So if all three parties half-apologized, that's like 1.5 full apologies, which is more than you usually get from this situation.

The correction about why the websites themselves didnt break is not because of caching, it's just that they are already deployed with leftpad still working, and any changes made by npm will not touch the website, and they are not allowed to be deployed again when it cannot be built due to leftpad being missing (simply nobody gets to update their website).

breaking literally everything by modifying a tiny bit of code is extremely accurate

this is one of my biggest complaints about npm; they are a company who is ultimately in charge of a good chunk of the free internet. Thats an important note; NPM is a company, not just a repository (who is now owned by Microsoft). It's concerning to me, and i think an open alternative might be wise

The real crime here is that someone one day did an `npm install kik` and got some API client to some dumb messenger instead of whatever that package used to do. Name reassignment like that can have the exact same effect as the removal of leftpad did.

All this video did was make me lose respect for the NPM team for not only screwing over an open-source creator who clearly did nothing wrong and used the name WAY before Kik did, but screwed him over twice by reverting it back to published without the creator's consent.

as a programmer, let's take a second to appreciate the incredible amount of effort it takes to find such a short obscure package instead of writing 10 lines yourself.

As a web developer that doesn't regularly use NodeJS (what leftpad was used for) but is familiar with it, the people at my old work place turned it into a joke shortly after this.

Just have to say, the explanation of NPM was comically on point. That's, exactly how it works. Except this tower randomly decides to break down even when nothing is wrong because react@16.12.1 cannot be used with @types/react@16.2.2 for whatever reason

Guess it goes to show that you should be nice to everyone, because you never know whose propping the internet up on their back in their free time like Atlas keeping the sky from crashing into Earth.

Whats even more interesting about this, is npm enacted a policy forbidding package creators from unpublishing a package with a certain number of downloads. I'm not fully versed in the details but they made some sort of change to prevent this from happening

"Crashing like Bandicoots" is an expression I'll always use from now on

I am a node web developer. This Jenga tower analogy is accurate. I work for a huge company (60,000 employees) and we use react which uses hundreds of other packages that we have no idea what they are, so when ome breaks its a scramble

If Kik didn't want to be dicks about it, they should have just said: hey dude, we'll win in court, but here's 1000 dollar for the name so we don't have to go through all that.

Once i had a dream about watching one of your videos and it was about italian mice who kill other italian mice

I run a site for an obscure, yet historically important 70s punk band called The Normals. Needless to say I get requests from various other "Normals" bands that want to use the site name. The funniest excuse they use for why I should give them the name is that "you're not doing anything with it" (meaning a band from the 70s hasn't put out a record recently). Which is like saying, "these Beatles guys haven't put out a record since the 70s, they don't deserve a presence on the web." They'd rather erase the legacy of others than to put in the mental effort to be more creative with their name (ironic coming from an artist). I ultimately tell them "no", but I do check up on their band later. Not once has one of these bands ever done anything of note and they almost immediately disappear within a few years, and usually within a few months. So if I gave in to these demands, not only would they have themselves done nothing with the name, they also would have taken down a band that actually did do something with the name.

This is why you should think about adding a dependency to your project Yes libraries are almost always better then stuff you write yourself but this is 1 very easy function to just implement yourself and save a dependency.

Normally when someone makes a video about a topic I know a lot about, the best outcome is, “Well I mean I guess how you could describe it like that if you don’t know anything about it,” but honestly this was a really good explanation. There was only one moment in the video where I thought, “Well I wouldn’t use that word here because it’s not technically accurate, but to be fair anyone who would be confused by it probably already knows what you mean anyway.”

I would say the npm explanation is pretty accurate, but did want to correct that people use packages not because they're lazy and don't want to write the code themselves, but there is a general understanding that being a good software engineer means you aren't rewriting what's already been written and figured out, it standardizes things and allows for easier updates across projects.

This just goes to show that people who are mostly unseen can still have a huge impact on the world.

As a Software Development student, seeing C++ being built on top of Python in the animation almost gave me a heart attack

Great explenation, I only use python but I can imagine, if someone screwed around with numpy we'd all be doomed.

