@@tylerbreisacher5841 yep, totally JS math. Not like its just another implementation of IEEE floats and has the same problems as every other language implementing floats. Nope, must be a JS thing.
The correction about why the websites themselves didnt break is not because of caching, it's just that they are already deployed with leftpad still working, and any changes made by npm will not touch the website, and they are not allowed to be deployed again when it cannot be built due to leftpad being missing (simply nobody gets to update their website).
This is correct. Packages are fetched during deployment. Package missing = fail. Sites deployed prior to the deletion of the npm package were not crippled (but would be during a subsequent release)
@@jpaugh64 No it's not. It has nothing to do with the fact that some code was cached on the client side, nor does it have anything to do with a a cache on the infra side. It's simply incorrect lol
if he really wanted to mess with people he should have just modified it by removing one of the brackets to make it so everything underneat it wasnt compiling, It would be a bit more annoying
The real crime here is that someone one day did an `npm install kik` and got some API client to some dumb messenger instead of whatever that package used to do. Name reassignment like that can have the exact same effect as the removal of leftpad did.
Except if you read NPM's blog post following this incident, they were very clear that when a package's ownership gets transferred, the new owner MUST increment the major version number, and the old owner's code will still exist on all of the same version numbers it did before. This means all existing kik-dependent code would download the same version it did before, and you'd have to explicitly ask it to download the new version which was a different package. Not saying NPM was in the right, but they were trying to resolve the situation in a way where nobody's code would break.
this is one of my biggest complaints about npm; they are a company who is ultimately in charge of a good chunk of the free internet. Thats an important note; NPM is a company, not just a repository (who is now owned by Microsoft). It's concerning to me, and i think an open alternative might be wise
@@mechtechpotato4249 you say that now wait til 2025 when Microsoft is somehow claiming the rights to all of these packages and trying to charge royally fees Edit: I meant royalty and could have sworn that's what I typed, oh well
@@TheDeadOfNight37 I think they've already learned from the Windows model that collecting and using user data is more valuable than selling physical copies of Windows. In a worst case scenario, I could see them using the same method here, adding a few lines of a code to an open source code to collect snippets of data, making it closed source, and then pretending like they haven't done anything, while they make millions/billions off more user data.
Well go ahead and be the open source dev to write npm from scratch. You'll see why this is an issue fairly quickly. Open source is time consuming with often little to no reward. Take it from a Linux user.
as a programmer, let's take a second to appreciate the incredible amount of effort it takes to find such a short obscure package instead of writing 10 lines yourself.
There is a NPM package called “is-odd” that does exactly what you think it does. It’s been downloaded like 30 million times and has like 2 million download a month 💀 💀 💀
@@abdelbakiberkati Besides what @badscript said about package grouping, you might spend 5 minutes total writing the actual code, but that's ignoring the five hours you spend second guessing if what you just wrote might have some weird edge-case that breaks it. Instead of taking a package that's so widely used that if it was broken in some weird edge case, someone would have noticed by now.
Just have to say, the explanation of NPM was comically on point. That's, exactly how it works. Except this tower randomly decides to break down even when nothing is wrong because react@16.12.1 cannot be used with @types/react@16.2.2 for whatever reason
well of course not, @types packages define how the exported functions & classes should look like. If you download react@16.12.1 which removed or changed feature X but @types/react@16.2.2 which has the old definition for feature X, you'll be in for a bad time.
@@unicodefox It would make sense. The issue is that I didn't even had typescript installed, nor was a typescript project How a types package ended up there? No idea
@@unicodefox hush, you're making too much sense. Just join the bandwagon and bash JS because there can't possibly be a good reason why JS (and the surrounding ecosystem) is the way it is. Nooo... It must be boiled down to "JS bad, Other language good". Not like you're dealing with different platforms or anything
@@akatsukilevi If you don't use TypeScript, why do you have @types/react installed anyway? unless its a direct dependency, its NEVER going to throw an error; worst case scenario you get a warning in your console from NPM. If your project was broken, its probably a swallowed error somewhere else and nothing to do with the typedef.
@@fahadahaf Two words: Legacy codebase I have no idea who coded that, I have no idea how that thing worked Best day of my life was the day I nuked that git repo
Whats even more interesting about this, is npm enacted a policy forbidding package creators from unpublishing a package with a certain number of downloads. I'm not fully versed in the details but they made some sort of change to prevent this from happening
I have fewer than 1 friend in the World. That's right. Everybody disses me for making bad videos. I think they are perfect though. Who is right? My dissers or me? Which side are you on, dear sha
@@ChubiChan By open source standards, people can technically fork your code and have their own copy or version. You are essentially giving up control. However open source projects are licensed differently and there are a bunch of caveats to this.
@@ChubiChan Yeah, that was always the case. npm is a repository for open-source code only and has a very permissive license (Perl's "Artistic License 2.0"). Once you submit code, anyone can download it, distribute verbatim copies (as long as they include all copyright statements of the original), modify it, and even distribute modified copies (as long as the modifications are clearly described). They can also distribute compiled versions of either (as long as you give instructions on how to access the source code) and aggregated packages including that code as a component. They can even charge a distributor fee to do so. Moreover, the publisher relinquishes all patent claims to any part of their code. Since your code is published under that license, you can't just revoke those permissions.
As a web developer that doesn't regularly use NodeJS (what leftpad was used for) but is familiar with it, the people at my old work place turned it into a joke shortly after this.
@@unknownperson3842 In Denmark, Web-developer is a degree after Computer Science. I'd suggest looking into getting a Computer Science degree, then building on top of that with Web-development :) Though, in my personal opinion, Web-development is little more than a degree unless you actually want to do frontend programming rather than backend :)
All this video did was make me lose respect for the NPM team for not only screwing over an open-source creator who clearly did nothing wrong and used the name WAY before Kik did, but screwed him over twice by reverting it back to published without the creator's consent.
Had it been a bigger package, it could also have been questionable legally. Did they still have the right to distribute his code after he unpublished? ...well, they probably did. They most likely wrote their TOS so they could do this, but it still leaves the question of this kind of TOS being enforceable. Since it is such a small package, it probably won't have any copyright, but it's an interesting question nonetheless.
@@Yotanido It was copyrighted with an open-source license, so it was legal--the license explicitly gave anyone who wanted to permission to redistribute and/or modify the code. So totally legal, just kind of a dick move, but also a dick move for which there weren't any particularly good alternatives.
@@allankcrain The alternative was what NPM apparently ended up doing in the end: writing their own version of leftpad that was way more complicated than it had any right to be and using practices that looked good on paper but actually didn't contribute anything in practice.
Guess it goes to show that you should be nice to everyone, because you never know whose propping the internet up on their back in their free time like Atlas keeping the sky from crashing into Earth.
@@gayrights8315 One should be respectful and kind to anyone, furry or not, in the first place. That's just basic etiquette, isn't it? Besides that, have we all forgotten the idea of the golden rule, which I'm quite sure was drilled into our heads from a young age if you had good parents/teachers, that is? Not to mention, if we're supposed to accept people for who/what they are, isn't isolating/making fun of people because you think they're weird kinda the adverse intention? Plus, it could be reciprocated back, you could think what I do is weird, but I could think something you do is weird as well. Additionally, from my time in the fandom, I've found most people join due to childhood trauma, e.g. parents divorcing/childhood abuse. Before you judge me or anyone else, furry or not, consider thinking, "what's happened in their life that they came out this way?" Also, this wasn't meant to attack you or anyone. Just some thinking points. Please don't take my huge comment as provocative. Other than this section, the word "you" is just used in a general sense, meant to help explain a point. I sincerely hope this doesn't start a huge fight in the comments.
