
The 3rd option is the one Azer describes in the post:

He wants to remove his stuff, but isn't sure what the right way to do it is, so he asks npm. npm provides him with a set of scripts to run to remove his stuff, and he, presuming that it's "ok" if npm told him to go ahead and run them, runs them. The impact isn't especially important to him, but since npm just gave him a set of scripts with an implicit "oh okay, you want to remove your stuff, here, I wrote you a script you can run to get it done," it makes it more of an npm choice to handle it in this manner. npm asked him to handle it this way, so he did.



What would the alternative have looked like?

If NPM had prevented the depublishing, he would have made a scene and, in the worst case, they would have looked bad.

The way they actually handled it, the library author got full freedom but also full responsibility.


At a certain point, no, you can't unpublish because the world only has one arrow of time. Imagine if Torvalds decides to unpublish his code in the Linux kernel. It's easy to understand how that would work: His code would remain out there for all time because doing anything else would be a massive disruption and cause people actual problems. People don't just give others a way to hurt them like that if they know what they're doing, even if they got a lot of value from them in the past.

Lesson: Vendor your dependencies, I guess. Although a lot of the ire around left-pad was over programmers using a library for something so trivial, that's a different conversation.


> Although a lot of the ire around left-pad was over programmers using a library for something so trivial, that's a different conversation.

Very true.

Although, from 2012 onwards, up to around the time of the leftpad incident, the trend - and the pressure - was to minimise the amount of work your code was doing and to publish tiny packages that only did one thing or solved one problem, deferring to other tiny packages for anything non-core. I remember colleagues more embedded in the JS world than I was passionately arguing for this in 2012/13.

And it did make some sense: bandwidth matters, particularly on mobile devices (which became a key source of traffic during that period), so why pull in some gigantic do-everything library when you only need a handful of functions[0]? Sure, minifying and pruning help but, due to JS's nature, pruning can only get you so far.

But, yes, I think leftpad was something of a teaching moment on the downsides of this approach.

[0] Of course, if you then stick 6 different tracking scripts in all your pages, it's super-easy to undo all the good you've done by minimising your bundle size, but that's a different conversation.


> If NPM had prevented the depublishing, he would have made a scene and, in the worst case, they would have looked bad.

I mean he says he asked them to remove all his packages, expecting them to do so gradually, following whatever mitigation strategy they felt appropriate (e.g. some kind of warning and fadeout process), and instead they gave him a script to do it immediately so he did that.




> That’s precisely why unpublishing an entire package/crate/gem is not a supported operation on any mainstream repository.

Every competent repository has a process for unpublishing. Sooner or later someone will upload something that someone else claims the copyright to, and then either you take it down when you get a DMCA notice or you lose your safe harbour.

Maybe you replace it with some sort of tombstone. Maybe you warn all the reverse dependencies first. But you have to have a way to remove content.


Please. It looks like he was doing dev as a hobby, asked a big company how to handle removing his packages, and did what they told him to. They might not have had the right policy, but that doesn't make a guy who doesn't want to give his packages away to a company just because they're making threats into an asshole. It makes him typical.


He had already given everyone a license to use his software. That’s what FOSS software is - the users are granted a license to use the software and it can’t be revoked, even if the author is throwing a tantrum.


Sure, but that license doesn't include the requirement to host in perpetuity, and anyway, I wouldn't expect a hobbyist to need to worry about this. If I decide to make my gamer-profile private / offline or something and that breaks your crawler, even though I previously granted unrestricted public access to that data, that's really not my problem.


Let’s not pretend he was hosting the software. Npm was.

No software developer or organisation will use a software repository that allows deletion of packages. That’s why it’s not a thing anymore.

If you think this “right” should exist, that’s a market niche for you to exploit. But you won’t, will you? Because like I said, no user wants this.


??? I didn't say anybody using npm wants this. I'm saying npm had the wrong policy around deletion, that npm could have handled the situation differently, and also that Azer not knowing or caring about the effects of removing the package doesn't make him an asshole or even negligent (although it also doesn't mean he ISN'T an asshole; that's a separate matter).

The point is that Azer didn't owe anybody anything; not even to know what he was doing. npm did.

That said, I'm glad the wake-up call came in such a relatively benign way.


> and in the worst case, they would have looked bad.

As opposed to looking much worse? Easy decision.



