The NPM organisation, a for-profit company, has just demonstrated that it doesn’t care about the IP rights of contributors. As a organisation built entirely on the contributions of others, this is a worrying precedent.
Azer Koçulu had developed and distributed, via NPM, a module called
left-pad. It’s a simple library, consisting of 11 lines of code, that does what it says on the box – pads a string by adding spaces to the left.
This module then got picked up and used by lots of other modules. Apparently it had been downloaded nearly 2,500,000 times in the last month.
Koçulu had another module, called Kik. He received a cease-and-desist order from a lawyer complaining about trademark violation. He disputed that, and the lawyer then went to NPM. NPM decided to transfer the ownership of the Kik module – not remove it, but to assign ownership to a third-party.
Not surprisingly, Koçulu was annoyed by this. So he yanked all of his modules – about 250 of them – from NPM. Including
This broke lots of things – heaps of projects around the world started to see failures due to the missing dependency on
left-pad. In many cases, these were secondary dependencies – where ProjectA breaks because it depends on ProjectB, which depends on
There is no question that this is a messy situation. But the fix that NPM decided on was worse. They un-unpublished the most recent version of
left-pad, apparently at the request of a new owner.
What NPM should have done
It’s fine that someone can claim the
left-pad module – if it’s been abandoned, it’s up for grabs. Nothing particularly wrong with that.
But the new owner only gets access to the name – they don’t suddenly get rights to the previously published code. Nor can NPM assign them the rights – by their own terms of service, they lose those rights when a module gets unpublished.
The new owner should have taken the couple of minutes it would have taken to fork the
left-pad code base (which, under the WTFPL license used to distribute it, would have been perfectly fine), then packaged it up and submitted to NPM as a new module. They could even have re-used the version number, which would have solved everything.
In the case of Kik, NPM could have expelled the offending module. They could have claimed a safe-harbour provision and left it there. But they should not have assigned ownership to a third-party. And they really should not have double-downed on their transgression by doing it again.
NPM does not care about the IP rights of its contributors. They have shown they are willing to transfer IP to third-parties, and even to transfer IP they’ve explicitly had their rights to distribute removed.
I would suggest not publishing anything to NPM.