I am a node web developer. This Jenga tower analogy is accurate. I work for a huge company (60,000 employees) and we use react which uses hundreds of other packages that we have no idea what they are, so when ome breaks its a scramble
@@benjii_boi my little kiddies here don't know about coding like us and usually use basic packages without even lookin at the codes that make them up, I think our galactic brains work harder than their basic programs which are made by people who don't even know what the program is made of. 😀
@@benjii_boi That's the unlucky part for you when trying to insult others and trying to put them down. Only because you are required to do so, it doesn't mean that others will be required to do so. See the problem is that you assume that everything has to be the same way like you do. But in reality most of the software written is not part of critical infrastructure like the niche example you pointed out. My employer doesn't pay me to check the depencies i put in. They pay me to add features or fix bugs. I can't achive SLAs for my tickets if i have to check every line or every code block. Even a dumb script kiddie would realize this fact :)
I would say the npm explanation is pretty accurate, but did want to correct that people use packages not because they're lazy and don't want to write the code themselves, but there is a general understanding that being a good software engineer means you aren't rewriting what's already been written and figured out, it standardizes things and allows for easier updates across projects.
plus it can be more secure, i’d rather trust a package about cryptography made by people who actually know what they’re doing rather than smthn i throw together
After trying to code everything by myself, I realized that literally any medium sized coding related project is borderline impossible(if you're solo of course) without using other peoples code. You don't reinvent the wheel every time you need it not because you're lazy but because it's just stupid and time consuming to do.
@@shawermusif someone is so insistent on reinventing the wheel. They should code in binary with bitwise operation and creating all sort of stuff leading up to their programmed. After all, all these programming languages with built in functions all trace back to someone was making stuff with binary
I run a site for an obscure, yet historically important 70s punk band called The Normals. Needless to say I get requests from various other "Normals" bands that want to use the site name. The funniest excuse they use for why I should give them the name is that "you're not doing anything with it" (meaning a band from the 70s hasn't put out a record recently). Which is like saying, "these Beatles guys haven't put out a record since the 70s, they don't deserve a presence on the web." They'd rather erase the legacy of others than to put in the mental effort to be more creative with their name (ironic coming from an artist). I ultimately tell them "no", but I do check up on their band later. Not once has one of these bands ever done anything of note and they almost immediately disappear within a few years, and usually within a few months. So if I gave in to these demands, not only would they have themselves done nothing with the name, they also would have taken down a band that actually did do something with the name.
This is why you should think about adding a dependency to your project Yes libraries are almost always better then stuff you write yourself but this is 1 very easy function to just implement yourself and save a dependency.
The problem is that, while it's easy to replace something like leftpad for your own project, it's extremely expensive and more likely to add risk to not use a tool like babel or react, far more complex and valuable libraries with extremely active development and security analyses. Like this video said, applications that relied upon these more complex tools became dependent upon this very simple tool. In general, the pooled security is far more valuable and saves far more money in the long run than avoiding the occasional hiccups using open source projects. In general, having a few bad days each year is nothing compared to trying to recreate React.
left-pad isn't even the worst of it. There's packages that are literally a single line of code and they still get used. Everything surrounding JavaScript, including NPM is a total shitshow.
@@forgottenfamily just throwing this in there as someone with 19 years of CS experience, I've never used react or babel. I actively discourage react usage for anything other than hacks (or 'bodge's as Tom Scott puts it).
Normally when someone makes a video about a topic I know a lot about, the best outcome is, “Well I mean I guess how you could describe it like that if you don’t know anything about it,” but honestly this was a really good explanation. There was only one moment in the video where I thought, “Well I wouldn’t use that word here because it’s not technically accurate, but to be fair anyone who would be confused by it probably already knows what you mean anyway.”
If Kik didn't want to be dicks about it, they should have just said: hey dude, we'll win in court, but here's 1000 dollar for the name so we don't have to go through all that.
From what I recall, they DID offer to pay him for it but he rejected it on principled grounds. Fun fact, open source devs have a major grudge against big corporations. He basically told them to go f*** themselves, and kik, deciding what is one turkish programmer against their billions of dollars, decided they could win and kept escalating.
@@ethanchapman1776 If the emails in the video were actually accurate, it looks like he offered to sell it for $30k, which Kik could have easily afforded.
@@ethanchapman1776 After Bob said "Is there nothing we can do for you that would compensate you for the hassle of changing the name?" Azer replied with: "Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks" which is not entirely unreasonable. 3 letter domain names are in that price range +. Instead of trying to negotiate they escalated straight to npm support 5 minutes later.
Hey, this is our brand already, and for the clarity of recognition we’d like to use our own name just isn’t that unreasonable a request, and they clearly did offer money, he just wanted an absurd amount more than they were offering. Because open source bros are like that.
This is a perfectly reasonable explanation of how NPM works, and suitable for the level of depth this channel demands, but if you want a nitpick for your anniversary mistakes videos, there's more than one package manager. NPM is the de facto standard package manager for JavaScript, which is what much of the Internet is built on, but the illustration at around the 1:20 mark shows other languages which would typically use different package managers. (And tell your animators not to worry about putting the Java logo in cases which are probably meant to be the JavaScript logo - they're different languages, but it's really our bad for letting marketers in the 90s decide to name the latter after the former.)
The problem with adding malware to code, even code you own, is illegal in many countries. Had he actually done that, you can bet all sorts of "Governmental Suits" would have been banging on his door just as quickly as his code was reinstated. Just remember this, no matter how painful Corporate Suits can make your life, at least they can't legally kidnap you, chuck you in a hole somewhere, and forget about you. No, pulling a Cartman by taking his coding ball away and going home was the best way to bring light to this. He was fully in his rights to do so, and it's not his problem that things broke.
For a company dealing in open source packages, it seems like this could've been avoided in a far more adult manner. Reserve _TM or something as a mandatory suffix for any package names claiming trademark. Then there's no dispute with existing package names. If there's already a kik_TM, that means some other douche canoe already claimed that highly creative collection of 3 letters. Shocking. Well, here's the registration contact info they gave us. Good luck!
Kik the package was probably around before Kik the website so technically the development could claim copyright in the space of code packages and Kik the company couldn't do shit about it.
@@drewjanus4643 Doubt the package predates the company. Both Kik the messenger and npm were released in 2010, roughly 8 months apart. Unless Kik the package just happened to be released on npm in that relatively short timeframe, Kik the company was first.
That's a great idea! In one country only. Also, in America, multiple companies or their products can have similar names as long as there's no chance of confusion. See also: Popeyes the fast food chain & Popeye the cartoon character. Which one gets the single "official" slot in your scheme?
@@klfjoat Given we're talking very literal and specific strings of text, they both get what they want. popeyes gets with an s and popeye gets without. Simple.
@@klfjoatthe one that’s a registered trademark, obviously. Go register Popeyes and let us know how that works out. While you’re at it, make the logo magenta. You’re not offering phone service so I’m sure T-mobile will be super chill about it.
There's always a relevant xkcd when it comes to kerfuffles like this one, and for this instance it's 2347. A more recent example of this would be the gpsd bug last year, and there was also another one back when OpenSSL's Heartbleed issue came to light.
They lost at the second mail at "but" with "We don’t mean to be a dick about it, but [...] our trademark lawyers are going to be [...] taking down your accounts and stuff like that - and we’d have no choice [...] because you have to enforce trademarks [...]." Oh the poor guys with loads of money for trademark lawyers had really no choice but to be dicks. 🤬
Let's not forget that McDonald's failed in court when they tried the same "just defending our trademark" attack on an Irish burger chain called Supermac's. Having a trademark doesn't give you priority.
@@AdrianColley That is a very different case as Mac is a common name so a trademark based on it can only be applied very narrowly, Kik is not a common word and as far I can tell has no meaning outside of internet slang meaning as a trademark it can be applied much more widely.
Whenever you hear about big apps breaking, it always points back to either DNS or an NPM package. This is also why a centralized internet is not a good thing and why I miss the old days where literally 95% of the internet didn't rely on a single source of failure. NPM (really Github but actually Microsoft) could shut down tomorrow and the internet would be FUBAR.
