npmjs.org tells me that left-pad is not available (404 page)
silkentrance opened this issue · comments
When building projects on travis, or when searching for left-pad on npmjs.com, both will report that the package cannot be found.
Here is an excerpt from the travis build log
npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm v2.14.7
npm ERR! code E404
npm ERR! 404 Registry returned 404 for GET on https://registry.npmjs.org/left-pad
npm ERR! 404
npm ERR! 404 'left-pad' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'line-numbers'
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! Please include the following file with any support request:
npm ERR! /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1
And here is the standard npmjs.com error page https://www.npmjs.com/package/left-pad
However, if I remove left-pad from my local npm cache and then reinstall it using npm it will happily install left-pad@0.0.4.
according to https://registry.npmjs.org/left-pad
unpublished: {
name: "azer",
time: "2016-03-22T21:27:15.696Z",
...
}
It's causing Babel to fail installation
@tonytamps thanks for pointing this out
@azer why? this will break babel based builds on travis...
I'm having the same issue.
Yep, I'm having the same problem.
Seems like https://www.npmjs.com/package/left-pad is up again, but no versions published.
@tonytamps it seems like the registry has updated weirdly
{
"_id": "left-pad",
"_rev": "12-29db2b53680e1c66ee1acc89502fe1b0",
"name": "left-pad",
"time": {
"modified": "2016-03-22T21:42:18.002Z",
"created": "2014-03-14T09:09:20.762Z",
"0.0.0": "2014-03-14T09:09:20.762Z",
"0.0.1": "2014-08-14T03:31:03.146Z",
"0.0.2": "2014-08-15T07:13:09.056Z",
"0.0.3": "2014-08-15T07:14:44.360Z",
"0.0.4": "2015-05-20T04:04:04.473Z",
"1.0.0": "2016-03-22T21:42:18.002Z",
"unpublished": {
"name": "westlac",
"time": "2016-03-22T21:47:25.250Z",
"tags": {
"latest": "1.0.0"
},
Yeah I published a 1.0.0 to try to resolve the dependency. It looks like someone (not me) completely removed left-pad from the npm registry
Is there a way to get all the old versions back again? In my project it's at the end of a fairly long dependency chain...
@azer would know better why it was unpublished (assuming he was the one to unpublish it)
@camwest The package line-numbers is pinned to 0.0.3 specifically, so you'll need to publish that version or someone will have to summon the creator of line-numbers.
Just tried replacing the travis version of npm which is fairly old by a the latest and see what it will do
npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm v3.8.2
npm ERR! No compatible version found: left-pad@0.0.3
npm ERR! Valid install targets:
npm ERR! 0.0.9
npm ERR!
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR! /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1
It will now tell me that there is a version 0.0.9... weird.
Will not try to install that one, though, with all the malware going around...
+1 same issue here.
@RongxinZhang try and use the new GitHub reactions instead of the old +1 :)
+1 same issue
@jmcriffey I can't publish 0.0.3 because it's already been published and removed. NPM forbids publishing a version of the same library twice.
See npm/npm-registry-couchapp#148 for context
@lydell is there a way to make line-numbers work again, perhaps an alternate package or by depending on left-pad@1.0.0 instead?
+1... this is messing things up for a lot of ppl.
This pull request needs to be merged and line-numbers needs to be republished
+1 Also broke my stuff
Same
Same - broke my build
This kind of just broke the internet.
It broked our build. Halp pl0x. Demo video for investors needs deploy soon. :-)
My build wants version 0.0.3 back or else it's going to hold me hostage. npm reports the only valid install target is 0.0.9
was about to deploy after weeks of work (to demonstrate to the client) and bam - this issue.
It looks like someone (not me) completely removed left-pad from the npm registry
Time to update your password / credentials?
@jacksonrayhamilton I'm not the original author. When it was removed from npm I just forked this repo and republished it.
Chatting in https://slack.babeljs.io #discussion fyi
Emergency release of babel with line numbers dependency removed incoming soon...
Yep, given that it's unclear when line-numbers will be updated, we're dropping the dependency from babel-code-frame for now until we have more time to resolve.
You can install from github by adding left-pad to your to your package.json.
"dependencies": {
"left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355"
}
I made a pull request to line-numbers that is using this as a dependency if you guys want to thumb that up so he sees it lydell/line-numbers#2 i believe @camwest made one too
@loganfsmyth care to use lodash? https://lodash.com/docs#padStart
Published a new version of babel-code-frame as 6.7.3 that removes line-numbers. Need to backport it to v5.
The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.
