The project took off in 2009 with the creation of npm, which packages and archives the code snippets created by developers, and by 2013 Schlueter reached out to Voss to evolve npm Inc from a serious hobby into a business. Voss had been working in the world of the startup, and signed on as CTO.
The road to that point had been a long one for Laurie Voss. As a child, he would make fake computers out of cardboard and play with them. His abstract fascination entered the world of reality at age eleven, when he got a computer of his own, something that was quite rare at the time. “I was mostly just playing around with it until I was fifteen, when Internet access arrived in Trinidad, and I started building web pages,” Voss says. “The attraction of the web was how powerful it was, what an equaliser it was: I, a kid in Trinidad, was capable of making a web page just as good as some kid in America.
“That had never been true before, and it’s still true. Every little thing you add to the web makes the whole world better, in some tiny but real way. I think that’s an amazing thing,” he adds, “and I still get excited every time I think about it.”
The npm project has four million users globally, who contribute, adapt, and access code packages continuously. Think of the whole process as a software version of Jenga blocks, and you begin to get the idea. That’s also a good way to understand what went wrong in March — and it all began with a name.
Kik is a new instant messaging app. It’s also the name of an unrelated code module written by Azer Koçulu, one of many that he’s contributed to the npm repository.
The Kik app developers began a correspondence with the author of the code module about renaming his software, because it intended to publish its own open source code to the repository. That infuriated Koçulu, and the annoyed programmer withdrew his kik module along with the other 272 he had published with npm. Among them was a popular code package called left-pad. In March 2016 alone, left-pad was fetched 2,486,696 times.
According to a blog of clarification published by npm, “Shortly after 2.30 pm (Pacific Time) on Tuesday, March 22, we began observing hundreds of failures per minute, as dependent projects — and their dependents — all failed when requesting the now-unpublished package.” A replacement package (called a fork, a branch development of the original code) was added to the repository within ten minutes, but the code failures continued, because the unpublished left-pad package was being called by a specific version number, which was no longer available.
“To prevent that kind of problem in future, we’ve now made the process of unpublishing a package a lot slower, so it can’t take everybody by surprise,” he says. “We’re also taking steps to correct the bad policy we had that made Azer get so mad at us in the first place.
“Unpublishing,” Voss says, “happens all the time. This event, unpublishing a really popular package that had been around a long time, was unprecedented, which is why it caused so much disruption.”
It was a different kind of excitement for Voss, who is currently acting CEO of npm while Isaac Schlueter is on paternity leave. “My title is CTO,” Voss explains, “but my role hasn’t stayed the same for more than three months in a row since we started the company.
“I was writing code, then I was architecting, then I was recruiting, then I was managing, then I was analysing data, then I was project managing, then I was defining product direction.
“Ask me again in three months and it’ll be different again, I’m sure.”