Worth noting that for JavaScript in particular, a lot of the packages required are just filling in for the lack of common utility functions in JS, especially older editions. So you end up with thousands of NPM packages that aren't really maintained or scrutinized that just provide basic utility that arguably should be included in the language (like how "left pad" now is)
As a techie, you’re gonna have to be more specific. Which one? :P But seriously, these sorts of things happen all the time. Turns out the internet is an incredibly shaky edifice all relying on a handful of projects run by a few guys in their spare time. Statistically speaking most of them are furries. Sorry, I don’t make the rules.
@@loonloon9365 I saw a tweet with a plane full of furries a while back and basically all the comments were about how this was a high risk concentration of critical individuals on one plane and how doomed we’d be if it went down.
I've been a web developer since… well, before anything like a package manager existed, and like the crusty old curmugeonly Gen Xer I am, I have stubbornly refused to ever build anything that uses npm or anything like it. Sure I use plenty of open source code, but I don't build anything with dependencies in this way because it just *feels wrong* to me, and this is a pretty good overview of why that's the case.
Spot on, was a developer but never on websites. When I found out about the Jenga tower (nice image - thanks HAI) that is modern code I was horrified. Disclaimer - I am a boring baby boomer and so totally out of touch and senile and still own a sliderule - but I am right, it deserves to break.
@@hyoroemongaming569 It's just too simple for risking such a catastrophic event. The code for is-even is literally shorter than typing the name of the package (n%2==0) and it's still popular You don't need to reinvent the wheel, but you don't need to import an ice cube from Antarctica.
oh maaaan it's kinda exciting when a topic suggestion I made was picked! I'm almost sure I'm not the only one who suggested this and I forgot the name I typed on the sheet but I really wanted to see your take on this, thanks sam and adam who apparently wrote the vid!
@@UmaROMC All packages are published under a specific license. Most NPM packages (though not remotely all) including leftpad are using the MIT license. The MIT license is generally "do what you want, just don't blame me if something goes wrong". If the original versions were published under the MIT license, then NPM is fully licensed to republish it and it isn't theft. It might be disrespectful, but it's also disrespectful to cause billions of dollars of damage to the economy out of spite because two companies fucked you over (and no, that's not an exaggeration. If it had remained unpublished, it would have been that bad)
The statement that developers just cobble together other people's code is spot on. It's like if everything in the world was made of Lego blocks, including Lego blocks.
This kind of story reminds me of two realities- one, that I am a clueless caveman, and two, the world built around me by the postmodern geniuses is all fairy dust and daydreams held together by baling wire and paper cups.
WebDev here: The “broke the Internet” part is _kinda_ true (used for comedic effect). Websites/services stayed online because it was the building/deployment of _new versions_ of those websites that would be failing (so basically what’s there is still there, but just *frozen into place* and unable to be _updated_ to a newer version) because the retrieval of the package from NPM would have failed during the build phase _prior_ to deployment to production, for example. So, caching (unless we’re talking about local caching of npm repos in the build systems) _probably_ had little to do with it.
Misread it as Elven as I was like, "That's so dope. Someone making the Internet snuck in a LOTR Easter egg and it's actually crucial to the internet working? Awesome." Now my disappointment is immeasurable and my day is ruined.
That makes two people named Azer who broke the internet (the other being the kid who appeared in those videos with Tara and Raven Your Acidbath Princess of the Darkness)
It is just a casual break out of an open-source developer. As not everybody likes to not get paid and just do work for big companies without even getting a credit far from having a donation
2:55 "Much like this video, it didn't require any particular skill or brilliance to write" was the first time you said 'like' in the video, so it made the like button animation happen
It's reasons like this why other big package repositories (e.g. NuGet) do not allow packages to be fully 'unpublished', but they can be 'unlisted'. The difference is subtle, but it means people who are already using a package can continue using it when it becomes unlisted, however new people searching for it will not be able to find it in search. Since Microsoft (owns NuGet) also purchased npm in 2020, they've implemented a similar strategy for popular npm packages with a high number of downloads.
If you paused and read the 3 articles you’ll read that NPM chose ‘kik’ over ‘kik’ because if a user request npm kik NPM wants said user to receive what they are most likely to receive and due to kik being an app with 200 million users they are the most likely to be requested
You summed up everything I hate about web development in a 5 minute video... I've been doing this for over 20 years... The industry is full of stupidity. I worked on a ONE PAGE WEBSITE APPLICATION that used somewhere near 500mb of libraries... THINK THAT OVER, IT'S INSANE.
I'm a web developer and I just want to say that the explanation of what NPM is and what it does is pretty good, considering it's a channel which makes semi-satirical semi-educational 5-10 minute videos with lots of outdated memes and unfunny jokes The pain we get when the Jenga tower of borrowed code breaks is very real and not easy to solve at all
Except for the part you could easily spot the missing package, and since it was used freaking everywhere, you can just rebuild it from one of the millions of copies floating around on the Internet. Like it's 11 lines of code, just make your own package and have it locally.
Yep. `node_modules` isn't some alien artifact, but the entire dependency graph for your project. And when you stop and ponder if some tiny library requires gigabytes of code to run, you realize just how broken this ecosystem is. Why is it not a thing with Python, Go, or C#, but gets so bad with NPM.
@Firstname Lastname deno is trying to solve the problem of shitty packages. If you feel comfortable with node you should try it, it's very refreshing Also it's mostly out of convinience. If you're starting out for example it's easier to use the same language for both frontend and backend rather than learning an entire new ecosystem just to write one app and besides js on backend is actually pretty fast and scalable
It makes me furious when people confuse the web with the internet. Yes, web is part of the internet, but it certainly isn’t the whole internet. There’s over 65k possible types of services that can utilze the internet, which includes e-mail (through a client, such as an e-mail app on your smartphone), P2P, FTP, VoIP, Minecraft servers, etc. None of these things would get affected by this.
@@gavros9636 Probably not. Mail clients may use javascript, but I wouldn't imagine that many mail servers do. Or FTP servers. Or most internet servers. In fact, not many web servers do either, except those using Node.
@@gavros9636 you wouldn't use Node for a production SMTP/IMAP/POP3 server, and certainly wouldn't use it for anything like centralized VOIP servers such as SIP. I've seen Minecraft Servers done in PHP, so I won't say anything about those. But the Internet as a whole does not run on NodeJS and NPM.
Umm one thing about this is incorrect. You claim that they kept working due to caches. Noooo. Prior builds don’t just suddenly break. So even if it wasn’t cashed, the current product version is unharmed. Any project that has left pad as a transitive dependency would just simply be un able to find it and therefore break. But they claim that every time a user goes to a site it compiles and builds is awful lmao
It always depends on how safe you want your code to be for unexpected inputs (especially if the users can enter stuff). In Javascript you don't have static types, so you first might want to make sure that what you are checking is a (whole) number. Then you have the problem that very large numbers in Javascript aren't exact anymore (9007199254740992 is equal to 9007199254740993 and 9007199254740993%2 is 0). So, especially in very large and complex enterprise applications you might want to protect against those cases and fail gracefully instead of hard/invisibly. And that is exactly what isOdd/isEven are doing.
@@I25mI25 This boils down to two problems: Javascript's duck-typing (or whatever they call the horrible type system where everything is an object until it's not), and the borderline insane decision to make all numbers floats (with their inherent imprecision) Or as someone else has put it: Javascript is a shitshow of a language.
@@LeviForWaifu you sure? I did a quick search. There's at least 3 packages that check if a number is odd on npm. They're quite similar in that they perform a couple of checks that what you put in is actually a number and that it's somehow safe(?) to use. Then they return (n % 2) === 1, so apparently your line was already wrong in some cases. There's a reason why they had to invent === and that reason is JS is a terrible language that should've died a long time ago.
It's stuff like this that really makes me realize I honestly have no clue what the heck the internet really even is, only that is usually there and working
Best part, the package, for which they had to take away the name from an innocnet open source dev for no reason, is now removed because it contained malicious code. gj npm...
