Trinidadian Laurie Voss: unbreaking the internet

Last March, an angry software developer deleted a JavaScript code package from the Internet. It doesn’t sound very exciting, but the result was thousands of broken websites, and a cascade of online errors. In stepped Trinidadian Laurie Voss, CTO of the web company npm. Mark Lyndersay tells the story of a coding rescue mission.


In March 2016, the Internet shook when a small, fairly straightforward, but widely used snippet of JavaScript code disappeared from the code dependencies of hundreds of online apps and software connections. And at the centre of the controversy that arose was a Trinidadian software programmer, Laurie Voss, who had to take dramatic and unprecedented steps to restore functionality to broken online software.

Voss is officially the chief technical officer (CTO) of npm, a code packager and repository for the JavaScript language that adds functionality and capability to thousands of online services and apps. The software company was a hobby project started by Voss and Isaac Schlueter, who met at Yahoo in 2008. After they both left the search company, Schlueter became involved in Node.js, a JavaScript runtime built using the Chrome Engine.

The project took off in 2009 with the creation of npm, which packages and archives the code snippets created by developers, and by 2013 Schlueter reached out to Voss to evolve npm Inc from a serious hobby into a business. Voss had been working in the world of the startup, and signed on as CTO.

The road to that point had been a long one for Laurie Voss. As a child, he would make fake computers out of cardboard and play with them. His abstract fascination entered the world of reality at age eleven, when he got a computer of his own, something that was quite rare at the time. “I was mostly just playing around with it until I was fifteen, when Internet access arrived in Trinidad, and I started building web pages,” Voss says. “The attraction of the web was how powerful it was, what an equaliser it was: I, a kid in Trinidad, was capable of making a web page just as good as some kid in America.

“That had never been true before, and it’s still true. Every little thing you add to the web makes the whole world better, in some tiny but real way. I think that’s an amazing thing,” he adds, “and I still get excited every time I think about it.”

The npm project is described as “the largest ecosystem of open source libraries in the world,” an indispensable resource of packages of the JavaScript code that essentially runs the Internet. In the open-source model of software development, successful code is offered to the developer community for its use and adaptation, and npm is the leading spot to find code packages that expand functionality or make the development process a bit easier. Instead of writing the code that’s necessary to do a particular thing, you download or reference the package of software that’s already been proven to do it efficiently.

The npm project has four million users globally, who contribute, adapt, and access code packages continuously. Think of the whole process as a software version of Jenga blocks, and you begin to get the idea. That’s also a good way to understand what went wrong in March — and it all began with a name.

Kik is a new instant messaging app. It’s also the name of an unrelated code module written by Azer Koçulu, one of many that he’s contributed to the npm repository.

The Kik app developers began a correspondence with the author of the code module about renaming his software, because they intended to publish their own open source code to the repository. That infuriated Koçulu, and the annoyed programmer withdrew his kik module along with the other 272 he had published with npm. Among them was a popular code package called left-pad. In March 2016 alone, left-pad was fetched 2,486,696 times.

According to a clarifying blog post published by npm, “Shortly after 2.30 pm (Pacific Time) on Tuesday, March 22, we began observing hundreds of failures per minute, as dependent projects — and their dependents — all failed when requesting the now-unpublished package.” A replacement package (called a fork, a branch development of the original code) was added to the repository within ten minutes, but the code failures continued, because the unpublished left-pad package was being called by a specific version number, which was no longer available.

Two and a half hours later, the problem had been sorted out, after a suitable version was un-unpublished (technology breeds strange grammar) from a backup. “It was a sign,” Voss recalls, “of how popular and essential to JavaScript development npm has become that even one popular package missing for a couple of hours caused a lot of disruption.

“To prevent that kind of problem in future, we’ve now made the process of unpublishing a package a lot slower, so it can’t take everybody by surprise,” he says. “We’re also taking steps to correct the bad policy we had that made Azer get so mad at us in the first place.

“Unpublishing,” Voss says, “happens all the time. This event, unpublishing a really popular package that had been around a long time, was unprecedented, which is why it caused so much disruption.”

It was a different kind of excitement for Voss, who is currently acting CEO of npm while Isaac Schlueter is on paternity leave. “My title is CTO,” Voss explains, “but my role hasn’t stayed the same for more than three months in a row since we started the company.

“I was writing code, then I was architecting, then I was recruiting, then I was managing, then I was analysing data, then I was project managing, then I was defining product direction.

“Ask me again in three months and it’ll be different again, I’m sure.”