinvent what people have figured out
@@hyoroemongaming569 It's just too simple for risking such a catastrophic event. The code for is-even is literally shorter than typing the name of the package (n%2==0) and it's still popular
You don't need to reinvent the wheel, but you don't need to import an ice cube from Antarctica.
I've been a web developer since… well, before anything like a package manager existed, and like the crusty old curmudgeonly Gen Xer I am, I have stubbornly refused to ever build anything that uses npm or anything like it. Sure I use plenty of open source code, but I don't build anything with dependencies in this way because it just *feels wrong* to me, and this is a pretty good overview of why that's the case.
It's a good example of why you should use a package manager that locks you to a specific version of a package, and doesn't update unnecessarily.
@@qwertyTRiG And even more, why you shouldn't use packages at all for exceedingly simple code you ought to be able to write yourself.
@@room34 Yes. To be honest, left pad seems like a strange thing to be that popular. (We write in PHP, and use Composer.)
Spot on, was a developer but never on websites. When I found out about the Jenga tower (nice image - thanks HAI) that is modern code I was horrified.
Disclaimer - I am a boring baby boomer and so totally out of touch and senile and still own a slide rule - but I am right, it deserves to break.
Replace "web developer" with "house builder" and "package manager" with "hardware store" and people will declare you insane.
And that's why every programmer who's using npm will tell you they hate npm
I hate npm
Yep. `node_modules` isn't some alien artifact, but the entire dependency graph for your project. And when you stop and ponder if some tiny library requires gigabytes of code to run, you realize just how broken this ecosystem is. Why is it not a thing with Python, Go, or C#, but gets so bad with NPM?
@Firstname Lastname deno is trying to solve the problem of shitty packages. If you feel comfortable with node you should try it, it's very refreshing
Also it's mostly out of convenience. If you're starting out, for example, it's easier to use the same language for both frontend and backend rather than learning an entire new ecosystem just to write one app, and besides, JS on the backend is actually pretty fast and scalable.
As someone studying computer science I can say the reason we use packages is exactly as you describe.
Worth noting that for JavaScript in particular, a lot of the packages required are just filling in for the lack of common utility functions in JS, especially older editions. So you end up with thousands of NPM packages that aren't really maintained or scrutinized that just provide basic utility that arguably should be included in the language (like how "left pad" now is)
This kind of story reminds me of two realities- one, that I am a clueless caveman, and two, the world built around me by the postmodern geniuses is all fairy dust and daydreams held together by baling wire and paper cups.
Not even duct tape.
Misread it as Elven and I was like, "That's so dope. Someone making the Internet snuck in a LOTR Easter egg and it's actually crucial to the internet working? Awesome."
Now my disappointment is immeasurable and my day is ruined.
0:03 this sounds absurd, but my device lagged at the exact point where he says: “broken the internet”.
'crashing like bandicoot' best phrase ever made by sam 4:01
2:55 "Much like this video, it didn't require any particular skill or brilliance to write" was the first time you said 'like' in the video, so it made the like button animation happen
I'm a web developer and I just want to say that the explanation of what NPM is and what it does is pretty good, considering it's a channel which makes semi-satirical semi-educational 5-10 minute videos with lots of outdated memes and unfunny jokes
The pain we get when the Jenga tower of borrowed code breaks is very real and not easy to solve at all
Except for the part you could easily spot the missing package, and since it was used freaking everywhere, you can just rebuild it from one of the millions of copies floating around on the Internet. Like it's 11 lines of code, just make your own package and have it locally.
2:56 “Much like this video…”
*Like button lights up*
NPM is so broken that it is astonishing that it pretty much underpins the modern internet.
some people are smart enough not to use it, same with the frameworks that go in and out of style
Npm is probably less broken than any package manager before it. You never had to live through rpm hell, for example
@@lztx that said, less broken is still - fundamentally - broken.
@@jeshweedleon3960 I'm a PHP/Perl developer. Broken is a way of life. 😂😓
python's pip sucks. conda sucks. i use gentoo's portage to manage my python dependencies (jk)
WebDev here: The “broke the Internet” part is _kinda_ true (used for comedic effect). Websites/services stayed online because it was the building/deployment of _new versions_ of those websites that would be failing (so basically what’s there is still there, but just *frozen into place* and unable to be _updated_ to a newer version) because the retrieval of the package from NPM would have failed during the build phase _prior_ to deployment to production, for example. So, caching (unless we’re talking about local caching of npm repos in the build systems) _probably_ had little to do with it.
TH-cam recommended this to me right after Crowdstrike.....
oh maaaan it's kinda exciting when a topic suggestion I made was picked! I'm almost sure I'm not the only one who suggested this and I forgot the name I typed on the sheet but I really wanted to see your take on this, thanks sam and adam who apparently wrote the vid!
It makes me furious when people confuse the web with the internet. Yes, the web is part of the internet, but it certainly isn’t the whole internet. There’s over 65k possible types of services that can utilize the internet, which includes e-mail (through a client, such as an e-mail app on your smartphone), P2P, FTP, VoIP, Minecraft servers, etc. None of these things would get affected by this.
deep web for the win
You assume these other things don't also use npm?
Anything using npm was hit hard by this.
@@gavros9636 Probably not. Mail clients may use javascript, but I wouldn't imagine that many mail servers do. Or FTP servers. Or most internet servers. In fact, not many web servers do either, except those using Node.
@@gavros9636 you wouldn't use Node for a production SMTP/IMAP/POP3 server, and certainly wouldn't use it for anything like centralized VOIP servers such as SIP. I've seen Minecraft Servers done in PHP, so I won't say anything about those. But the Internet as a whole does not run on NodeJS and NPM.
@@qwertyTRiG I think you'd be surprised and disappointed how many modern server-side things are written in JS.
If you paused and read the 3 articles you’ll read that NPM chose ‘kik’ over ‘kik’ because if a user requests npm kik, NPM wants said user to receive what they are most likely to receive, and due to kik being an app with 200 million users they are the most likely to be requested
It is just a casual break out of an open-source developer. As not everybody likes to not get paid and just do work for big companies without even getting a credit far from having a donation
The statement that developers just cobble together other people's code is spot on. It's like if everything in the world was made of Lego blocks, including Lego blocks.
funfact: JS already has a builtin padding function, but knowing how packages like is-true are downloaded every day, eh.
So it's a case of people not knowing the language they're paid to know well enough?
padStart wasn't added until ECMAScript 2017, and this happened in 2016
@@mikey9164 oh, my bad.
You summed up everything I hate about web development in a 5 minute video... I've been doing this for over 20 years... The industry is full of stupidity. I worked on a ONE PAGE WEBSITE APPLICATION that used somewhere near 500mb of libraries... THINK THAT OVER, IT'S INSANE.
As someone studying computer science and becoming a tech nerd, this video was very helpful.
Here's something they won't teach you in school that’ll be valuable to you : *Register your copyrights.*
@@NinjaRunningWild Exactly.
Umm one thing about this is incorrect. You claim that they kept working due to caches. Noooo. Prior builds don’t just suddenly break. So even if it wasn’t cached, the current product version is unharmed. Any project that has left pad as a transitive dependency would just simply be unable to find it and therefore break. But to claim that every time a user goes to a site it compiles and builds is awful lmao
Yeah you'd be surprised that there are idiots that design sites that do that...they usually fail for obvious reasons though.
"caching" is doing a lot of heavy lifting here.
It's reasons like this why other big package repositories (e.g. NuGet) do not allow packages to be fully 'unpublished', but they can be 'unlisted'. The difference is subtle, but it means people who are already using a package can continue using it when it becomes unlisted, however new people searching for it will not be able to find it in search. Since Microsoft (owns NuGet) also purchased npm in 2020, they've implemented a similar strategy for popular npm packages with a high number of downloads.
I remember this well. It basically shut down the startup I worked at which was awesome since we couldn't work so I didn't have to do anything
You forgot to mention the Georgian grandmother who broke the internet for all of Armenia.
the grandmother was also Armenian. her name was Hayastan Shakarian. “Hayastan” literally means “Armenia” in Armenian
This is known in the biz as "Dependency hell."
No, really.
"Crashing like bandicoots", I see you HAI.
0:12 you forgot the Armenian grandma
None of you realize that literally the whole internet might be reliant on some little project a small coder might be thanklessly maintaining.
Holy crap he's talking about something I regularly use in my day job!
If architects built buildings like programmers design code, the first woodpecker that comes along would destroy civilization.
Best part, the package, for which they had to take away the name from an innocent open source dev for no reason, is now removed because it contained malicious code. gj npm...
Kik gets mentioned
Omegle bros: "You know, i'm something of a scientist myself"
Me hearing a package was unpublished: "Meh, how bad could it be?"
Me hearing the package was left-pad: Eyes widen and with the gravitas of a scientist in a 70s disaster film, "Dear God."
And I thought the whole Log4j thing was bad. I mean, it is bad, really bad. But this damn thing (left-pad) is so far down on the stack... *shudders* (And yes, I know Java and JavaScript aren't the same things. But still.)
This reminds me of something that happened during my days as a systems programmer in the 1980s. IBM's OS/370 had a function called GETMAIN, which allocated memory to a user on demand. It had a security problem, because it didn't clear the memory, so users could theoretically peek into each other's code and data (same problem with hard drive space allocation today, which is why Bleachbit; it's also similar to some hacker exploits). So one of our guys wrote some code to fix it. Unfortunately, he didn't get it quite right, because if the amount of memory was an exact multiple of 256, it cleared one extra byte. For a long time, no-one noticed it, until it caused one of my programs to crash, taking our system and all its users down with it.
Based.
Everyone uses packages. You make it sound like it's lazy. It's good to reuse code
Yep. It's especially true for things like cryptography and rendering. If you end up writing it without any prior qualification, you'll get a barely working mess. Reusing code is good.
depends on the context though, here node was implied. node devs are notorious for using hundreds of small packages they don't really need and could write themselves in minutes.
@@gab8169 one gets malware'd or deleted and the house of cards crumbles
@@gab8169 Yeah, most of his commentary on the subject earlier in the video was definitely mostly just him being coy, but with leftpad specifically? Yeah, he ain't wrong about laziness there. It's a ridiculously simple function, it probably takes more time to find, download, and include it than it does to literally just code it yourself.
I don't think the quote that it was "lazy" was said in any real seriousness, to be fair.
That said, I'd agree with reusing code, up to a point - don't reinvent the wheel, and save that time to do better things!
Also don't forget about a similar thing that happened recently with Marak Squires' faker.js and colors.js. He didn't want fortune 500 companies using his code for free, so he corrupted those files
Whoa I actually knew about this, it's a very interesting topic imo
As a Python programmer I'm amazed Leftpad is as many as 11 lines of code. That's, like, 7 more than is necessary.
I know, right?
'hello'.rjust(10)
Discord App imports a library just to check if a number is even or odd.
Modern coders everyone.
Wouldn't be necessary if JavaScript wasn't such a shitshow of a language.
It always depends on how safe you want your code to be for unexpected inputs (especially if the users can enter stuff). In Javascript you don't have static types, so you first might want to make sure that what you are checking is a (whole) number. Then you have the problem that very large numbers in Javascript aren't exact anymore (9007199254740992 is equal to 9007199254740993 and 9007199254740993%2 is 0). So, especially in very large and complex enterprise applications you might want to protect against those cases and fail gracefully instead of hard/invisibly. And that is exactly what isOdd/isEven are doing.
@@I25mI25 This boils down to two problems: Javascript's duck-typing (or whatever they call the horrible type system where everything is an object until it's not), and the borderline insane decision to make all numbers floats (with their inherent imprecision) Or as someone else has put it: Javascript is a shitshow of a language.
@@jfolz lmfao
If (num % 2 ==0) true
Else false
It's literally that simple with JVM/JS/PY/C and with machine code it's even shorter
@@LeviForWaifu you sure? I did a quick search. There's at least 3 packages that check if a number is odd on npm. They're quite similar in that they perform a couple of checks that what you put in is actually a number and that it's somehow safe(?) to use. Then they return (n % 2) === 1, so apparently your line was already wrong in some cases.
There's a reason why they had to invent === and that reason is JS is a terrible language that should've died a long time ago.
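The precision problem described above (9007199254740993 silently becoming 9007199254740992, so a bare `n % 2` gives the wrong parity) and the extra validation the is-odd/is-even style packages do, as an added example that is not code from the video or from any npm package; `naiveIsEven`, `safeIsEven` and `safeIsOdd` are names chosen here:

```javascript
// Added example: why an "is-even" helper in JavaScript does more than `n % 2 === 0`.
// JS numbers are IEEE-754 doubles, so integers above 2^53 cannot all be represented
// and the parity test runs on a rounded value without any error being raised.

// The naive check most commenters would write.
function naiveIsEven(n) {
  return n % 2 === 0;
}

// Hardened check modelled on the validation the thread describes: reject
// non-numbers, non-integers and integers outside the safe range instead of
// silently answering on a rounded value.
function safeIsEven(value) {
  if (typeof value !== 'number' || Number.isNaN(value)) {
    throw new TypeError('expected a number');
  }
  if (!Number.isInteger(value)) {
    throw new RangeError('expected an integer');
  }
  if (!Number.isSafeInteger(value)) {
    throw new RangeError('value exceeds Number.MAX_SAFE_INTEGER');
  }
  return value % 2 === 0;
}

// Negation avoids the `(n % 2) === 1` pitfall: in JS, -3 % 2 is -1, not 1.
function safeIsOdd(value) {
  return !safeIsEven(value);
}

// Runs the naive check on inputs that JS coerces instead of rejecting.
// Constructed sample inputs; the comment column is the naive result.
function naiveEdgeCases() {
  return {
    nullInput: naiveIsEven(null),       // true  (null coerces to 0)
    stringInput: naiveIsEven('4'),      // true  ('4' coerces to 4)
    fractional: naiveIsEven(2.5),       // false (2.5 % 2 is 0.5)
    negativeOdd: (-3 % 2) === 1,        // false (-3 % 2 is -1)
  };
}

// The literal 9007199254740993 is rounded to 2^53 at parse time, so the naive
// check calls an odd number even; the safe check refuses to answer.
function demonstratePrecisionLoss() {
  const a = 9007199254740992;
  const b = 9007199254740993; // rounds to 9007199254740992
  let safeRejected = false;
  try {
    safeIsEven(b);
  } catch (e) {
    safeRejected = e instanceof RangeError;
  }
  return {
    sameValue: a === b,            // true
    naiveSaysEven: naiveIsEven(b), // true, although 9007199254740993 is odd
    safeRejected,                  // true
  };
}
```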
How are people so lazy, they add a dependency just so they don't have to write 10 lines of code. I am honestly disgusted by modern programmers.
Sam breaks the internet.
@Best 🅥
Say bye to your account, bot
Funny thing, this story leads into another story. After this whole fiasco happened with leftpad, NPM put in a new policy about unpublishing, that if a package version was depended on by another package, that version can't be unpublished. A dev created a package called everything, which depended on every single NPM package, but also since NPM had a limit of 800 dependencies per package, so they created many subpackages to get past this, but they had no idea of the unpublishing rule so since everything was dependent on.. well.. everything on NPM, and the subpackages were dependent on.. everything.. they accidentally disabled unpublishing for all of NPM.. (i did a horrible job explaining this and left some things out.. just look at a better video for a better explanation.)
hahahah! I hadn't connected the two stories yet
I'm surprised this doesn't happen more often xD
It does happen quite often. Sometimes packages that are widely used get updated with malware, infecting tons of developer PCs and servers.
Guess what's even more common and destructive? *The Cloud*™ comes crashing down to earth. Thanks to some managers calling Technical Debt *Software As A Service"™, each time Amazon, Google, or Microsoft do something dumb to their services, the entire internet breaks.
The lesson's learned. Don't rely on a corporation or an 11 line package to do the work for you, unless necessary.
Have you not heard about node-ipc (yes, another Node.js library, what else?)? The guy literally added malware that destroyed people's files to it to protest the war in Ukraine - and Unity actually distributed that malware to its users.
This doesn't surprise me lol, you can break huge projects with a single character
Actually a pretty decent explanation of NPM. Good job Sam and team!
Make a video about Quantum Physics
Yes it would be Fun to watch that.
Yes it would be Fun
This is why I write my own code....no matter how trivial, I hate using other people's libraries. I don't even like using the std or collection packages, I've written a dozen "list" templates, I just refuse to use the built-in ones. If I didn't code it, I cannot tell how much bloatware is involved, or safety, security, etc.
The Turkish programmer was totally in the right here. He made an NPM package with the name KIK and it's like creating an Instagram account with the name Google. If Google wanted that Instagram name, they should have offered him a hefty amount of money for it. NPM by giving the name KIK to the company KIK essentially did something like Facebook stealing someone's Instagram account named Google and giving it to the company Google. They totally shouldn't have done that.
I am not surprised at all that the developer removed all his packages from NPM and it's probably what I would have done too. Also the "cache" has nothing to do with the Internet working for some people. NPM is a service that (among other things) allows you to download open source packages from their repository, the Turk removed it from NPM and therefore no one could download it anymore, but if some developer has already downloaded that package they would have it on their PC and their app would work just fine. It's when putting the new version of that app on the server that the trouble begins, because you'd need to download it from NPM once more, but again... if you already had that package downloaded you could just put the files from your PC on which you programmed said app onto the server which would host that app and everything would work just fine.
Yeah you can download it, but most developers especially when doing a live build purge their downloads and caches to update the packages to, I don't know, test things. The live versions were fine, they were already deployed. It was the developers doing full clean builds that had an issue.
@Cipheiz It varies depending on the country, as each country has different laws regarding these sorts of things. I admit that Google is a rather unique name, but a name like kik with only 3 letters is not that uncommon. Either way having legal rights to use any name does not give you exclusive rights to use an account with that name on any platform (like Instagram in the example above)
@@Xershade That's exactly what I was trying to explain
Moral right, but not legal right. And moral right doesn't matter in court.
You actually can't use the name "Google" because it has been trademarked. Probably, KIK also had a trademark on their company name.
"Crashing like Bandicoots".
I don't know why that's hilarious to me.
I freeze-framed during the dramatized chat at 2:16.
Was that offer of $30.000 real?
I mean. Such money is big for a single developer, but pocketchange for a large corporation.
If that offer was real and Azer was serious about it, Kik should have accepted that, or at least negotiated that compensation.
So much work went into this video, that I watched and will never think about again for the rest of my life.
npm actually stands for "npm is not an acronym", not "node package manager", which i think is a 100% better acronym
Yet another form of dependency hell basically.
TURKIYE BREAKS INTERNET BECAUSE TURKIYE NUMBER ONE