The Man Who Broke The Internet By Deleting 11 Lines of Code

2/3 parties are at fault so there is still 0.5 apology less that the required number.

or if you're using JavaScript floating point math, 1.499999999999999998 apologies

@@tylerbreisacher5841 Except no, because 0.5 has an exact representation in binary

@@tylerbreisacher5841 yep, totally JS math. Not like its just another implementation of IEEE floats and has the same problems as every other language implementing floats. Nope, must be a JS thing.

@@tylerbreisacher5841 1.5 in binary is just 1.1, so there's no problem there

I just delete this function that does nothing.
Error messages: allow us to introduce our selves.
i am still learning so be nice please

i can vouch, can't tell you the amount of times i accidentally deleted something and then wondering why it doesn't work

if he really wanted to mess with people he should have just modified it by removing one of the brackets to make it so everything underneat it wasnt compiling, It would be a bit more annoying

yep ANYTHING

Even if the bit is useless.

Wanted to say something similar. To keep it short: the internet didn’t break.

This is correct. Packages are fetched during deployment. Package missing = fail. Sites deployed prior to the deletion of the npm package were not crippled (but would be during a subsequent release)

yep. if the build fails its never deployed

Your description of "deployed code" is also a suitable description of "cached code." Whatever. Caching is basically right.

@@jpaugh64 No it's not. It has nothing to do with the fact that some code was cached on the client side, nor does it have anything to do with a a cache on the infra side. It's simply incorrect lol

Except if you read NPM's blog post following this incident, they were very clear that when a package's ownership gets transferred, the new owner MUST increment the major version number, and the old owner's code will still exist on all of the same version numbers it did before. This means all existing kik-dependent code would download the same version it did before, and you'd have to explicitly ask it to download the new version which was a different package.
Not saying NPM was in the right, but they were trying to resolve the situation in a way where nobody's code would break.

That's perfectly pictured in xkcd 1172: every change breaks someone's workflow.

Yep. Especially for such short names it should've been first come first serve without a single question or doubt.

Had it been a bigger package, it could also have been questionable legally. Did they still have the right to distribute his code after he unpublished?
...well, they probably did. They most likely wrote their TOS so they could do this, but it still leaves the question of this kind of TOS being enforceable.
Since it is such a small package, it probably won't have any copyright, but it's an interesting question nonetheless.

@@Yotanido It was copyrighted with an open-source license, so it was legal--the license explicitly gave anyone who wanted to permission to redistribute and/or modify the code. So totally legal, just kind of a dick move, but also a dick move for which there weren't any particularly good alternatives.

@@allankcrain the alternative where to not change the name of the other projekt

@@allankcrain The alternative was what NPM apparently ended up doing in the end: writing their own version of leftpad that was way more complicated than it had any right to be and using practices that looked good on paper but actually didn't contribute anything in practice.

@@blazernitrox6329 How is it even possible to complicate something as simple as adding spaces to a string?

It’s probably finnnneeee.

@@mechtechpotato4249 you say that now wait til 2025 when Microsoft is somehow claiming the rights to all of these packages and trying to charge royally fees
Edit: I meant royalty and could have sworn that's what I typed, oh well

@@TheDeadOfNight37 I think they've already learned from the Windows model that collecting and using user data is more valuable than selling physical copies of Windows. In a worst case scenario, I could see them using the same method here, adding a few lines of a code to an open source code to collect snippets of data, making it closed source, and then pretending like they haven't done anything, while they make millions/billions off more user data.

Yarn is *technically* open source but it's still kinda made by Facebook in 2016, a few months after this incident.. Coincidence? 😅

Well go ahead and be the open source dev to write npm from scratch. You'll see why this is an issue fairly quickly. Open source is time consuming with often little to no reward. Take it from a Linux user.