Also don't forget about a similar thing that happened recently with Marak Squires' faker.js and colors.js. He didn't want fortune 500 companies using his code for free, so he corrupted those files
Me hearing a package was unpublished: "Meh, how bad could it be?" Me hearing the package was left-pad: Eyes widen and with the gravitas of a scientist in a 70s disaster film, "Dear God." And I thought the whole Log4j thing was bad. I mean, it is bad, really bad. But this damn thing (left-pad) is so far down on the stack... *shudders* (And yes, I know Java and JavaScript aren't the same things. But still.)
Yep. It's especially true for things like cryptography and rendering. If you end up writing it without any prior qualification, you'll get a barely working mess. Reusing code is good.
depends on the context though, here node was implied. node devs are notorious for using hundreds of small packages they don't really need and could write themselves in minutes.
@@gab8169 Yeah, most of his commentary on the subject earlier in the video was definitely mostly just him being coy, but with leftpad specifically? Yeah, he ain't wrong about laziness there. It's a ridiculously simple function, it probably takes more time to find, download, and include it than it does to literally just code it yourself.
I don't think the quote that it was "lazy" was said in any real seriousness, to be fair. That said, I'd agree with reusing code, up to a point - don't reinvent the wheel, and save that time to do better things!
I remember that day. It was glorious. I had spent like 6 months trying to convince my company to download packages and host them ourselves and no one saw the benefit. Then this happened and guess who got his on site package hosting the same week.
Literally as this video ended my WiFi dropped out and I can signed out of youtube on my TV and can't get it to sign back in. What are you doing Sam I've been a loyal viewer for years now!?
Guess what's even more common and destructive? *The Cloud*™ comes crashing down to earth. Thanks to some managers calling Technical Debt *Software As A Service"™, each time Amazon, Google, or Microsoft do something dumb to their services, the entire internet breaks. The lesson's learned. Don't rely on a corporation or an 11 line package to do the work for you, unless necessary.
Have you not heard about node-ipc (yes, another Node.js library, what else?)? The guy literally added malware that destroyed people's files to it to protest the war in Ukraine - and Unity actually distributed that malware to its users.
So if all three parties half-apologized, that's like 1.5 full apologies, which is more than you usually get from this situation.
2/3 parties are at fault so there is still 0.5 apology less that the required number.
or if you're using JavaScript floating point math, 1.499999999999999998 apologies
@@tylerbreisacher5841 Except no, because 0.5 has an exact representation in binary
@@tylerbreisacher5841 yep, totally JS math. Not like its just another implementation of IEEE floats and has the same problems as every other language implementing floats. Nope, must be a JS thing.
@@tylerbreisacher5841 1.5 in binary is just 1.1, so there's no problem there
The correction about why the websites themselves didnt break is not because of caching, it's just that they are already deployed with leftpad still working, and any changes made by npm will not touch the website, and they are not allowed to be deployed again when it cannot be built due to leftpad being missing (simply nobody gets to update their website).
Wanted to say something similar. To keep it short: the internet didn’t break.
This is correct. Packages are fetched during deployment. Package missing = fail. Sites deployed prior to the deletion of the npm package were not crippled (but would be during a subsequent release)
yep. if the build fails its never deployed
Your description of "deployed code" is also a suitable description of "cached code." Whatever. Caching is basically right.
@@jpaugh64 No it's not. It has nothing to do with the fact that some code was cached on the client side, nor does it have anything to do with a a cache on the infra side. It's simply incorrect lol
breaking literally everything by modifying a tiny bit of code is extremely accurate
I just delete this function that does nothing.
Error messages: allow us to introduce our selves.
i am still learning so be nice please
i can vouch, can't tell you the amount of times i accidentally deleted something and then wondering why it doesn't work
if he really wanted to mess with people he should have just modified it by removing one of the brackets to make it so everything underneat it wasnt compiling, It would be a bit more annoying
yep ANYTHING
Even if the bit is useless.
The real crime here is that someone one day did an `npm install kik` and got some API client to some dumb messenger instead of whatever that package used to do. Name reassignment like that can have the exact same effect as the removal of leftpad did.
Except if you read NPM's blog post following this incident, they were very clear that when a package's ownership gets transferred, the new owner MUST increment the major version number, and the old owner's code will still exist on all of the same version numbers it did before. This means all existing kik-dependent code would download the same version it did before, and you'd have to explicitly ask it to download the new version which was a different package.
Not saying NPM was in the right, but they were trying to resolve the situation in a way where nobody's code would break.
That's perfectly pictured in xkcd 1172: every change breaks someone's workflow.
Yep. Especially for such short names it should've been first come first serve without a single question or doubt.
this is one of my biggest complaints about npm; they are a company who is ultimately in charge of a good chunk of the free internet. Thats an important note; NPM is a company, not just a repository (who is now owned by Microsoft). It's concerning to me, and i think an open alternative might be wise
It’s probably finnnneeee.
@@mechtechpotato4249 you say that now wait til 2025 when Microsoft is somehow claiming the rights to all of these packages and trying to charge royally fees
Edit: I meant royalty and could have sworn that's what I typed, oh well
@@TheDeadOfNight37 I think they've already learned from the Windows model that collecting and using user data is more valuable than selling physical copies of Windows. In a worst case scenario, I could see them using the same method here, adding a few lines of a code to an open source code to collect snippets of data, making it closed source, and then pretending like they haven't done anything, while they make millions/billions off more user data.
Yarn is *technically* open source but it's still kinda made by Facebook in 2016, a few months after this incident.. Coincidence? 😅
Well go ahead and be the open source dev to write npm from scratch. You'll see why this is an issue fairly quickly. Open source is time consuming with often little to no reward. Take it from a Linux user.
as a programmer, let's take a second to appreciate the incredible amount of effort it takes to find such a short obscure package instead of writing 10 lines yourself.
There is a NPM package called “is-odd” that does exactly what you think it does.
It’s been downloaded like 30 million times and has like 2 million download a month 💀 💀 💀
The 2 hours you spend looking for them is much better than the 5 mins to write them
@@abdelbakiberkati Besides what @badscript said about package grouping, you might spend 5 minutes total writing the actual code, but that's ignoring the five hours you spend second guessing if what you just wrote might have some weird edge-case that breaks it. Instead of taking a package that's so widely used that if it was broken in some weird edge case, someone would have noticed by now.
You don't have to write it yourself: String.prototype.padStart
11 lines bro. i'll write 10 myself, but after that i'm outsourcing lmao
Just have to say, the explanation of NPM was comically on point. That's, exactly how it works. Except this tower randomly decides to break down even when nothing is wrong because react@16.12.1 cannot be used with @types/react@16.2.2 for whatever reason
well of course not, @types packages define how the exported functions & classes should look like. If you download react@16.12.1 which removed or changed feature X but @types/react@16.2.2 which has the old definition for feature X, you'll be in for a bad time.
@@unicodefox It would make sense. The issue is that I didn't even had typescript installed, nor was a typescript project
How a types package ended up there? No idea
@@unicodefox hush, you're making too much sense. Just join the bandwagon and bash JS because there can't possibly be a good reason why JS (and the surrounding ecosystem) is the way it is. Nooo... It must be boiled down to "JS bad, Other language good". Not like you're dealing with different platforms or anything
@@akatsukilevi If you don't use TypeScript, why do you have @types/react installed anyway? unless its a direct dependency, its NEVER going to throw an error; worst case scenario you get a warning in your console from NPM. If your project was broken, its probably a swallowed error somewhere else and nothing to do with the typedef.
@@fahadahaf Two words: Legacy codebase
I have no idea who coded that, I have no idea how that thing worked
Best day of my life was the day I nuked that git repo
Whats even more interesting about this, is npm enacted a policy forbidding package creators from unpublishing a package with a certain number of downloads.
