Can Open Source libraries be withdrawn?

A curious example this week is the withdrawal of a piece of code downloaded 2.5 million times per month, as reported by The Register, which broke builds for many (perhaps most) npm (Node.js) users. This is now fixed, at least temporarily, and npm are reconsidering their policies on withdrawing published packages.

Within the software industry there is great hope for faster progress through automated updating of shared open-source code. Continuous Integration techniques, now often grouped under the DevOps label, can download, build, deploy and test updates automatically, so that improvements are incorporated sooner (and, conversely, errors are detected sooner, which serves the same goal: faster fixing and faster incorporation of the fix).

This assumes that the internet is always available, but in various cases it is not: an outage may be due to hacking, government intervention, or stranger causes such as this withdrawal of code.

So it is a good idea to avoid too many external dependencies in your automated build.

Some reporting on this misleadingly suggests that the code in question was simple enough for the dependency to be easily avoided. The truth is more complex: the withdrawn module may sit several levels down a chain of nested dependencies, as in the simple example above from the npm core update module, so the project that breaks may not reference it directly at all.

The compromise solution is an in-house repository, such as Nexus, sitting between in-house development and the internet: updates can be pulled from the internet when available, in a controlled way, while local continuous builds carry on regardless of what is happening on the wider internet. For this to hold, the build must actually resolve every package, including the nested ones, through the in-house repository, and the lockfile should pin each package to an integrity hash so that a later re-publish under the same version is noticed rather than silently accepted.
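The two points above, the depth of the nested dependency chain and the need to check that every package really is resolved through the in-house repository, can be checked mechanically from `package-lock.json`. The script below is an added example written for this post, not code from npm, Nexus or the original article. It assumes a lockfile in the `lockfileVersion` 2 layout (a `packages` map keyed by path) with a flat, hoisted `node_modules` tree, i.e. every package lives at `node_modules/<name>`; the package names, the `nexus.example.internal` hostname and the integrity strings in the sample lockfile are all constructed for illustration.

```javascript
// Added example: audit a package-lock.json for dependency depth and for
// packages that were not fetched through the in-house registry proxy.
// Assumes lockfileVersion 2 with hoisted node_modules (all packages at
// "node_modules/<name>"). Names and hosts below are made up.

// In-house proxy that every "resolved" URL is expected to start with (assumption).
const IN_HOUSE_REGISTRY = "https://nexus.example.internal/repository/npm-proxy/";

// Subresource-Integrity string as npm writes it: "sha512-<base64>".
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Constructed placeholder integrity value of the right shape (86 base64 chars + padding).
const FAKE_SRI = "sha512-" + "A".repeat(86) + "==";

// Constructed sample lockfile: app -> app-lib -> string-util -> pad-helper,
// where pad-helper was fetched directly from the public registry with no hash.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "app-lib": "^1.0.0" } },
    "node_modules/app-lib": {
      version: "1.0.0",
      resolved: IN_HOUSE_REGISTRY + "app-lib/-/app-lib-1.0.0.tgz",
      integrity: FAKE_SRI,
      dependencies: { "string-util": "^2.0.0", "colors-ish": "^1.0.0" },
    },
    "node_modules/string-util": {
      version: "2.0.1",
      resolved: IN_HOUSE_REGISTRY + "string-util/-/string-util-2.0.1.tgz",
      integrity: FAKE_SRI,
      dependencies: { "pad-helper": "^1.0.0" },
    },
    "node_modules/colors-ish": {
      version: "1.0.0",
      resolved: IN_HOUSE_REGISTRY + "colors-ish/-/colors-ish-1.0.0.tgz",
      integrity: FAKE_SRI,
    },
    "node_modules/pad-helper": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/pad-helper/-/pad-helper-1.0.0.tgz",
      // no integrity field: nothing pins this tarball's contents
    },
  },
};

// Breadth-first walk from the root package. Returns Map<name, depth>, where
// depth 1 is a direct dependency; BFS guarantees the recorded depth is the
// shallowest path, and the Map doubles as the visited set for cycles.
function walkDependencies(lock) {
  const packages = lock.packages || {};
  const depth = new Map();
  const queue = [{ key: "", d: 0 }];
  while (queue.length > 0) {
    const { key, d } = queue.shift();
    const entry = packages[key];
    if (!entry) continue; // declared but absent from the lockfile; reported by auditLock
    for (const name of Object.keys(entry.dependencies || {})) {
      if (depth.has(name)) continue;
      depth.set(name, d + 1);
      queue.push({ key: `node_modules/${name}`, d: d + 1 });
    }
  }
  return depth;
}

// Check every reachable package: present in the lockfile, resolved through
// the in-house registry, and pinned by a well-formed integrity hash.
function auditLock(lock, registryPrefix) {
  const depth = walkDependencies(lock);
  const problems = [];
  for (const [name, d] of depth) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      problems.push({ name, depth: d, reason: "missing from lockfile" });
      continue;
    }
    if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(registryPrefix)) {
      problems.push({ name, depth: d, reason: "resolved outside in-house registry" });
    }
    if (!SRI_RE.test(entry.integrity || "")) {
      problems.push({ name, depth: d, reason: "missing or malformed integrity hash" });
    }
  }
  return { packageCount: depth.size, maxDepth: Math.max(0, ...depth.values()), problems };
}

function printReport(lock, registryPrefix) {
  const report = auditLock(lock, registryPrefix);
  console.log(`${report.packageCount} packages reachable, deepest chain ${report.maxDepth}`);
  for (const p of report.problems) {
    console.log(`  ${p.name} (depth ${p.depth}): ${p.reason}`);
  }
  return report;
}

printReport(SAMPLE_LOCK, IN_HOUSE_REGISTRY);
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `IN_HOUSE_REGISTRY` with your proxy URL; a non-empty `problems` list is the signal that a build still depends on the public registry being reachable, or that a re-published tarball would be accepted unchecked. Lockfiles that nest `node_modules` under a package (non-hoisted layouts) need the key lookup extended to try the parent's path first, which this example deliberately leaves out.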
