Another one-line npm package breaks the JavaScript ecosystem




An update to a small JavaScript library threw a large part of the JavaScript ecosystem into chaos on Saturday, with millions of projects being hit.

What makes the situation absurd is that the whole mess was caused by a "single-line" JavaScript library, marking the second time that a small JavaScript project has caused widespread problems.

The promise of a line

The package at the heart of this weekend's problems is called is-promise. The library consists of two lines of raw source code, and developers can use it in their projects through a single-line call.

Its purpose is to let developers test whether a JavaScript object is a "Promise", with the function returning a boolean yes-or-no result when used in production.

Despite being just two lines of code that perform basic verification, the is-promise library is one of the most popular JavaScript (npm) packages today. According to GitHub, the library is part of more than 3.4 million projects and is used as a dependency by 766 other JavaScript libraries.

Over the weekend, the is-promise library was updated to add support for working as an ES module, the standardized module system used by the JavaScript language.

However, is-promise v2.2.0 did not adhere to the proper ES module standards. As soon as the update came out, projects that used is-promise within their build chain started to fail because of the incorrect ES module support [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].

The effect of the bug was felt immediately, impacting some of the largest projects in the JavaScript ecosystem from closed source JavaScript codebases.

This included Facebook's Create React App (the standard template for creating React apps), Google's Angular.js framework, Google's Firebase tools, Amazon's AWS Serverless CLI, Nuxt.js, AVA, and more.

The bug didn’t crash existing projects, so there was no actual downtime, but it did prevent developers from compiling new versions of their projects.

The is-promise team released an update that failed to fix the problem, and finally removed ES module support in v2.2.2, released a few hours after the dominoes began to fall.

It happened before in 2016

This incident marks the second time that a small JavaScript library has caused problems throughout the JavaScript ecosystem. Something similar happened in March 2016, when the author of the left-pad JavaScript library (another project with 17 lines of code) decided to unpublish it, breaking thousands of projects in a similar way.

As happened in 2016, the is-promise incident raised questions and started discussions about the need to have one-line libraries available in the ecosystem.

The same arguments are raised again, as they were raised in 2016, and in previous years, in the ecosystems of other programming languages.

One side argues that modularization goes too far when developers create libraries that consist of only a few lines of code, for the most trivial operations.

The other side argues that modularizing such elements is necessary, since this way "Task A" can be managed within one module, instead of thousands of developers taking care of it in their own projects in different ways.

Discussions about modularization have been raging for years and they will most likely not come to a conclusion any time soon.