I'm not fully versed in the details but they made some sort of change to prevent this from happening
I have fewer than 1 friend in the World. That's right. Everybody disses me for making bad videos. I think they are perfect though. Who is right? My dissers or me? Which side are you on, dear sha
So wait, if you submit a package to NPM then, you're effectively giving up control of it down the road, entirely?
@@ChubiChan not really, you just can't remove it from npm.
but yeah npm is a company so don't expect them to be necessary open source friendly
@@ChubiChan By open source standards, people can technically fork your code and have their own copy or version. You are essentially giving up control. However open source projects are licensed differently and there are a bunch of caveats to this.
@@ChubiChan Yeah, that was always the case. npm is a repository for open-source code only and has a very permissive license (Perl's "Artistic License 2.0"). Once you submit code, anyone can download it, distribute verbatim copies (as long as they include all copyright statements of the original), modify it, and even distribute modified copies (as long as the modifications are clearly described). They can also distribute compiled versions of either (as long as you give instructions on how to access the source code) and aggregated packages including that code as a component. They can even charge a distributor fee to do so. Moreover, the publisher relinquishes all patent claims to any part of their code.
Since your code is published under that license, you can't just revoke those permissions.
As a web developer that doesn't regularly use NodeJS (what leftpad was used for) but is familiar with it, the people at my old work place turned it into a joke shortly after this.
Yo I'm like 15 yrs old but pretty interested in web developening yk where I can learn smth about it?
@@unknownperson3842 w3 schools is a great place to start for html, css, and javascript
@@unknownperson3842 In Denmark, Web-developer is a degree after Computer Science. I'd suggest looking into getting a Computer Science degree, then building on top of that with Web-development :) Though, in my personal opinion, Web-development is little more than a degree unless you actually want to do frontend programming rather than backend :)
@@richledbetter2123 alright ty bro
nodejs is a joke
All this video did was make me lose respect for the NPM team for not only screwing over an open-source creator who clearly did nothing wrong and used the name WAY before Kik did, but screwed him over twice by reverting it back to published without the creator's consent.
Had it been a bigger package, it could also have been questionable legally. Did they still have the right to distribute his code after he unpublished?
...well, they probably did. They most likely wrote their TOS so they could do this, but it still leaves the question of this kind of TOS being enforceable.
Since it is such a small package, it probably won't have any copyright, but it's an interesting question nonetheless.
@@Yotanido It was copyrighted with an open-source license, so it was legal--the license explicitly gave anyone who wanted to permission to redistribute and/or modify the code. So totally legal, just kind of a dick move, but also a dick move for which there weren't any particularly good alternatives.
@@allankcrain the alternative where to not change the name of the other projekt
@@allankcrain The alternative was what NPM apparently ended up doing in the end: writing their own version of leftpad that was way more complicated than it had any right to be and using practices that looked good on paper but actually didn't contribute anything in practice.
@@blazernitrox6329 How is it even possible to complicate something as simple as adding spaces to a string?
"Crashing like Bandicoots" is an expression I'll always use from now on
At my workplace someone built a crash logging system and called it "Bandicoot" :P
It took me way too long to get this joke. I think because his name was Crash and not Crashing.
Guess it goes to show that you should be nice to everyone, because you never know whose propping the internet up on their back in their free time like Atlas keeping the sky from crashing into Earth.
yep. OpenSSL - literally the thing encrypting most of the internet - was developed by mostly 1 guy with 2k donations a year.
beautiful simile right here,
Atlas? Fake news. It's a huge goldfish.
so true, it's mostly furries, so remember to be nice to them even if you think they're weird
@@gayrights8315 One should be respectful and kind to anyone, furry or not, in the first place. That's just basic etiquette, isn't it?
Besides that, have we all forgotten the idea of the golden rule, which I'm quite sure was drilled into our heads from a young age if you had good parents/teachers, that is?
Not to mention, if we're supposed to accept people for who/what they are, isn't isolating/making fun of people because you think they're weird kinda the adverse intention? Plus, it could be reciprocated back, you could think what I do is weird, but I could think something you do is weird as well.
Additionally, from my time in the fandom, I've found most people join due to childhood trauma, e.g. parents divorcing/childhood abuse. Before you judge me or anyone else, furry or not, consider thinking, "what's happened in their life that they came out this way?"
Also, this wasn't meant to attack you or anyone. Just some thinking points. Please don't take my huge comment as provocative. Other than this section, the word "you" is just used in a general sense, meant to help explain a point. I sincerely hope this doesn't start a huge fight in the comments.
I am a node web developer. This Jenga tower analogy is accurate. I work for a huge company (60,000 employees) and we use react which uses hundreds of other packages that we have no idea what they are, so when ome breaks its a scramble
The only innacuracy is that they put Java as more important than C++, fuck java
@@benjii_boi Companies don't pay you to look at every piece of code your project depends on
@@benjii_boi Hahahaha!
Wait you were serious? Let me even laugh harder
HAHAHAHHAAH!
@@benjii_boi my little kiddies here don't know about coding like us and usually use basic packages without even lookin at the codes that make them up, I think our galactic brains work harder than their basic programs which are made by people who don't even know what the program is made of. 😀
@@benjii_boi That's the unlucky part for you when trying to insult others and trying to put them down. Only because you are required to do so, it doesn't mean that others will be required to do so.
See the problem is that you assume that everything has to be the same way like you do.
But in reality most of the software written is not part of critical infrastructure like the niche example you pointed out.
My employer doesn't pay me to check the depencies i put in. They pay me to add features or fix bugs. I can't achive SLAs for my tickets if i have to check every line or every code block.
Even a dumb script kiddie would realize this fact :)
Once i had a dream about watching one of your videos and it was about italian mice who kill other italian mice
@Best 🅥 Silence *b o t*
Yeah, fever dreams are bad.
@Best 🅥 a s m r s o a p
Average HAI video
Lol
I would say the npm explanation is pretty accurate, but did want to correct that people use packages not because they're lazy and don't want to write the code themselves, but there is a general understanding that being a good software engineer means you aren't rewriting what's already been written and figured out, it standardizes things and allows for easier updates across projects.
plus it can be more secure, i’d rather trust a package about cryptography made by people who actually know what they’re doing rather than smthn i throw together
After trying to code everything by myself, I realized that literally any medium sized coding related project is borderline impossible(if you're solo of course) without using other peoples code.
You don't reinvent the wheel every time you need it not because you're lazy but because it's just stupid and time consuming to do.
Not in this case however
Not necessarily standardized, lol, but I get your point.
@@shawermusif someone is so insistent on reinventing the wheel. They should code in binary with bitwise operation and creating all sort of stuff leading up to their programmed. After all, all these programming languages with built in functions all trace back to someone was making stuff with binary
This just goes to show that people who are mostly unseen can still have a huge impact on the world.
This. When people cite underrated, now I would cite this turkish guy
I run a site for an obscure, yet historically important 70s punk band called The Normals. Needless to say I get requests from various other "Normals" bands that want to use the site name. The funniest excuse they use for why I should give them the name is that "you're not doing anything with it" (meaning a band from the 70s hasn't put out a record recently). Which is like saying, "these Beatles guys haven't put out a record since the 70s, they don't deserve a presence on the web." They'd rather erase the legacy of others than to put in the mental effort to be more creative with their name (ironic coming from an artist).
I ultimately tell them "no", but I do check up on their band later. Not once has one of these bands ever done anything of note and they almost immediately disappear within a few years, and usually within a few months. So if I gave in to these demands, not only would they have themselves done nothing with the name, they also would have taken down a band that actually did do something with the name.