@maxkostow Thanks,
adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json
fixed my build
@loganfsmyth @kittens thank you very much. YMMD!
The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.
NPM should really not allow removing of previously published versions.... surely?
A relevant place to bring up the npm issue is over here: npm/npm#12012
@ctolkien I think that this is also proving that a small issue can be fixed in a matter of minutes with open source when hundreds of people are having an issue. Definitely much better than calling your oracle rep to submit a ticket for an issue.
FYI Babel 6 is now fixed.
$ npm install babel-core@6
/Users/sebmck/Scratch/fuckkk
└─┬ babel-core@6.7.2
├─┬ babel-generator@6.7.2
│ ├─┬ detect-indent@3.0.1
│ │ ├── get-stdin@4.0.1
│ │ └── minimist@1.2.0
│ ├── is-integer@1.0.6
│ └── trim-right@1.0.1
├── babel-helpers@6.6.0
├── babel-messages@6.7.2
├─┬ babel-register@6.7.2
│ ├── core-js@2.2.1
│ ├─┬ home-or-tmp@1.0.0
│ │ ├── os-tmpdir@1.0.1
│ │ └── user-home@1.1.1
│ ├─┬ mkdirp@0.5.1
│ │ └── minimist@0.0.8
│ └─┬ source-map-support@0.2.10
│ └─┬ source-map@0.1.32
│ └── amdefine@1.0.0
├── babel-template@6.7.0
├─┬ babel-traverse@6.7.3
│ ├── globals@8.18.0
│ └─┬ invariant@2.2.1
│ └── loose-envify@1.1.0
├─┬ babel-types@6.7.2
│ └── to-fast-properties@1.0.2
├── babylon@6.7.0
├── convert-source-map@1.2.0
├─┬ debug@2.2.0
│ └── ms@0.7.1
├── json5@0.4.0
├── lodash@3.10.1
├─┬ minimatch@2.0.10
│ └─┬ brace-expansion@1.1.3
│ ├── balanced-match@0.3.0
│ └── concat-map@0.0.1
├── path-exists@1.0.0
├── path-is-absolute@1.0.0
├── private@0.1.6
├── shebang-regex@1.0.0
├── slash@1.0.0
└── source-map@0.5.3
The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.
The way I see it, the problem is not the modules, but rather reliance on a centralized system.
A relevant place to bring up the npm issue is over here
No, that is not a relevant place to bring up the issue. This is not something over which the npm CLI maintainers have any control or responsibility. It's unfortunate that this package got unpublished, but this is the system behaving as designed.
a way to vendor npm modules would be sweet
The problem is reliance on other people.
If you rely on other people -- for literally anything -- then you can be surprised when they act in ways that you didn't predict.
That goes for relying on other peoples' servers, their code, their ability to show up to their jobs on time, etc.
The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.
@sheki https://docs.npmjs.com/files/package.json#bundleddependencies
This problem was identified and then fixed in minutes. This isn't an example of the small modules philosophy breaking; it's an example of it working.
Wait so what is the fix? Im still getting the error
Upgrading babel isn't trivial
@anauleau This is fixed for Babel 6.x, a fix for 5.x is incoming.
I am using babel 5.x, so ill wait...
The fix from @maxkostow worked for me.
This problem was identified and then fixed in minutes. This isn't an example of the small modules philosophy breaking; it's an example of it working.
@isaacs I completely agree with you, thanks guys!
Hi all,
Sorry about this. I've unpublished all my stuff from NPM.
You can change your dependency to point to azer/left-pad.
If there is any volunteer to take over this module, I'll happily transfer the repo.
Apologizes for inconvenience.
Azer
haha broke my build too. this literally broke major projects like react-native 😄
Seems like a lot of major projects have dependencies on this.
@kittens i would be glad to help too username ccutch
wait nope, there's literally no way to fix this for older versions. you've basically broken every single version of babel. you can't republish over already published packages. babel relies on line-numbers with a fixed version and line-numbers relies on left-pad with a fixed version.
The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.
That's not what I was implying. The JavaScript community is library-based; of course we must and do rely on each other for almost everything.
I was implying some decentralization could make the system more reliable. For instance: If a package can't be downloaded, but is cached, install the cached version? (Maybe resolve this issue?) Or: Replicate (part of) the registry locally or onto your own server, and refuse to delete packages on your server?
@kittens the repo on npm was complety erased and re uploaded making the 0.0.3 release erased.
@azer I read your article on medium.
I think what happened is really sad and we should think of some sort of protection against this kind of things happening.
