Npm left-pad incident

On March 22, 2016, software engineer Azer Koçulu took down the left-pad package that he had published to npm (a JavaScript package manager). Koçulu deleted the package following a dispute with Kik Messenger, in which the company forcibly took control of the package name kik. As a result, thousands of software projects that used left-pad as a dependency, including the Babel transcompiler and the React web framework, could not be built or installed.

Technology corporations including Meta Platforms, PayPal, Netflix and Spotify were potentially affected by the removal of left-pad, as their software products used the package in some form. Several hours after the package was removed from npm, the company behind the platform, npm, Inc., manually restored the package due to the widespread disruption caused by the incident.

In the aftermath of the disruption, npm disabled the removal of a package if more than 24 hours have elapsed since its publishing date and at least one other project depends on it. The incident also drew widespread media attention and reactions from individuals in the software industry. The removal of left-pad has prompted discussion regarding the intentional self-sabotage of software to promote social justice and brought attention to the elevated possibility of supply chain attacks in modular programming.