This is why you should think about adding a dependency to your project
Yes libraries are almost always better then stuff you write yourself but this is 1 very easy function to just implement yourself and save a dependency.
or in this case, copy the code into your one program (yes, is in this case legally, you may have to add the name of the original creator)
@@schwingedeshaehers yeah indeed if the license permits
The problem is that, while it's easy to replace something like leftpad for your own project, it's extremely expensive and more likely to add risk to not use a tool like babel or react, far more complex and valuable libraries with extremely active development and security analyses. Like this video said, applications that relied upon these more complex tools became dependent upon this very simple tool. In general, the pooled security is far more valuable and saves far more money in the long run than avoiding the occasional hiccups using open source projects. In general, having a few bad days each year is nothing compared to trying to recreate React.
left-pad isn't even the worst of it. There's packages that are literally a single line of code and they still get used. Everything surrounding JavaScript, including NPM is a total shitshow.
@@forgottenfamily just throwing this in there as someone with 19 years of CS experience, I've never used react or babel. I actively discourage react usage for anything other than hacks (or 'bodge's as Tom Scott puts it).
Normally when someone makes a video about a topic I know a lot about, the best outcome is, “Well I mean I guess how you could describe it like that if you don’t know anything about it,” but honestly this was a really good explanation.
There was only one moment in the video where I thought, “Well I wouldn’t use that word here because it’s not technically accurate, but to be fair anyone who would be confused by it probably already knows what you mean anyway.”
which moment?
Duuuude
@@schwingedeshaehers NPM is only for JavaScript only (someone in the comment said)
If you are so pedantic don't watch videos about this subject
So you're the guy who's not invited to parties that was mentioned in the video!
Great explenation, I only use python but I can imagine, if someone screwed around with numpy we'd all be doomed.
If someone screwed with numpy academia would collapse
Oh damn. That would be a NIGHTMARE holy crap.
50th like😉
See now that there is a worst case scenario.
How to kill all of machine learning and cryptography in one easy step!
If Kik didn't want to be dicks about it, they should have just said: hey dude, we'll win in court, but here's 1000 dollar for the name so we don't have to go through all that.
From what I recall, they DID offer to pay him for it but he rejected it on principled grounds. Fun fact, open source devs have a major grudge against big corporations. He basically told them to go f*** themselves, and kik, deciding what is one turkish programmer against their billions of dollars, decided they could win and kept escalating.
That's basically what they did. I don't know if they put a dollar amount on it, but it was fairly clear that Azer wasn't open to negotiations.
@@ethanchapman1776 If the emails in the video were actually accurate, it looks like he offered to sell it for $30k, which Kik could have easily afforded.
@@ethanchapman1776 After Bob said "Is there nothing we can do for you that would compensate you for the hassle of changing the name?"
Azer replied with:
"Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks"
which is not entirely unreasonable. 3 letter domain names are in that price range +. Instead of trying to negotiate they escalated straight to npm support 5 minutes later.
Hey, this is our brand already, and for the clarity of recognition we’d like to use our own name just isn’t that unreasonable a request, and they clearly did offer money, he just wanted an absurd amount more than they were offering. Because open source bros are like that.
As a Software Development student, seeing C++ being built on top of Python in the animation almost gave me a heart attack
Everything is built on Java, don't you know?
@@jjpaq LMAAOOO
@@jjpaq Java compiles to JavaScript
It's might not be exactly wrong, I wouldn't be surprised if there was some sort of compiler for C++ out there that installs using a Python script lol
same
Amateur, I don’t even do anything to the code and it breaks
amateur, i dont code and it breaks
@@TheRatsintheWalls “it works on my machine”
This is a perfectly reasonable explanation of how NPM works, and suitable for the level of depth this channel demands, but if you want a nitpick for your anniversary mistakes videos, there's more than one package manager. NPM is the de facto standard package manager for JavaScript, which is what much of the Internet is built on, but the illustration at around the 1:20 mark shows other languages which would typically use different package managers. (And tell your animators not to worry about putting the Java logo in cases which are probably meant to be the JavaScript logo - they're different languages, but it's really our bad for letting marketers in the 90s decide to name the latter after the former.)
I was gonna say something about that image(!)
Love it when big companies get their way even though they shouldn't
"Too bad he (Azer) didn't put malwares into his packages instead." - Someone who likes to watch the world burn
Many spitful devs have done this. From wiping hard drives of computers with Russian IPs to generating corrupted text instead of placeholders.
The problem with adding malware to code, even code you own, is illegal in many countries. Had he actually done that, you can bet all sorts of "Governmental Suits" would have been banging on his door just as quickly as his code was reinstated. Just remember this, no matter how painful Corporate Suits can make your life, at least they can't legally kidnap you, chuck you in a hole somewhere, and forget about you.
No, pulling a Cartman by taking his coding ball away and going home was the best way to bring light to this. He was fully in his rights to do so, and it's not his problem that things broke.
You mean like the guy who made node-ipc? Yeah, that was a hella fun, huh?
@@rkvkydqf i think the event you are referring to was russian ip addresses, not keyboard layouts, no?
You know what would've been funny and more distruptive? If he made it 2 left spaces rather than 2.
That moment when C# and .NET are in a Jenga tower describing JavaScript packages. Ouch
I'm glad that I prefer to copy / paste, rather than use a package that has the same code.
This was genuinely hilarious to watch you explaining everything going to hell- and the fact that it only lasted 10 minutes
For a company dealing in open source packages, it seems like this could've been avoided in a far more adult manner. Reserve _TM or something as a mandatory suffix for any package names claiming trademark. Then there's no dispute with existing package names. If there's already a kik_TM, that means some other douche canoe already claimed that highly creative collection of 3 letters. Shocking. Well, here's the registration contact info they gave us. Good luck!
Kik the package was probably around before Kik the website so technically the development could claim copyright in the space of code packages and Kik the company couldn't do shit about it.
@@drewjanus4643 Doubt the package predates the company. Both Kik the messenger and npm were released in 2010, roughly 8 months apart. Unless Kik the package just happened to be released on npm in that relatively short timeframe, Kik the company was first.
That's a great idea! In one country only. Also, in America, multiple companies or their products can have similar names as long as there's no chance of confusion. See also: Popeyes the fast food chain & Popeye the cartoon character.
Which one gets the single "official" slot in your scheme?
@@klfjoat Given we're talking very literal and specific strings of text, they both get what they want. popeyes gets with an s and popeye gets without. Simple.
@@klfjoatthe one that’s a registered trademark, obviously. Go register Popeyes and let us know how that works out. While you’re at it, make the logo magenta. You’re not offering phone service so I’m sure T-mobile will be super chill about it.
You guys broadsided me with "crashing like bandicoots" hard lol there. Well done, well done.
Azer: makes kik
Kik, the messenger: Unfortunately, history will not see it that way.
There's always a relevant xkcd when it comes to kerfuffles like this one, and for this instance it's 2347.
A more recent example of this would be the gpsd bug last year, and there was also another one back when OpenSSL's Heartbleed issue came to light.
I was thinking of that xkcd the whole time!
Now we have xz to add to the pile!
As a programmer, your explanation as to why we use package managers is 110% accurate
They lost at the second mail at "but" with "We don’t mean to be a dick about it, but [...] our trademark lawyers are going to be [...] taking down your accounts and stuff like that - and we’d have no choice [...] because you have to enforce trademarks [...]."
Oh the poor guys with loads of money for trademark lawyers had really no choice but to be dicks. 🤬
What gets me is "we don't mean to be dicks" "but you are being dicks" "wahhh help hes being abusive"
Let's not forget that McDonald's failed in court when they tried the same "just defending our trademark" attack on an Irish burger chain called Supermac's. Having a trademark doesn't give you priority.
@@AdrianColley That is a very different case as Mac is a common name so a trademark based on it can only be applied very narrowly, Kik is not a common word and as far I can tell has no meaning outside of internet slang meaning as a trademark it can be applied much more widely.
Well, you'll need another video now- "The update which broke the IT infra"
Actually a really good explanation, speaking as a programmer myself
I was suprised by how extremely well he must have researched this. Everything seems on point to me.
And this is one of the reasons why I hate using dependencies. That doesn't mean I don't use them, I just hate myself for doing it.
As someone studying computer science I can say the reason we use packages is exactly as you describe.