There is a NPM package called “is-odd” that does exactly what you think it does.
It’s been downloaded like 30 million times and has like 2 million download a month 💀 💀 💀

The 2 hours you spend looking for them is much better than the 5 mins to write them

@@abdelbakiberkati Besides what @badscript said about package grouping, you might spend 5 minutes total writing the actual code, but that's ignoring the five hours you spend second guessing if what you just wrote might have some weird edge-case that breaks it. Instead of taking a package that's so widely used that if it was broken in some weird edge case, someone would have noticed by now.

You don't have to write it yourself: String.prototype.padStart

11 lines bro. i'll write 10 myself, but after that i'm outsourcing lmao

Yo I'm like 15 yrs old but pretty interested in web developening yk where I can learn smth about it?

@@unknownperson3842 w3 schools is a great place to start for html, css, and javascript

@@unknownperson3842 In Denmark, Web-developer is a degree after Computer Science. I'd suggest looking into getting a Computer Science degree, then building on top of that with Web-development :) Though, in my personal opinion, Web-development is little more than a degree unless you actually want to do frontend programming rather than backend :)

@@richledbetter2123 alright ty bro

nodejs is a joke

I have fewer than 1 friend in the World. That's right. Everybody disses me for making bad videos. I think they are perfect though. Who is right? My dissers or me? Which side are you on, dear sha

So wait, if you submit a package to NPM then, you're effectively giving up control of it down the road, entirely?

@@ChubiChan not really, you just can't remove it from npm.
but yeah npm is a company so don't expect them to be necessary open source friendly

@@ChubiChan By open source standards, people can technically fork your code and have their own copy or version. You are essentially giving up control. However open source projects are licensed differently and there are a bunch of caveats to this.

@@ChubiChan Yeah, that was always the case. npm is a repository for open-source code only and has a very permissive license (Perl's "Artistic License 2.0"). Once you submit code, anyone can download it, distribute verbatim copies (as long as they include all copyright statements of the original), modify it, and even distribute modified copies (as long as the modifications are clearly described). They can also distribute compiled versions of either (as long as you give instructions on how to access the source code) and aggregated packages including that code as a component. They can even charge a distributor fee to do so. Moreover, the publisher relinquishes all patent claims to any part of their code.
Since your code is published under that license, you can't just revoke those permissions.

From what I recall, they DID offer to pay him for it but he rejected it on principled grounds. Fun fact, open source devs have a major grudge against big corporations. He basically told them to go f*** themselves, and kik, deciding what is one turkish programmer against their billions of dollars, decided they could win and kept escalating.

That's basically what they did. I don't know if they put a dollar amount on it, but it was fairly clear that Azer wasn't open to negotiations.

@@ethanchapman1776 If the emails in the video were actually accurate, it looks like he offered to sell it for $30k, which Kik could have easily afforded.

@@ethanchapman1776 After Bob said "Is there nothing we can do for you that would compensate you for the hassle of changing the name?"
Azer replied with:
"Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks"
which is not entirely unreasonable. 3 letter domain names are in that price range +. Instead of trying to negotiate they escalated straight to npm support 5 minutes later.

Hey, this is our brand already, and for the clarity of recognition we’d like to use our own name just isn’t that unreasonable a request, and they clearly did offer money, he just wanted an absurd amount more than they were offering. Because open source bros are like that.

well of course not, @types packages define how the exported functions & classes should look like. If you download react@16.12.1 which removed or changed feature X but @types/react@16.2.2 which has the old definition for feature X, you'll be in for a bad time.

@@unicodefox It would make sense. The issue is that I didn't even had typescript installed, nor was a typescript project
How a types package ended up there? No idea

@@unicodefox hush, you're making too much sense. Just join the bandwagon and bash JS because there can't possibly be a good reason why JS (and the surrounding ecosystem) is the way it is. Nooo... It must be boiled down to "JS bad, Other language good". Not like you're dealing with different platforms or anything

@@akatsukilevi If you don't use TypeScript, why do you have @types/react installed anyway? unless its a direct dependency, its NEVER going to throw an error; worst case scenario you get a warning in your console from NPM. If your project was broken, its probably a swallowed error somewhere else and nothing to do with the typedef.

