Should repository managers ever ‘unpublish’?

As a result of the recent kerfuffle about left-pad being unpublished from the NPM repository, and the subsequent “internet breakage”, I had a Twitter discussion with Charles Miller about whether unpublish should even be an option.

First, let me make something clear: having provided an unpublish option, NPM was ethically, if not legally, obliged to respect Azer Koçulu’s decision to unpublish. The fact that this caused downstream problems doesn’t change that. But what this post is about is:

Should the unpublish option have been available?

And yes, I think it should be.

So… NPM doesn’t care about intellectual property rights?

The NPM organisation, a for-profit company, has just demonstrated that it doesn’t care about the IP rights of contributors. As an organisation built entirely on the contributions of others, this is a worrying precedent.


Azer Koçulu had developed and distributed, via NPM, a module called left-pad. It’s a simple library, consisting of 11 lines of code, that does what it says on the box – pads a string by adding spaces to the left.

This module then got picked up and used by lots of other modules. Apparently it had been downloaded nearly 2,500,000 times in the last month.

Koçulu had another module, called Kik. He received a cease-and-desist order from a lawyer complaining about trademark violation. He disputed that, and the lawyer then went to NPM. NPM decided to transfer the ownership of the Kik module – not remove it, but to assign ownership to a third-party.

Not surprisingly, Koçulu was annoyed by this. So he yanked all of his modules – about 250 of them – from NPM. Including left-pad.

This broke lots of things – heaps of projects around the world started to see failures due to the missing dependency on left-pad. In many cases, these were secondary dependencies – where ProjectA breaks because it depends on ProjectB, which depends on left-pad.

There is no question that this is a messy situation. But the fix that NPM decided on was worse. They un-unpublished the most recent version of left-pad, apparently at the request of a new owner.

What NPM should have done

It’s fine that someone can claim the left-pad module – if it’s been abandoned, it’s up for grabs. Nothing particularly wrong with that.

But the new owner only gets access to the name – they don’t suddenly get rights to the previously published code. Nor can NPM assign them the rights – by their own terms of service, they lose those rights when a module gets unpublished.

The new owner should have taken the couple of minutes it would have taken to fork the left-pad code base (which, under the WTFPL license used to distribute it, would have been perfectly fine), then packaged it up and submitted it to NPM as a new module. They could even have re-used the version number, which would have solved everything.

In the case of Kik, NPM could have expelled the offending module. They could have claimed a safe-harbour provision and left it there. But they should not have assigned ownership to a third party. And they really should not have doubled down on their transgression by doing it again.


NPM does not care about the IP rights of its contributors. They have shown they are willing to transfer IP to third parties, and even to transfer IP that they have explicitly lost the right to distribute.

I would suggest not publishing anything to NPM.

Logarithmic Axes for ExtJS Charts

ExtJS includes a number of nice charting options. I mean, it’s no HighCharts or D3, but it’s not bad. But – it can’t do a logarithmic axis.

A logarithmic axis is useful for displaying data with a large range of values. Sometimes these values are already on a log scale – e.g. the Richter scale is a log scale, as are decibels. You can plot this on a normal linear numeric axis. But sometimes your values can’t be easily converted to a log scale. Maybe you’re plotting wealth distribution. Or, in my case, particle size distributions, where the sizes can range from metres down to microns. When dealing with something like this, you need a log axis.

AWS SDK 2.2, iOS 9, Xcode 7 – Adventures in Learning

Well, it’s been three-and-a-half years, but I’ve finally got around to writing an iOS app. I wouldn’t hold your breath waiting to get a copy, though – it’s purely for my private use, to aid in monitoring and administering the IES project.

After doing enough tutorials and similar exercises to be comfortable in building the app and the UI, I got around to trying calls to the AWS infrastructure. This proved a bit more difficult than I anticipated – hence this aide-mémoire. This isn’t going to be useful for non-iOS developers, and I doubt it’s going to have anything new for more seasoned iOS developers; only iOS noobs like me need bother.

Fashionable ExtJS and Web Services

ExtJS 6 was released at the end of June, and one of the nicest new features in it is a change to their CSS tooling – they’ve replaced Compass with a JavaScript-based implementation of SASS called Fashion. One of the neatest features is “Live Update” – this takes the traditional ‘watch’ approach one step further, and instead of just rebuilding your CSS when you change a SCSS source file, it updates the CSS inside the running browser, without needing a page refresh! This is just awesome, and not something I’ve seen before in my (admittedly limited) experience with web development tools.

But there’s just one problem… you have to use the embedded web server started with the sencha app watch command. Which is fine if all you’ve got is a webpage, but if you’re dealing with web services (as so many web apps do), it’s a bit restricting – at least if you don’t want to configure your app or server to allow cross-site scripting.

But Live Update is too awesome to forego! What to do?