Whenever you hear about big apps breaking, it always points back to either DNS or an NPM package. This is also why a centralized internet is not a good thing and why I miss the old days where literally 95% of the internet didn't rely on a single source of failure. NPM (really Github but actually Microsoft) could shut down tomorrow and the internet would be FUBAR.
*Laughs in native code*
Worth noting that for JavaScript in particular, a lot of the packages required are just filling in for the lack of common utility functions in JS, especially older editions. So you end up with thousands of NPM packages that aren't really maintained or scrutinized that just provide basic utility that arguably should be included in the language (like how "left pad" now is)
As a techie, you’re gonna have to be more specific. Which one? :P
But seriously, these sorts of things happen all the time. Turns out the internet is an incredibly shaky edifice all relying on a handful of projects run by a few guys in their spare time. Statistically speaking most of them are furries. Sorry, I don’t make the rules.
Yup. Most programmers are furries, trans people, autistic people, or all of the above.
As a wise man once said, "If a furry convention fell into a pit of lava, the world's IT capabilities would plummet into the stone age."
@@loonloon9365 I saw a tweet with a plane full of furries a while back and basically all the comments were about how this was a high risk concentration of critical individuals on one plane and how doomed we’d be if it went down.
@@AnimilesYT they really aren't.
source??? 🤣🤣🤣🤣🤣👎👎👎👎👎
I've been a web developer since… well, before anything like a package manager existed, and like the crusty old curmugeonly Gen Xer I am, I have stubbornly refused to ever build anything that uses npm or anything like it. Sure I use plenty of open source code, but I don't build anything with dependencies in this way because it just *feels wrong* to me, and this is a pretty good overview of why that's the case.
It's a good example of why you should use a package manager that locks you to a specific version of a package, and doesn't update unnecessarily.
@@qwertyTRiG And even more, why you shouldn't use packages at all for exceedingly simple code you ought to be able to write yourself.
@@room34 Yes. To be honest, left pad seems like a strange thing to be that popular. (We write in PHP, and use Composer.)
Spot on, was a developer but never on websites. When I found out about the Jenga tower (nice image - thanks HAI) that is modern code I was horrified.
Disclaimer - I am a boring baby boomer and so totally out of touch and senile and still own a sliderule - but I am right, it deserves to break.
Replace "web developer" with "house builder" and "package manager" with "hardware store" and people will declare you insane.
0:03 this sounds absurd, but my device lagged at the exact point where he says: “broken the internet”.
'crashing like bandicoot' best phrase ever made by sam 4:01
2:56 “Much like this video…”
*Like button lights up*
The fact that so many dependencies relied on 11 lines of code is exactly what's wrong with the javascript ecosystem
You dont reinvent what people have figured out
@@hyoroemongaming569 It's just too simple for risking such a catastrophic event. The code for is-even is literally shorter than typing the name of the package (n%2==0) and it's still popular
You don't need to reinvent the wheel, but you don't need to import an ice cube from Antarctica.
oh maaaan it's kinda exciting when a topic suggestion I made was picked! I'm almost sure I'm not the only one who suggested this and I forgot the name I typed on the sheet but I really wanted to see your take on this, thanks sam and adam who apparently wrote the vid!
lessons of this story:
1) simplest npm packages must become part of the language itself
2) fuck npm for siding with corporation
I agree he took the name first
@@alexstone691 More than that, they STOLE frokm the dude. NPM publishing some-one else's work against their wishes?
That's theft man
@@UmaROMC no, the code wash published under a licences that allowed that before
@@UmaROMC All packages are published under a specific license. Most NPM packages (though not remotely all) including leftpad are using the MIT license. The MIT license is generally "do what you want, just don't blame me if something goes wrong". If the original versions were published under the MIT license, then NPM is fully licensed to republish it and it isn't theft. It might be disrespectful, but it's also disrespectful to cause billions of dollars of damage to the economy out of spite because two companies fucked you over (and no, that's not an exaggeration. If it had remained unpublished, it would have been that bad)
right?? how the fuck do you need any amount of code to pad a string? and here i thought JS was considered batteries-included.
The statement that developers just cobble together other people's code is spot on. It's like if everything in the world was made of Lego blocks, including Lego blocks.
NPM is so broken that it is astonishing that it pretty much underpins the modern internet.
some people are smart enough not to use it, same with the frameworks that go in and out of style
Npm is probably less broken than any package manager before it. You never had to live through rpm hell, for example
@@lztx that said, less broken is still - fundamentally - broken.
@@jeshweedleon3960 I'm a PHP/Perl developer. Broken is a way of life. 😂😓
python's pip sucks. conda sucks. i use gentoo's portage to manage my python dependencies (jk)
This kind of story reminds me of two realities- one, that I am a clueless caveman, and two, the world built around me by the postmodern geniuses is all fairy dust and daydreams held together by baling wire and paper cups.
Not even duct tape.
WebDev here: The “broke the Internet” part is _kinda_ true (used for comedic effect). Websites/services stayed online because it was the building/deployment of _new versions_ of those websites that would be failing (so basically what’s there is still there, but just *frozen into place* and unable to be _updated_ to a newer version) because the retrieval of the package from NPM would have failed during the build phase _prior_ to deployment to production, for example. So, caching (unless we’re talking about local caching of npm repos in the build systems) _probably_ had little to do with it.
Misread it as Elven as I was like, "That's so dope. Someone making the Internet snuck in a LOTR Easter egg and it's actually crucial to the internet working? Awesome."
Now my disappointment is immeasurable and my day is ruined.
Azer is my neighbor, he’s always bragging about how he literally single handedly broke the internet, but none of our friends really cared.
I wonder how he'd react if he saw this video.
what a chad
That makes two people named Azer who broke the internet (the other being the kid who appeared in those videos with Tara and Raven Your Acidbath Princess of the Darkness)
Tell him he shouldn't have apologized, he did nothing wrong, not his fault
It is just a casual break out of an open-source developer. As not everybody likes to not get paid and just do work for big companies without even getting a credit far from having a donation
As someone studying computer science and becoming a tech nerd, this video was very helpful.
Here's something they won't teach you in school that’ll be valuable to you : *Register your copyrights.*
@@NinjaRunningWild Exactly.
2:55 "Much like this video, it didn't require any particular skill or brilliance to write" was the first time you said 'like' in the video, so it made the like button animation happen
funfact: JS already has a builtin padding function, but knowing how packages like is-true are downloaded every day, eh.
So it's a case of people not knowing the language they're paid to know well enough?
padStart wasnt added until ECMAScript 2017, and this happened in 2016
@@mikey9164 oh, my bad.
"Crashing like bandicoots", I see you HAI.
RUclips recommended this to me right after Crowdstrike.....
It's reasons like this why other big package repositories (e.g. NuGet) do not allow packages to be fully 'unpublished', but they can be 'unlisted'. The difference is subtle, but it means people who are already using a package can continue using it when it becomes unlisted, however new people searching for it will not be able to find it in search. Since Microsoft (owns NuGet) also purchased npm in 2020, they've implemented a similar strategy for popular npm packages with a high number of downloads.
I remember this well. It basically shut down the startup I worked at which was awesome since we couldn't work so I didn't have to do anything
"Crashing like Bandicoots".
I don't know why that's hilarious to me.
This is known in teh biz as "Dependency hell."
No, really.
If you paused and read the 3 articles you’ll read that NPM chose ‘kik’ over ‘kik’ because if a user request npm kik NPM wants said user to receive what they are most likely to receive and due to kik being an app with 200 million users they are the most likely to be requested
"caching" is doing a lot of heavy lifting here.
You summed up everything I hate about web development in a 5 minute video... I've been doing this for over 20 years... The industry is full of stupidity. I worked on a ONE PAGE WEBSITE APPLICATION that used somewhere near 500mb of libraries... THINK THAT OVER, IT'S INSANE.