@@fahadahaf Two words: Legacy codebase
I have no idea who coded that, I have no idea how that thing worked
Best day of my life was the day I nuked that git repo

@Best 🅥 Silence *b o t*

Yeah, fever dreams are bad.

@Best 🅥 a s m r s o a p

Average HAI video

Lol

yep. OpenSSL - literally the thing encrypting most of the internet - was developed by mostly 1 guy with 2k donations a year.

beautiful simile right here,

Atlas? Fake news. It's a huge goldfish.

so true, it's mostly furries, so remember to be nice to them even if you think they're weird

@@gayrights8315 One should be respectful and kind to anyone, furry or not, in the first place. That's just basic etiquette, isn't it?
Besides that, have we all forgotten the idea of the golden rule, which I'm quite sure was drilled into our heads from a young age if you had good parents/teachers, that is?
Not to mention, if we're supposed to accept people for who/what they are, isn't isolating/making fun of people because you think they're weird kinda the adverse intention? Plus, it could be reciprocated back, you could think what I do is weird, but I could think something you do is weird as well.
Additionally, from my time in the fandom, I've found most people join due to childhood trauma, e.g. parents divorcing/childhood abuse. Before you judge me or anyone else, furry or not, consider thinking, "what's happened in their life that they came out this way?"
Also, this wasn't meant to attack you or anyone. Just some thinking points. Please don't take my huge comment as provocative. Other than this section, the word "you" is just used in a general sense, meant to help explain a point. I sincerely hope this doesn't start a huge fight in the comments.

At my workplace someone built a crash logging system and called it "Bandicoot" :P

It took me way too long to get this joke. I think because his name was Crash and not Crashing.

The only innacuracy is that they put Java as more important than C++, fuck java

@@benjii_boi Companies don't pay you to look at every piece of code your project depends on

@@benjii_boi Hahahaha!
Wait you were serious? Let me even laugh harder
HAHAHAHHAAH!

@@benjii_boi my little kiddies here don't know about coding like us and usually use basic packages without even lookin at the codes that make them up, I think our galactic brains work harder than their basic programs which are made by people who don't even know what the program is made of. 😀

@@benjii_boi That's the unlucky part for you when trying to insult others and trying to put them down. Only because you are required to do so, it doesn't mean that others will be required to do so.
See the problem is that you assume that everything has to be the same way like you do.
But in reality most of the software written is not part of critical infrastructure like the niche example you pointed out.
My employer doesn't pay me to check the depencies i put in. They pay me to add features or fix bugs. I can't achive SLAs for my tickets if i have to check every line or every code block.
Even a dumb script kiddie would realize this fact :)

Everything is built on Java, don't you know?

@@jjpaq LMAAOOO

@@jjpaq Java compiles to JavaScript

It's might not be exactly wrong, I wouldn't be surprised if there was some sort of compiler for C++ out there that installs using a Python script lol

same

plus it can be more secure, i’d rather trust a package about cryptography made by people who actually know what they’re doing rather than smthn i throw together

After trying to code everything by myself, I realized that literally any medium sized coding related project is borderline impossible(if you're solo of course) without using other peoples code.
You don't reinvent the wheel every time you need it not because you're lazy but because it's just stupid and time consuming to do.

Not in this case however

Not necessarily standardized, lol, but I get your point.

