As a result, thousands of software projects that used left-pad as a dependency, including the Babel transcompiler and the React web framework, could not be built or installed.
This caused widespread disruption, as technology corporations small and large, including Facebook, PayPal, Netflix and Spotify, used left-pad in their software products.
The removal of left-pad has prompted discussion regarding the intentional self-sabotage of software to promote social justice and brought attention to the elevated possibility of supply chain attacks in modular programming.
left-pad was a free and open-source JavaScript package published by Azer Koçulu, an independent software engineer based in Oakland, California.[4][2]
Despite its relative obscurity, left-pad was heavily used: it served as a dependency for thousands of other software projects and reached over 15 million downloads prior to its removal.[1]
After Koçulu expressed his disappointment with npm, Inc.'s decision and stated that he no longer wished to be part of the platform, Schlueter provided him with a command to delete all 273 modules that he had registered.[10]
npm changed its policy on the removal of published packages to prevent deletion if more than 24 hours have elapsed since its release date and at least one other project requires it as a dependency.[2][8][9][1]
Many commented on the "move fast and break things" culture of JavaScript development, the unpredictable nature of open-source software, and a perceived over-reliance on modular programming.
In addition to the widely publicized left-pad incident, a number of individuals immediately hijacked Koçulu's other packages with unknown code after they were removed.[7]
npm released a new policy to prevent malicious takeovers in similar disputes,[3] but the left-pad incident is still cited as an example of over-reliance on external contributors leading to an increased attack surface for software products.
Figure caption: left-pad at the time of its npm removal