The following example shows the consequences of a small package's build issues, even without malicious intent. On March 23, 2016, developer Azer Koçulu removed 250 modules he had written that were published to the npm registry. One of these modules, left-pad, was a very small piece of code, 11 lines long, that padded a string on the left with spaces (or another character) out to a requested length. That same day, developers all over the world noticed that something was wrong with their JavaScript builds. One of the errors read: "npm ERR! 404 'left-pad' is not in the npm registry." This means that a package called left-pad is required to build or run the project, but it is no longer available. Many developers were confused as to what was happening, as they had never used such a module themselves. They did not have to: other packages in their dependency tree were pulling it in without their knowledge.
left-pad was used in thousands of enterprise and commercial applications around the world, including those built using the Babel compiler for JavaScript and the Node programming platform. After the left-pad code disappeared from the registry, thousands of builds stopped working. What seemed like a trivial issue (developers could easily recreate left-pad's functionality in their own packages) had a huge impact on the development world.
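The practical check a developer needed that day was not "do I import left-pad?" but "which of my dependencies, transitively, resolves to it?". The following is an added example, not code from the original article or from npm: it walks the `packages` map of a package-lock.json (lockfile version 2 or 3) from the project root and prints every dependency chain that ends at a given package, applying npm's nearest-ancestor `node_modules` resolution so that nested duplicate copies are reported with the version actually installed. The lockfile below is constructed for illustration; the package names are chosen to resemble the Babel chain mentioned above, but the versions and the exact chain are made up.

```javascript
// Added example (not from the article): enumerate every path by which a
// project depends on a target package, using the package-lock.json v2/v3
// "packages" map. The lockfile below is constructed for illustration; its
// versions and dependency chain are invented.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'babel-core': '^6.0.0', 'cli-table': '^0.3.0' } },
    'node_modules/babel-core': { version: '6.7.4', dependencies: { 'babel-code-frame': '^6.7.4' } },
    'node_modules/babel-code-frame': { version: '6.7.4', dependencies: { 'line-numbers': '^0.2.0' } },
    'node_modules/line-numbers': { version: '0.2.0', dependencies: { 'left-pad': '^0.0.3' } },
    // Nested copy: line-numbers needs an older left-pad than the top-level one,
    // so npm installs a second copy under its own node_modules.
    'node_modules/line-numbers/node_modules/left-pad': { version: '0.0.3' },
    'node_modules/cli-table': { version: '0.3.1', dependencies: { 'left-pad': '^1.0.0' } },
    'node_modules/left-pad': { version: '1.0.0' },
  },
};

// npm resolution rule: a dependency of the package installed at `fromPath`
// is the nearest `node_modules/<dep>` found while walking up the tree,
// ending at the project root (path '').
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (base === '') return null; // not installed (e.g. an optional dependency that was skipped)
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Depth-first walk from the project root collecting every chain that ends at
// `target`. Each chain element is "name@installed-version". `onPath` guards
// against dependency cycles, which npm allows.
function findDependencyPaths(lock, target) {
  const { packages } = lock;
  const results = [];
  const onPath = new Set();

  function walk(pkgPath, chain) {
    if (onPath.has(pkgPath)) return;
    onPath.add(pkgPath);
    const entry = packages[pkgPath] || {};
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDep(packages, pkgPath, dep);
      if (resolved === null) continue;
      const next = [...chain, `${dep}@${packages[resolved].version}`];
      if (dep === target) {
        results.push(next);
      } else {
        walk(resolved, next);
      }
    }
    onPath.delete(pkgPath);
  }

  walk('', []);
  return results;
}

// One line per chain, root dependency first.
function report(lock, target) {
  return findDependencyPaths(lock, target).map((p) => p.join(' > ')).join('\n');
}

console.log(report(SAMPLE_LOCK, 'left-pad'));
```

On a real project, `npm ls left-pad` gives the same answer from the installed tree; the value of reading the lockfile directly is that it can be done in CI, before `npm install`, against whatever lockfile is committed, and for every package you care about rather than one name at a time.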
Universal threat
“I think it’s important to emphasize how pervasive open source is. According to Gartner, 95% of enterprises use it for their internal projects,” says Eng. As modern development increasingly gravitates toward accelerated programming methods like Agile and DevOps, he believes that the only surefire way for enterprises to ensure the best protection is to create an internal team of developers who write their own functions and libraries for the project.