@@shawermusif someone is so insistent on reinventing the wheel. They should code in binary with bitwise operation and creating all sort of stuff leading up to their programmed. After all, all these programming languages with built in functions all trace back to someone was making stuff with binary

This. When people cite underrated, now I would cite this turkish guy

amateur, i dont code and it breaks

@@TheRatsintheWalls “it works on my machine”

or in this case, copy the code into your one program (yes, is in this case legally, you may have to add the name of the original creator)

@@schwingedeshaehers yeah indeed if the license permits

The problem is that, while it's easy to replace something like leftpad for your own project, it's extremely expensive and more likely to add risk to not use a tool like babel or react, far more complex and valuable libraries with extremely active development and security analyses. Like this video said, applications that relied upon these more complex tools became dependent upon this very simple tool. In general, the pooled security is far more valuable and saves far more money in the long run than avoiding the occasional hiccups using open source projects. In general, having a few bad days each year is nothing compared to trying to recreate React.

left-pad isn't even the worst of it. There's packages that are literally a single line of code and they still get used. Everything surrounding JavaScript, including NPM is a total shitshow.

@@forgottenfamily just throwing this in there as someone with 19 years of CS experience, I've never used react or babel. I actively discourage react usage for anything other than hacks (or 'bodge's as Tom Scott puts it).

If someone screwed with numpy academia would collapse

Oh damn. That would be a NIGHTMARE holy crap.

50th like😉

See now that there is a worst case scenario.

How to kill all of machine learning and cryptography in one easy step!

which moment?

Duuuude

@@schwingedeshaehers NPM is only for JavaScript only (someone in the comment said)

If you are so pedantic don't watch videos about this subject

So you're the guy who's not invited to parties that was mentioned in the video!

Many spitful devs have done this. From wiping hard drives of computers with Russian IPs to generating corrupted text instead of placeholders.

The problem with adding malware to code, even code you own, is illegal in many countries. Had he actually done that, you can bet all sorts of "Governmental Suits" would have been banging on his door just as quickly as his code was reinstated. Just remember this, no matter how painful Corporate Suits can make your life, at least they can't legally kidnap you, chuck you in a hole somewhere, and forget about you.
No, pulling a Cartman by taking his coding ball away and going home was the best way to bring light to this. He was fully in his rights to do so, and it's not his problem that things broke.

You mean like the guy who made node-ipc? Yeah, that was a hella fun, huh?

@@rkvkydqf i think the event you are referring to was russian ip addresses, not keyboard layouts, no?

You know what would've been funny and more distruptive? If he made it 2 left spaces rather than 2.

I agree he took the name first

@@alexstone691 More than that, they STOLE frokm the dude. NPM publishing some-one else's work against their wishes?
That's theft man

@@UmaROMC no, the code wash published under a licences that allowed that before

@@UmaROMC All packages are published under a specific license. Most NPM packages (though not remotely all) including leftpad are using the MIT license. The MIT license is generally "do what you want, just don't blame me if something goes wrong". If the original versions were published under the MIT license, then NPM is fully licensed to republish it and it isn't theft. It might be disrespectful, but it's also disrespectful to cause billions of dollars of damage to the economy out of spite because two companies fucked you over (and no, that's not an exaggeration. If it had remained unpublished, it would have been that bad)

right?? how the fuck do you need any amount of code to pad a string? and here i thought JS was considered batteries-included.

I wonder how he'd react if he saw this video.

what a chad

That makes two people named Azer who broke the internet (the other being the kid who appeared in those videos with Tara and Raven Your Acidbath Princess of the Darkness)

Tell him he shouldn't have apologized, he did nothing wrong, not his fault

You dont reinvent what people have figured out

@@hyoroemongaming569 It's just too simple for risking such a catastrophic event. The code for is-even is literally shorter than typing the name of the package (n%2==0) and it's still popular
You don't need to reinvent the wheel, but you don't need to import an ice cube from Antarctica.

What gets me is "we don't mean to be dicks" "but you are being dicks" "wahhh help hes being abusive"

Let's not forget that McDonald's failed in court when they tried the same "just defending our trademark" attack on an Irish burger chain called Supermac's. Having a trademark doesn't give you priority.