I'm a web developer and I just want to say that the explanation of what NPM is and what it does is pretty good, considering it's a channel which makes semi-satirical semi-educational 5-10 minute videos with lots of outdated memes and unfunny jokes
The pain we get when the Jenga tower of borrowed code breaks is very real and not easy to solve at all
Except for the part you could easily spot the missing package, and since it was used freaking everywhere, you can just rebuild it from one of the millions of copies floating around on the Internet. Like it's 11 lines of code, just make your own package and have it locally.
That "Incredibles" nod at the beginning was fantastic!
And that's why every programmer who's using npm will tell you they hate npm
I hate npm
Yep. `node_modules` isn't some alien artifact, but the entire dependency graph for your project. And when you stop and ponder if some tiny library requires gigabytes of code to run, you realize just how broken this ecosystem is. Why is it not a thing with Python, Go, or C#, but gets so bad with NPM.
@Firstname Lastname deno is trying to solve the problem of shitty packages. If you feel comfortable with node you should try it, it's very refreshing
Also it's mostly out of convinience. If you're starting out for example it's easier to use the same language for both frontend and backend rather than learning an entire new ecosystem just to write one app and besides js on backend is actually pretty fast and scalable
Kik gets mentioned
Omegle bros: "You know, i'm something of a scientist myself"
Holy crap he's talking about something I regularly use in my day job!
So much work went into this video, that I watched and will never think about again for the rest of my life.
It makes me furious when people confuse the web with the internet. Yes, web is part of the internet, but it certainly isn’t the whole internet. There’s over 65k possible types of services that can utilze the internet, which includes e-mail (through a client, such as an e-mail app on your smartphone), P2P, FTP, VoIP, Minecraft servers, etc. None of these things would get affected by this.
deep web for the win
You assume these other things don't also use npm?
Anything using npm was hit hard by this.
@@gavros9636 Probably not. Mail clients may use javascript, but I wouldn't imagine that many mail servers do. Or FTP servers. Or most internet servers. In fact, not many web servers do either, except those using Node.
@@gavros9636 you wouldn't use Node for a production SMTP/IMAP/POP3 server, and certainly wouldn't use it for anything like centralized VOIP servers such as SIP. I've seen Minecraft Servers done in PHP, so I won't say anything about those. But the Internet as a whole does not run on NodeJS and NPM.
@@qwertyTRiG I think you'd be surprised and disappointed how many modern server-side things are written in JS.
I love that you happened to post this on a day where RUclips is broken.
Umm one thing about this is incorrect. You claim that they kept working due to caches. Noooo. Prior builds don’t just suddenly break. So even if it wasn’t cashed, the current product version is unharmed. Any project that has left pad as a transitive dependency would just simply be un able to find it and therefore break. But they claim that every time a user goes to a site it compiles and builds is awful lmao
Yeah you'd be surprised that there are idiots that design sites that do that...they usually fail for obvious reasons though.
I like the call back you did to the incredibles scene where the superhoes are dead.
Whoa I actually knew about this, it's a very interesting topic imo
I actually do remember that specific day, thank you very much.
You forgot to mention the Georgian grandmother who broke the internet for all of Armenia.
the grandmother was also Armenian. her name was Hayastan Shakarian. “Hayastan” literally means “Armenia” in Armenian
Actually a pretty decent explanation of NPM. Good job Sam and team!
Make a video about Quatumn Physics
Yes it would be Fun to watch that.
Yes it would be Fun
That Jenga description of package managers is a pretty good metaphor
0:12 you forgot the Armenian grandma
If architects built buildings like programmers design code, the first woodpecker that comes along would destroy civilization.
Discord App imports a library just to check if a number is even or odd.
Modern cooders everyone.
Wouldn't be necessary if JavaScript wasn't such a shitshow of a language.
It always depends on how safe you want your code to be for unexpected inputs (especially if the users can enter stuff). In Javascript you don't have static types, so you first might want to make sure that what you are checking is a (whole) number. Then you have the problem that very large numbers in Javascript aren't exact anymore (9007199254740992 is equal to 9007199254740993 and 9007199254740993%2 is 0). So, especially in very large and complex enterprise applications you might want to protect against those cases and fail gracefully instead of hard/invisibly. And that is exactly what isOdd/isEven are doing.
@@I25mI25 This boils down to two problems: Javascript's duck-typing (or whatever they call the horrible type system where everything is an object until it's not), and the borderline insane decision to make all numbers floats (with their inherent imprecision) Or as someone else has put it: Javascript is a shitshow of a language.
@@jfolz lmafo
If (num % 2 ==0) true
Else false
It's literally that simple with JVM/JS/PY/C and with machine code it's even shorter
@@LeviForWaifu you sure? I did a quick search. There's at least 3 packages that check if a number is odd on npm. They're quite similar in that they perform a couple of checks that what you put in is actually a number and that it's somehow safe(?) to use. Then they return (n % 2) === 1, so apparently your line was already wrong in some cases.
There's a reason why they had to invent === and that reason is JS is a terrible language that should've died a long time ago.
It's stuff like this that really makes me realize I honestly have no clue what the heck the internet really even is, only that is usually there and working
Best part, the package, for which they had to take away the name from an innocnet open source dev for no reason, is now removed because it contained malicious code. gj npm...
Also don't forget about a similar thing that happened recently with Marak Squires' faker.js and colors.js. He didn't want fortune 500 companies using his code for free, so he corrupted those files
Me hearing a package was unpublished: "Meh, how bad could it be?"
Me hearing the package was left-pad: Eyes widen and with the gravitas of a scientist in a 70s disaster film, "Dear God."
And I thought the whole Log4j thing was bad. I mean, it is bad, really bad. But this damn thing (left-pad) is so far down on the stack... *shudders* (And yes, I know Java and JavaScript aren't the same things. But still.)
Yet another form of dependency hell basically.
Based.
Everyone uses packages. You make it sound like it's lazy. It's good to reuse code
Yep. It's especially true for things like cryptography and rendering. If you end up writing it without any prior qualification, you'll get a barely working mess. Reusing code is good.
depends on the context though, here node was implied. node devs are notorious for using hundreds of small packages they don't really need and could write themselves in minutes.
@@gab8169 one gets malware'd or deleted and the house of cards crumbles
@@gab8169 Yeah, most of his commentary on the subject earlier in the video was definitely mostly just him being coy, but with leftpad specifically? Yeah, he ain't wrong about laziness there. It's a ridiculously simple function, it probably takes more time to find, download, and include it than it does to literally just code it yourself.
I don't think the quote that it was "lazy" was said in any real seriousness, to be fair.
That said, I'd agree with reusing code, up to a point - don't reinvent the wheel, and save that time to do better things!
Ok, but that intro was the most creative thing I’ve seen in a long time!
npm actually stands for "npm is not an acronym", not "node package manager", which i think is a 100% better acronym
I love this illustration of unintended consequences. Fervently.
I remember that day. It was glorious. I had spent like 6 months trying to convince my company to download packages and host them ourselves and no one saw the benefit. Then this happened and guess who got his on site package hosting the same week.
Literally as this video ended my WiFi dropped out and I can signed out of youtube on my TV and can't get it to sign back in.
What are you doing Sam I've been a loyal viewer for years now!?
I'm surprised this doesn't happen more often xD
It does happen quite often. Sometimes packages that are widely used get updated with malware, infecting tons of developer PCs and servers.
Guess what's even more common and destructive? *The Cloud*™ comes crashing down to earth. Thanks to some managers calling Technical Debt *Software As A Service"™, each time Amazon, Google, or Microsoft do something dumb to their services, the entire internet breaks.
The lesson's learned. Don't rely on a corporation or an 11 line package to do the work for you, unless necessary.
Have you not heard about node-ipc (yes, another Node.js library, what else?)? The guy literally added malware that destroyed people's files to it to protest the war in Ukraine - and Unity actually distributed that malware to its users.
Finally, HAI makes a topic I'm acrually knowledgeable about.