How not to care about unpublishgate

So, you all heard about #npmgate a.k.a. #unpublishgate. Azer removed left-pad from the official npm registry and all hell broke loose. Most npm builds in the world are failing today because a tiny (17 lines of JS code!) but very popular library was obliterated from a central repository (which teaches us a lesson about how central repositories should behave, but that’s a topic for another blog post. Teaser – Bintray does it right).

How did it happen that the whole Node.js industry was affected? Artifact repositories, like JFrog Artifactory, while standard in the Java world, aren’t used enough in the JavaScript world. So it’s considered normal for a JavaScript build to go to the central npm registry directly. We heard a lot of rationalizations for why it’s OK (the dependencies are few, their updates are rare, Artifactory is overkill), and here we are. So, the organizations that use Artifactory go like:

All the rest wish they had one.

In the meantime, if you’re affected, you can use JFrog’s public Artifactory instance. It has the removed artifact (click on Set Me Up for instructions on how to make npm work with it).
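
To see whether a build still goes to the central registry directly, as described above, the following added example (not from the original post or from JFrog) walks a parsed npm lockfile and lists every package whose `resolved` URL does not point at the proxy you expect. The proxy host `artifactory.example.internal`, the repository key `npm-virtual`, the package `some-lib` and the sample lockfile are constructed assumptions.

```javascript
// Added example: find lockfile entries fetched from outside the repository proxy.
// EXPECTED_HOST is a hypothetical internal proxy, not a real JFrog endpoint.
const EXPECTED_HOST = 'artifactory.example.internal';

// Collect {name, resolved} from both lockfile layouts: v1 / npm-shrinkwrap.json
// nests "dependencies"; v2 and later carry a flat "packages" map.
function collectResolved(lock) {
  const out = [];
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (info.resolved) out.push({ name, resolved: info.resolved });
      walk(info.dependencies); // v1 nests transitive dependencies here
    }
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (!path || !info.resolved) continue; // "" is the root project
      out.push({ name: path.replace(/^.*node_modules\//, ''), resolved: info.resolved });
    }
  } else {
    walk(lock.dependencies);
  }
  return out;
}

// Return the packages whose tarball URL is not served by the expected host.
function findDirectFetches(lock, expectedHost = EXPECTED_HOST) {
  return collectResolved(lock).filter(({ resolved }) => {
    try {
      return new URL(resolved).host !== expectedHost;
    } catch {
      return true; // unparseable values are reported rather than passed
    }
  });
}

// Constructed sample: one top-level entry still points at the public registry.
const proxy = `https://${EXPECTED_HOST}/api/npm/npm-virtual`;
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.0.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.0.0.tgz' },
    'some-lib': {
      version: '1.0.0',
      resolved: `${proxy}/some-lib/-/some-lib-1.0.0.tgz`,
      dependencies: { 'left-pad': { version: '1.0.0', resolved: `${proxy}/left-pad/-/left-pad-1.0.0.tgz` } },
    },
  },
};
for (const { name, resolved } of findDirectFetches(sampleLock)) console.log(`not via proxy: ${name} <- ${resolved}`);
```

For a real project, pass `findDirectFetches` the result of `JSON.parse` on the contents of the lockfile and fail the CI job when the returned list is not empty.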