"Too bad he (Azer) didn't put malwares into his packages instead." - Someone who likes to watch the world burn

Amateur, I don’t even do anything to the code and it breaks

This is a perfectly reasonable explanation of how NPM works, and suitable for the level of depth this channel demands, but if you want a nitpick for your anniversary mistakes videos, there's more than one package manager. NPM is the de facto standard package manager for JavaScript, which is what much of the Internet is built on, but the illustration at around the 1:20 mark shows other languages which would typically use different package managers. (And tell your animators not to worry about putting the Java logo in cases which are probably meant to be the JavaScript logo - they're different languages, but it's really our bad for letting marketers in the 90s decide to name the latter after the former.)

This was genuinely hilarious to watch you explaining everything going to hell- and the fact that it only lasted 10 minutes

As a techie, you’re gonna have to be more specific. Which one? :P But seriously, these sorts of things happen all the time. Turns out the internet is an incredibly shaky edifice all relying on a handful of projects run by a few guys in their spare time. Statistically speaking most of them are furries. Sorry, I don’t make the rules.

lessons of this story: 1) simplest npm packages must become part of the language itself 2) fuck npm for siding with corporation

You guys broadsided me with "crashing like bandicoots" hard lol there. Well done, well done.

Azer: makes kik Kik, the messenger: Unfortunately, history will not see it that way.

I've been a web developer since… well, before anything like a package manager existed, and like the crusty old curmugeonly Gen Xer I am, I have stubbornly refused to ever build anything that uses npm or anything like it. Sure I use plenty of open source code, but I don't build anything with dependencies in this way because it just *feels wrong* to me, and this is a pretty good overview of why that's the case.

For a company dealing in open source packages, it seems like this could've been avoided in a far more adult manner. Reserve _TM or something as a mandatory suffix for any package names claiming trademark. Then there's no dispute with existing package names. If there's already a kik_TM, that means some other douche canoe already claimed that highly creative collection of 3 letters. Shocking. Well, here's the registration contact info they gave us. Good luck!

As a programmer, your explanation as to why we use package managers is 110% accurate

And this is one of the reasons why I hate using dependencies. That doesn't mean I don't use them, I just hate myself for doing it.

Love it when big companies get their way even though they shouldn't

I'm glad that I prefer to copy / paste, rather than use a package that has the same code.

There's always a relevant xkcd when it comes to kerfuffles like this one, and for this instance it's 2347. A more recent example of this would be the gpsd bug last year, and there was also another one back when OpenSSL's Heartbleed issue came to light.

Well, you'll need another video now- "The update which broke the IT infra"

Actually a really good explanation, speaking as a programmer myself

This kind of story reminds me of two realities- one, that I am a clueless caveman, and two, the world built around me by the postmodern geniuses is all fairy dust and daydreams held together by baling wire and paper cups.

That moment when C# and .NET are in a Jenga tower describing JavaScript packages. Ouch

2:56 “Much like this video…” *Like button lights up*

'crashing like bandicoot' best phrase ever made by sam 4:01

2:55 "Much like this video, it didn't require any particular skill or brilliance to write" was the first time you said 'like' in the video, so it made the like button animation happen

Worth noting that for JavaScript in particular, a lot of the packages required are just filling in for the lack of common utility functions in JS, especially older editions. So you end up with thousands of NPM packages that aren't really maintained or scrutinized that just provide basic utility that arguably should be included in the language (like how "left pad" now is)

As someone studying computer science I can say the reason we use packages is exactly as you describe.

Whenever you hear about big apps breaking, it always points back to either DNS or an NPM package. This is also why a centralized internet is not a good thing and why I miss the old days where literally 95% of the internet didn't rely on a single source of failure. NPM (really Github but actually Microsoft) could shut down tomorrow and the internet would be FUBAR.

Kik gets mentioned Omegle bros: "You know, i'm something of a scientist myself"

The fact that so many dependencies relied on 11 lines of code is exactly what's wrong with the javascript ecosystem

Misread it as Elven as I was like, "That's so dope. Someone making the Internet snuck in a LOTR Easter egg and it's actually crucial to the internet working? Awesome." Now my disappointment is immeasurable and my day is ruined.

