Phuoc Nguyen Dang

Posted on • Originally published at youtube.com

11 Lines of Code Broke the Entire Internet

In 2016, one developer deleted 11 lines of JavaScript. Facebook, Netflix, and thousands of companies broke instantly.

But here's the part most people miss.

npm's CEO personally provided the developer with the script to delete everything. The platform facilitated the crisis it then scrambled to fix.

The developer — Azer Koçulu — wasn't angry. He was principled. A corporation wanted his package name. npm gave it to them without consent. So he left the platform entirely.

One of his 273 deleted packages was "left-pad." A string-padding function. 2.5 million downloads/month. React depended on it. Babel depended on it. Nobody knew.

The fix? npm restored his code from backup. Without permission. Again.

He was protesting that the platform didn't respect individual developers. And the fix proved him exactly right.

This story isn't about 11 lines of code. It's about who owns open source infrastructure. When millions depend on your unpaid work — do you still own it?

Ten years later, the dependency problem is worse. The average JS project has hundreds of transitive dependencies from strangers with no contracts, no SLAs, no obligations.

Every npm install is an act of blind faith.
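To see how much of a project arrives transitively, and why a package like left-pad is installed at all, you can read the lockfile directly. The script below is an added example, not code from the original post: it assumes the `packages` map layout of npm lockfile v2/v3, and the sample lockfile and every package name in it except left-pad are constructed.

```javascript
// Constructed sample in npm lockfile v2/v3 shape; every name except left-pad is made up.
const sampleLock = { packages: {
  "": { dependencies: { "web-framework": "^1.0.0", "date-utils": "^2.0.0" } },
  "node_modules/web-framework": { version: "1.0.0", integrity: "sha512-CONSTRUCTED", dependencies: { "build-helper": "^3.0.0" } },
  "node_modules/build-helper": { version: "3.1.0", integrity: "sha512-CONSTRUCTED", dependencies: { "left-pad": "^1.0.0" } },
  "node_modules/left-pad": { version: "1.3.0" }, // no integrity hash recorded
  "node_modules/date-utils": { version: "2.4.0", integrity: "sha512-CONSTRUCTED" },
} };

// Resolve `name` the way Node does from `fromPath`: nearest node_modules first, then walk up.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Count direct vs. transitive installs and list entries with no integrity hash.
function summarize(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const installed = Object.keys(lock.packages).filter((p) => p !== "");
  const isDirect = (p) => !p.includes("/node_modules/") && direct.has(p.slice("node_modules/".length));
  return {
    direct: installed.filter(isDirect).length,
    transitive: installed.filter((p) => !isDirect(p)).length,
    missingIntegrity: installed.filter((p) => !lock.packages[p].integrity && !lock.packages[p].link),
  };
}

// Return every dependency chain from the project root down to `target`.
function whyInstalled(lock, target) {
  const chains = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(lock, path, name);
      if (!next || seen.has(next)) continue; // unresolved, or a cycle on this chain
      if (name === target) chains.push([...chain, name].join(" > "));
      else walk(next, [...chain, name], new Set(seen).add(next));
    }
  };
  walk("", [], new Set());
  return chains;
}
console.log(summarize(sampleLock), whyInstalled(sampleLock, "left-pad"));
```

On a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; `npm explain <package>` reports the same chains from the installed tree.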

