THE BLOG

How 17 Lines of Code Took Down Silicon Valley's Hottest Startups

03/24/2016 12:31 am ET | Updated Mar 25, 2016

Yesterday at 2:35 PST, one developer clicked one button on a site that broke the codebase of some of the hottest startups in the country.

Rewinding a little bit, a few weeks ago a developer named Azer Koçulu got an email from a patent lawyer asking him to remove one of his open source project from NPM, a directory of Open Source JavaScript code that is used by most JavaScript developers.

Azer wasn't interested in taking the project down and told the lawyer he wouldn't comply.

Ultimately, the lawyer won, convincing NPM to transfer ownership of the Open Source code. While the one project that was transferred wasn't a huge incident, Azer decided to remove all of his work from NPM. He talked about the experience on his medium profile.

This includes one package called left-pad, which happened to have a single file that was exactly 17 lines of code.

Silicon Valley startups are a hotbed of using the state of the art JavaScript tooling. Companies like AirBnB, Netflix, ProductHunt, Facebook and a lot more are using ReactJS. And most are using two other technologies too: WebPack and Babel.

It turns out, in order for Babel-dependent applications to work...left-pad, this silly 17 lines of code, needed to be in NPM. Immediately, tens (if not hundreds) of thousands of developers would be unable to run the command to install their application on any machine.

Laurie Voss, founder of NPM, took to Twitter to explain what the heck was going on.

A ton of developers weren't happy about the situation that had just transpired. They looked toward the open source community and accused NPM of being run in an irresponsible way.

2016-03-23-1458754309-5181470-ScreenShot20160323at1.30.29PM.png

But the fact is, only 42 minutes after the initial report a GitHub user posted a viable work-around for the problem:

2016-03-23-1458754345-4351913-ScreenShot20160322at8.57.09PM.png

And only a minute after that, the contributors at Babel announced that a new version of Babel had been released as an emergency hotfix, allowing projects to work again.

2016-03-23-1458754370-9255113-ScreenShot20160322at8.58.14PM.png

Shortly after this transpired, a new user came to the rescue and uploaded the package back to NPM, fixing the problem. Laurie Voss updated everyone on the situation.

And developers have taken to twitter on the hashtag to discuss the #NPMGate debacle.

Overall though, it is an amazing story about how open source developers, who don't know each other and are perfect strangers, banded together in a remarkably fast time frame to repair the state of the open source community.

The NPM modules have since been hijacked.

The saga now known as #NPMgate goes on.

This post originally appeared on Medium.

CONVERSATIONS