Hah pathetic, I remove a single parenthesis and my entire computer explodes like an atomic bomb

They lost at the second mail at "but" with "We don’t mean to be a dick about it, but [...] our trademark lawyers are going to be [...] taking down your accounts and stuff like that - and we’d have no choice [...] because you have to enforce trademarks [...]." Oh the poor guys with loads of money for trademark lawyers had really no choice but to be dicks. 🤬

The statement that developers just cobble together other people's code is spot on. It's like if everything in the world was made of Lego blocks, including Lego blocks.

Azer is my neighbor, he’s always bragging about how he literally single handedly broke the internet, but none of our friends really cared.

If architects built buildings like programmers design code, the first woodpecker that comes along would destroy civilization.

NPM is so broken that it is astonishing that it pretty much underpins the modern internet.

And that's why every programmer who's using npm will tell you they hate npm I hate npm

You forgot to mention the Georgian grandmother who broke the internet for all of Armenia.

oh maaaan it's kinda exciting when a topic suggestion I made was picked! I'm almost sure I'm not the only one who suggested this and I forgot the name I typed on the sheet but I really wanted to see your take on this, thanks sam and adam who apparently wrote the vid!

0:03 this sounds absurd, but my device lagged at the exact point where he says: “broken the internet”.

It makes me furious when people confuse the web with the internet. Yes, web is part of the internet, but it certainly isn’t the whole internet. There’s over 65k possible types of services that can utilze the internet, which includes e-mail (through a client, such as an e-mail app on your smartphone), P2P, FTP, VoIP, Minecraft servers, etc. None of these things would get affected by this.

I'm a web developer and I just want to say that the explanation of what NPM is and what it does is pretty good, considering it's a channel which makes semi-satirical semi-educational 5-10 minute videos with lots of outdated memes and unfunny jokes The pain we get when the Jenga tower of borrowed code breaks is very real and not easy to solve at all

"Crashing like bandicoots", I see you HAI.

KZbin recommended this to me right after Crowdstrike.....

"Crashing like Bandicoots". I don't know why that's hilarious to me.

As someone studying computer science and becoming a tech nerd, this video was very helpful.

If you paused and read the 3 articles you’ll read that NPM chose ‘kik’ over ‘kik’ because if a user request npm kik NPM wants said user to receive what they are most likely to receive and due to kik being an app with 200 million users they are the most likely to be requested

It is just a casual break out of an open-source developer. As not everybody likes to not get paid and just do work for big companies without even getting a credit far from having a donation

How are people so lazy, they add a dependency just so they don't have to write 10 lines of code. I am honestly disgusted by modern programmers.

WebDev here: The “broke the Internet” part is _kinda_ true (used for comedic effect). Websites/services stayed online because it was the building/deployment of _new versions_ of those websites that would be failing (so basically what’s there is still there, but just *frozen into place* and unable to be _updated_ to a newer version) because the retrieval of the package from NPM would have failed during the build phase _prior_ to deployment to production, for example. So, caching (unless we’re talking about local caching of npm repos in the build systems) _probably_ had little to do with it.

As my web dev professor described it, the internet is just a giant stack of band aids each failing in its own grand way

Umm one thing about this is incorrect. You claim that they kept working due to caches. Noooo. Prior builds don’t just suddenly break. So even if it wasn’t cashed, the current product version is unharmed. Any project that has left pad as a transitive dependency would just simply be un able to find it and therefore break. But they claim that every time a user goes to a site it compiles and builds is awful lmao

Funny thing, this story leads into another story. After this whole fiasco happened with leftpad, NPM put in a new policy about unpublishing, that if a package version was depended on by another package, that version cant be unpublished. A dev created a package called everything, which depended on every single NPM package, but also since NPM had a limit of 800 dependencies per package, so they created many subpackages to get past this, but they had no idea of the unpublishing rule so since everything was dependent on.. well.. everything on NPM, and the subpackages were dependent on.. everything.. they accidentally disabled unpublishing for all of NPM.. (i did a horrible job explaining this and left some things out.. just look at a better video for a better explanation.)

funfact: JS already has a builtin padding function, but knowing how packages like is-true are downloaded every day, eh.