@azer While I'm annoyed this has wasted part of my day. I'm okay for the reasons as you've explained. Now to deal with the fallout.
I changed my pull request for line-numbers which is the dependency that babel uses to use lodash over this library lydell/line-numbers#2 please help get this noticed.
@ccutch that wont fix it since babel relies on it as a fixed version rather than a range
Is there really no way to tell npm to re-publish a package that was explicitly unpublished?
@loganfsmyth there sure is - NPM Inc can step in and steal control of this module just like they did the kik module.
Forget my broken build, that's some non-sense!! @azer I totally agree, thank you for your contributions and helping the JS community grow just a little bit more, regardless of this outcome. Cheers buddy!
In my eyes, this is not a waste of time, but a learning experience on dependencies and how open source software is being effected by big companies.
wait nope, there's literally no way to fix this. you've basically broken every single version of babel. you can't republish over already published packages.
If it's not apparent yet, but this exemplifies how NPM and much of the community's use of it is utterly broken.
The Medium article, for those interested.
Forget my broken build, stick it to the man!! @azer I totally agree, thank you for your contributions and helping the JS community grow just a little bit more, regardless of this outcome. Cheers buddy!
yes, who cares about all the peoples time this is wasting am i right
Thanks to @maxkostow - his fix also worked for me.
npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355
Add --save or --save-dev at the end to overwrite your package.json.
FYI I was deploying on Codeship but had to clear their depenency cache.
adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json
Thanks for the fix!
Everyone check out my new npm module called dominospizza™
Managed to publish babel 5.8.36.
IF YOU HAVE YOUR VERSION FIXED THEN YOU WILL NEED TO UPDATE TO ONE OF THE FOLLOWING:
6.7.25.8.38
So ironic that 17 lines of code breaks the internet 🙌
So ironic that 17 lines of code breaks the internet 🙌
We've made a copy of 0.0.3 available for anyone who wants to point to it instead: https://github.com/Automattic/left-pad-0.0.3
Here's how we updated our shrinkwrap file to point to it: Automattic/wp-calypso@a6ab617
I've requested from npm that they restore 0.0.3 on npm since I'm now the owner of the package...
npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 --save
Unfortunately, this does not work behind most corporate firewalls.
Wow. Many hundreds (thousands by the time it's all done?) of man hours were just wasted because someone doesn't understand basic copyright and trademark law. I'm not a lawyer, but as I understand this NPM and the lawyers did exactly what they were legally required to do.
There's no "sticking it to the man" here, this is punishing your fellow node and javascript developers. This is a knee-jerk reaction to a very typical and expected situation (do a Google search for "kik") with no thought at all to the consequences.
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
Thx a ton @maxkostow !!! 👍 You sire are a life-saver!! This works sweet. Installs the so-badly-needed left-pad@0.0.3 version. I am on track now :)
"left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355",
It seems to be working now. Without any hacks or having to manualy install the package.
@paladox I just tried, doesn't work for me. Did you do an npm cache clear before you tried to install?
Someone get kik on the phone, see if they want to take ownership of left-pad
@loudwinston nope.
@paladox Do that and try again. I'm fairly certain its still broken, and will remain so since npm doesn't allow you to republish with the same version number.
@loudwinston if you have a shrinkwrap you need to delete npm_modules, reinstall and regenerate it
@paladox it's not working for me
npm install left-pad@0.0.3
npm ERR! Darwin 15.4.0
npm ERR! argv "node" "/usr/local/bin/npm" "--registry" "https://registry.npmjs.org" "install" "left-pad@0.0.3"
npm ERR! node v0.12.7
npm ERR! npm v2.14.8
npm ERR! version not found: left-pad@0.0.3
and make sure your babel semver lets you install the latest babel
I can confirm this is fixed
@jasonroelofs Reminds me of DNS - also incompatible with the trademark system.
Namespacing might help avoid this, too. We'd probably still have suits over namespaces, but at least kik and azer could probably each have their own kik.
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
@jasonroelofs I dunno, but I got tired of reading changelogs for dozens of semi-maintained deps, so I went back to using Python on the server. Just sayin'
@stavarotti Did you try using git+https://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 ? That works for me behind my corp firewall
Also, why do so many NPM modules depend on so many small, easily inlineable helpers and tools?
not to sound too cynical, but welcome to NPM!
majority of modules are tiny, repeatable simple logic pieces ... it seems as a community we're heavily relying on this pattern.
anyways, not a relevant discussion to this thread, but one I'd like us (as a community) to discus further.
Was broken for my react-native build, is now working with no changes on my part.