NPM and friends

[A couple of months ago, the open source community and npm were rocked by an author’s unpublishing of a module called “kik.” This unprecedented action, which brought down scores of projects that were dependent upon the kik module, was the result of a dispute over ownership of the name “kik” itself. Nestor Fedyk has some interesting things to say about this dispute. Read on… — The Editor]

This is a late response to this article about the deletion of the “kik” module from npm. Most people have sided with either Azer Koçulu or npm in this dispute, and for a while it became quite the topic of the moment.

Let’s compare rules for package removal from the most popular repositories out there:

Repository (language): package-removal policy

npm (JavaScript): Before March 29, 2016 there were no restrictions on unpublishing. Since March 29, 2016 an owner can unpublish a version on their own only while it is less than 24 hours old; after that, removal goes through npm support, which will not remove a package that other packages depend on.

Maven Central (Java): A maintainer cannot unpublish a released artifact. Bugs in a release are handled by publishing a new version.

Composer / Packagist (PHP): A package can be deleted while it has only a few downloads (I don’t remember the exact threshold). Packages with many downloads have no delete button at all, so that one mistake cannot affect lots of people.

RubyGems (Ruby): A version can be removed with gem yank (a command that came from gemcutter). A yanked version can no longer be installed, and its version number cannot be reused.

PyPI (Python): An owner can delete a release, or the whole project, from the repository.

JavaScript is the most popular language for open source projects on GitHub, followed by Java. Being able to write both the front end and the back end of an application in one language appeals to a lot of programmers. Going from application to application, most developers keep running into the same problems and keep having to extend the capabilities of the language themselves. Creating and sharing small packages is the easiest way to do that in JavaScript, which is also why a typical project ends up pulling in so many dependencies.

Like most developers out there, these days I can’t imagine writing JavaScript code without libraries like underscore and Promise. Since JavaScript projects rely heavily on their dependencies, this “kik” name dispute was widely felt and talked about. I’ve seen the same problems come up in conversations about PyPI packages that have been removed previously, but the impact on the Python community was much, much smaller.

I know I will consider having my own repository with copies of all libraries and dependencies before I start my next project. Will you?