The NPM organisation, a for-profit company, has just demonstrated that it doesn’t care about the IP rights of contributors. As a organisation built entirely on the contributions of others, this is a worrying precedent.
Background
Azer Koçulu had developed and distributed, via NPM, a module called
left-pad. It’s a simple library, consisting of 11 lines of code, that does what it says on the box – pads a string by adding spaces to the left.
This module then got picked up and used by lots of other modules. Apparently it had been downloaded nearly 2,500,000 times in the last month.
Koçulu had another module, called Kik. He received a cease-and-desist order from a lawyer complaining about trademark violation. He disputed that, and the lawyer then went to NPM. NPM decided to transfer the ownership of the Kik module – not remove it, but to assign ownership to a third-party.
Not surprisingly, Koçulu was annoyed by this. So he yanked all of his modules – about 250 of them – from NPM. Including left-pad.
This broke lots of things – heaps of projects around the world started to see failures due to the missing dependency on left-pad. In many cases, these were secondary dependencies – where ProjectA breaks because it depends on ProjectB, which depends on left-pad.
There is no question that this is a messy situation. But the fix that NPM decided on was worse. They un-unpublished the most recent version of left-pad, apparently at the request of a new owner.
What NPM should have done
It’s fine that someone can claim the left-pad module – if it’s been abandoned, it’s up for grabs. Nothing particularly wrong with that.
But the new owner only gets access to the name – they don’t suddenly get rights to the previously published code. Nor can NPM assign them the rights – by their own terms of service, they lose those rights when a module gets unpublished.
The new owner should have taken the couple of minutes it would have taken to fork the left-pad code base (which, under the WTFPL license used to distribute it, would have been perfectly fine), then packaged it up and submitted to NPM as a new module. They could even have re-used the version number, which would have solved everything.
In the case of Kik, NPM could have expelled the offending module. They could have claimed a safe-harbour provision and left it there. But they should not have assigned ownership to a third-party. And they really should not have double-downed on their transgression by doing it again.
Summary
NPM does not care about the IP rights of its contributors. They have shown they are willing to transfer IP to third-parties, and even to transfer IP they’ve explicitly had their rights to distribute removed.
I would suggest not publishing anything to NPM.
Share this:
Software is too expensive to build cheaply.... 
I wouldn’t suggest not publishing anything to npm. What I would suggest is making life now difficult for them, answering the 2.500,000 emails from people who are now complaining about their broken dependencies. What they did was wrong. What the Kik corporation’s lawyers did was blatantly stupid and short-sighted and should also be punished in the world of open-source. There is such a thing as karma (with a lowercase ‘k’): It’s the collective reactions of society around you when you do something right or something wrong. both Kik corp and NPM both deserve their negative karma in the form of societal punishment now.
I don’t blame Kik-the-messaging-company for trying to enforce their trademark. Wether or not there was any actual infringement would be up to the courts – we’ll never know, as it doesn’t look like it’ll get that far.
I wouldn’t have blamed NPM if they had booted @azerbike’s kik module of the dispute – they’ve got to do what protects them. (Though I would think their safe-harbour status should do that). But turning over the module name without unpublishing the modules was wrong. @azerbike’s response is a bit of a hissy fit, but it was justified. And doubling-down on their wrong move just makes it worse.