@@AdrianColley That is a very different case as Mac is a common name so a trademark based on it can only be applied very narrowly, Kik is not a common word and as far I can tell has no meaning outside of internet slang meaning as a trademark it can be applied much more widely.

I was gonna say something about that image(!)

Yep. `node_modules` isn't some alien artifact, but the entire dependency graph for your project. And when you stop and ponder if some tiny library requires gigabytes of code to run, you realize just how broken this ecosystem is. Why is it not a thing with Python, Go, or C#, but gets so bad with NPM.

@Firstname Lastname deno is trying to solve the problem of shitty packages. If you feel comfortable with node you should try it, it's very refreshing
Also it's mostly out of convinience. If you're starting out for example it's easier to use the same language for both frontend and backend rather than learning an entire new ecosystem just to write one app and besides js on backend is actually pretty fast and scalable

some people are smart enough not to use it, same with the frameworks that go in and out of style

Npm is probably less broken than any package manager before it. You never had to live through rpm hell, for example

@@lztx that said, less broken is still - fundamentally - broken.

@@jeshweedleon3960 I'm a PHP/Perl developer. Broken is a way of life. 😂😓

python's pip sucks. conda sucks. i use gentoo's portage to manage my python dependencies (jk)

Kik the package was probably around before Kik the website so technically the development could claim copyright in the space of code packages and Kik the company couldn't do shit about it.

@@drewjanus4643 Doubt the package predates the company. Both Kik the messenger and npm were released in 2010, roughly 8 months apart. Unless Kik the package just happened to be released on npm in that relatively short timeframe, Kik the company was first.

That's a great idea! In one country only. Also, in America, multiple companies or their products can have similar names as long as there's no chance of confusion. See also: Popeyes the fast food chain & Popeye the cartoon character.
Which one gets the single "official" slot in your scheme?

@@klfjoat Given we're talking very literal and specific strings of text, they both get what they want. popeyes gets with an s and popeye gets without. Simple.

@@klfjoatthe one that’s a registered trademark, obviously. Go register Popeyes and let us know how that works out. While you’re at it, make the logo magenta. You’re not offering phone service so I’m sure T-mobile will be super chill about it.

I was thinking of that xkcd the whole time!

Now we have xz to add to the pile!

Not even duct tape.

Yup. Most programmers are furries, trans people, autistic people, or all of the above.

As a wise man once said, "If a furry convention fell into a pit of lava, the world's IT capabilities would plummet into the stone age."

@@loonloon9365 I saw a tweet with a plane full of furries a while back and basically all the comments were about how this was a high risk concentration of critical individuals on one plane and how doomed we’d be if it went down.

@@AnimilesYT they really aren't.

source??? 🤣🤣🤣🤣🤣👎👎👎👎👎

*Laughs in native code*

the grandmother was also Armenian. her name was Hayastan Shakarian. “Hayastan” literally means “Armenia” in Armenian

It's a good example of why you should use a package manager that locks you to a specific version of a package, and doesn't update unnecessarily.

@@qwertyTRiG And even more, why you shouldn't use packages at all for exceedingly simple code you ought to be able to write yourself.

@@room34 Yes. To be honest, left pad seems like a strange thing to be that popular. (We write in PHP, and use Composer.)

Spot on, was a developer but never on websites. When I found out about the Jenga tower (nice image - thanks HAI) that is modern code I was horrified.
Disclaimer - I am a boring baby boomer and so totally out of touch and senile and still own a sliderule - but I am right, it deserves to break.

Replace "web developer" with "house builder" and "package manager" with "hardware store" and people will declare you insane.

Except for the part you could easily spot the missing package, and since it was used freaking everywhere, you can just rebuild it from one of the millions of copies floating around on the Internet. Like it's 11 lines of code, just make your own package and have it locally.

Yes it would be Fun to watch that.