It's reasons like this why other big package repositories (e.g. NuGet) do not allow packages to be fully 'unpublished', but they can be 'unlisted'. The difference is subtle, but it means people who are already using a package can continue using it when it becomes unlisted, however new people searching for it will not be able to find it in search. Since Microsoft (owns NuGet) also purchased npm in 2020, they've implemented a similar strategy for popular npm packages with a high number of downloads.

Me hearing a package was unpublished: "Meh, how bad could it be?" Me hearing the package was left-pad: Eyes widen and with the gravitas of a scientist in a 70s disaster film, "Dear God." And I thought the whole Log4j thing was bad. I mean, it is bad, really bad. But this damn thing (left-pad) is so far down on the stack... *shudders* (And yes, I know Java and JavaScript aren't the same things. But still.)

My calculator when I input the equation and I get an error: guess it's all broken

"caching" is doing a lot of heavy lifting here.

Big, dumb company: "We don't want to be dicks about it" Big, dumb company: Are dicks about it

0:12 you forgot the Armenian grandma

So much work went into this video, that I watched and will never think about again for the rest of my life.

TURKIYE BREAKS INTERNET BECAUSE TURKIYE NUMBER ONE

You summed up everything I hate about web development in a 5 minute video... I've been doing this for over 20 years... The industry is full of stupidity. I worked on a ONE PAGE WEBSITE APPLICATION that used somewhere near 500mb of libraries... THINK THAT OVER, IT'S INSANE.

Holy crap he's talking about something I regularly use in my day job!

I would like to see where in the terms of service npm gets the right to republish his code. Unless someone at npm wrote something with the same exact functionality and published it under the same name and that wasn't portrayed in this video.

Best part, the package, for which they had to take away the name from an innocnet open source dev for no reason, is now removed because it contained malicious code. gj npm...

None of you realize that literally the whole internet might be reliant on some little project a small coder might be thanklessly maintaining.

Whoa I actually knew about this, it's a very interesting topic imo

1:19 1)Talking about NPM. 2)Not a single picture is JS(short for JamboScrambo) on the Jenga Tower

Sam breaks the internet.

"So, in my opinion, dinner time is pretty much the best time of the day" WITH THAT SPREAD OF FOOD IT IS

Make a video about Quatumn Physics

As a Python programmer I'm amazed Leftpad is as many as 11 lines of code. That's, like, 7 more than is necessary.

This doesn't surprise me lol, you can break huge projects with a single character

To obsess over accuracy, at the 1:25 mark, you show a Jenga tower with may different languages, but with standard software dependency trees, it's always a single language. You can't add a Python library to a JavaScript project. This issue with kik and left-pad was limited to NPM, which is the package manager for NodeJS, a JavaScript runtime. Only software built for NodeJS was affected. However, the prevalence of NodeJS as a runtime on the modern web made this more widespread.

Discord App imports a library just to check if a number is even or odd. Modern cooders everyone.

"So we know you've been using this name forever, but fuck you, you don't own it anymore because some assholes with money said it's theirs." "Ok, I'm going to take down all my code in protest." "Haha no you won't, you don't own that either." Moral of the story? All it takes is a rich guy, a lawyer and an email to veto your freedom.

I'm surprised this doesn't happen more often xD

The Turkish programmer was totally in the right here. He made an NPM package with the name KIK and it's like creating an Instagram account with the name Google. If Google wanted that Instagram name, they should have offered him a hefty amount of money for it. NPM by giving the name KIK to the company KIK essentially did something like Facebook stealing someone's Instagram account named Google and giving to to the company Google. They totally shouldn't have done that. I am not surprised at all that the developer removed all his packages from NPM and it's probably what I would have done too. Also the "cache" has nothing to do with the Internet working for some people. NPM is a service that (among other things) allows you to download open source packages from their repository, the Turk removed it from NPM and therefore no one could download it anymore, but if some developer has already downloaded that package they would have it on their PC and their app would work just fine. It's with putting the new version of that app on the server is where the trouble begins, because you'd need to download it from NPM once more, but again... if you already had that package downloaded you could just put the files from your PC on which you programmed said app onto the server which would host that app and everything would work just fine.

I'm just so impressed by how good your videos are. They are hilarious! And just like you said.. many big corps take advantage of open source and you knew that! Bravo.. although to the people who created and implemented open source. This is honestly exactly what they wanted.