Yes it would be Fun

Yep. It's especially true for things like cryptography and rendering. If you end up writing it without any prior qualification, you'll get a barely working mess. Reusing code is good.

depends on the context though, here node was implied. node devs are notorious for using hundreds of small packages they don't really need and could write themselves in minutes.

@@gab8169 one gets malware'd or deleted and the house of cards crumbles

@@gab8169 Yeah, most of his commentary on the subject earlier in the video was definitely mostly just him being coy, but with leftpad specifically? Yeah, he ain't wrong about laziness there. It's a ridiculously simple function, it probably takes more time to find, download, and include it than it does to literally just code it yourself.

I don't think the quote that it was "lazy" was said in any real seriousness, to be fair.
That said, I'd agree with reusing code, up to a point - don't reinvent the wheel, and save that time to do better things!

Yeah you'd be surprised that there are idiots that design sites that do that...they usually fail for obvious reasons though.

So it's a case of people not knowing the language they're paid to know well enough?

padStart wasnt added until ECMAScript 2017, and this happened in 2016

@@mikey9164 oh, my bad.

deep web for the win

You assume these other things don't also use npm?
Anything using npm was hit hard by this.

@@gavros9636 Probably not. Mail clients may use javascript, but I wouldn't imagine that many mail servers do. Or FTP servers. Or most internet servers. In fact, not many web servers do either, except those using Node.

@@gavros9636 you wouldn't use Node for a production SMTP/IMAP/POP3 server, and certainly wouldn't use it for anything like centralized VOIP servers such as SIP. I've seen Minecraft Servers done in PHP, so I won't say anything about those. But the Internet as a whole does not run on NodeJS and NPM.

@@qwertyTRiG I think you'd be surprised and disappointed how many modern server-side things are written in JS.

It does happen quite often. Sometimes packages that are widely used get updated with malware, infecting tons of developer PCs and servers.

Guess what's even more common and destructive? *The Cloud*™ comes crashing down to earth. Thanks to some managers calling Technical Debt *Software As A Service"™, each time Amazon, Google, or Microsoft do something dumb to their services, the entire internet breaks.
The lesson's learned. Don't rely on a corporation or an 11 line package to do the work for you, unless necessary.

Have you not heard about node-ipc (yes, another Node.js library, what else?)? The guy literally added malware that destroyed people's files to it to protest the war in Ukraine - and Unity actually distributed that malware to its users.

Here's something they won't teach you in school that’ll be valuable to you : *Register your copyrights.*

@@NinjaRunningWild Exactly.

@Best 🅥
Say bye to your account, bot

Wouldn't be necessary if JavaScript wasn't such a shitshow of a language.

It always depends on how safe you want your code to be for unexpected inputs (especially if the users can enter stuff). In Javascript you don't have static types, so you first might want to make sure that what you are checking is a (whole) number. Then you have the problem that very large numbers in Javascript aren't exact anymore (9007199254740992 is equal to 9007199254740993 and 9007199254740993%2 is 0). So, especially in very large and complex enterprise applications you might want to protect against those cases and fail gracefully instead of hard/invisibly. And that is exactly what isOdd/isEven are doing.

@@I25mI25 This boils down to two problems: Javascript's duck-typing (or whatever they call the horrible type system where everything is an object until it's not), and the borderline insane decision to make all numbers floats (with their inherent imprecision) Or as someone else has put it: Javascript is a shitshow of a language.

@@jfolz lmafo
If (num % 2 ==0) true
Else false
It's literally that simple with JVM/JS/PY/C and with machine code it's even shorter

@@LeviForWaifu you sure? I did a quick search. There's at least 3 packages that check if a number is odd on npm. They're quite similar in that they perform a couple of checks that what you put in is actually a number and that it's somehow safe(?) to use. Then they return (n % 2) === 1, so apparently your line was already wrong in some cases.
There's a reason why they had to invent === and that reason is JS is a terrible language that should've died a long time ago.

Watch Dylan Beattie's talk _The Art Of Code_