uWebSockets.js — beware of slander, envious hypocrisy & Manuel Astudillo

When old, wild internet speculation is your only “source” for yet new speculation, we end up with nonsensical conspiracy theories and slanderous allegations. Let’s correct them by using rational thinking and current day observations.

uNetworking AB


Seven years ago I created this project called “uWS”. Up until version 0.14.8 it lived primarily on NPM. Four years ago I moved it from NPM to GitHub, where it has remained ever since. The project has never been better off. 20 major versions released, all available free of charge for anyone to use. Last release 22 days ago. Over 5000 “GitHub stars”, 70 million downloads and with great performance and security. By any metric possible, the project is in good standing.

Unfortunately, still to this day, almost half a decade later, some people are spreading speculative, nonsensical and slanderous stories regarding this departure from NPM. Even though I have publicly explained all of this before, many still prefer gathering around the sensational speculation and conspiracy-like theories. It seems way more entertaining to subscribe to a sinister conspiracy theory than to think rationally.

You don’t need arguments that logically make sense, when you have endless confidence and total lack of self awareness.

Manuel Astudillo, an avid NPM proponent, has written a very confident post based on nothing but angry Reddit speculation and his personal hatred of me. He is speculating based on a speculation. This is garbage journalism. This is how fake news and slander happen. Unfortunately his post has spread, and has gotten way more attention than what it deserves.

Hang tight for juicy hypocrisy and envious attacks on my customers

Let’s go over his nonsense of a post and correct it by using rational thinking and reliable, credible sources. Who can reliably explain my own reasoning? Me? Or Manuel? Who is Manuel? Did he ever work with the project to begin with? Hilariously, no, he is entirely foreign to the project and has no inside information. Nobody does. He is not a credible source, and neither is an angry Reddit post.

Whoever made the decision to stop using NPM should know why. I made the decision, and I know exactly why I did so. The reason is far more logical and sane than the reason Manuel Astudillo is presenting:

If you are active in the Node.js community you have probably heard of a dispute between the author of a websocket library called uWS (https://www.npmjs.com/package/uws) and the NPM maintainers.

The dispute arose because the author was not willing to accept one of the core policies in NPM, that is, that all releases must be immutable. Implying that if you happen to screw it up and make a broken release you better do a new release as fast as possible to resolve the problem from the previous one.

The reason for departing from NPM was their Terms of Service. I find it repulsive, from a purely legal standpoint. Further on I find NPM to be a technically inferior platform. Remember five years ago? NPM used to take AGES AND AGES installing anything. That’s why Facebook made Yarn. Today NPM is slightly better, technically, but my decision was not made today and I still find their legal contract unacceptable.

The issue with NPM’s Terms of Service lies in their way of blackmailing publishers — you as publisher are to indemnify NPM without limit, yet you still have to trust NPM to make the right decision for you whenever, if ever, legal trouble comes your way. They ask you to hold a live grenade while their blind dog may or may not try to defuse it, instead of letting you defuse it yourself (which of course may or may not mean simply throwing the grenade to avoid being blown up!).

This alone is the main reason I left their platform. Anything else is made up nonsense and retold Reddit speculation (on Reddit, nonsense with a high enough number of upvotes automatically gets promoted to “truth” even though it’s nothing but a snowballing misunderstanding. People upvote what is already highly upvoted because, well that’s how mob mentality works).

Despite this inconvenience, immutability is a core feature of the npm ecosystem and for good reasons: without it you could not trust any package. How could you be confident of using a given library, if suddenly the version that you are using in your products and services could change in your next deploy? Not only could this break things, it could also introduce malicious code, trojan horses, or viruses. Remember that an npm package has the same restrictions on what code it can execute as your main program depending on it.

Here we can already see Manuel go down a path of arguing for something that nobody is arguing against. He is drawing incorrect conclusions based on incorrect speculation and ends up arguing about something nobody is opposed to.

Nobody here wants mutable releases. Nobody here is proposing mutating releases. This is a failure to comprehend the actual reasoning, and connect the dots properly. Manuel Astudillo is connecting the dots in a short-circuited way, skipping important considerations such as law and legal risk.

uWS’s author, in some kind of childish act of vengeance, tried to consciously break all dependent libraries and services by publishing an empty version of the module, fortunately, the team behind NPM manually removed it and locked the package so that no further damage could be inflicted to its users.

Now we are speculating our pants off. None of this makes any rational sense. What would my motive be? What would I have to win from doing what Manuel claims I did? What would I lose? For “vengeance” to appear there must have been something I lost? What did I lose, Manuel?

When you cut and paste internet quotes from different chronological events, with bolted-on context, I can understand your total confusion. You can’t make any sense of it, but you still have this narrative fueled by hatred to complete, so you make up a story that paints a sinister enough picture, even though it falls apart from the slightest reasoning.

You believe not what is logical and rational, but what feels the most accurate to your hatred and disgust of me as a person. Of course you won’t believe a logically sane story about a businessman wanting to minimize legal risk as his product becomes way more popular than he anticipated at first. No because that story would make too much sense.

History clearly shows that I did not lose anything. I still own the NPM account, I control it. If Manuel would take just one second to actually follow his own link he would clearly see this. Who published the last version? What does it say? When was it published?

What happened in reality was that I had decided to stop using NPM, because of the above-mentioned legal issues. So instead of just leaving without any trace (I had no other social media) — I published a new release containing the README file, saying in big bold black ink “I don’t publish to NPM anymore, find me elsewhere”. Further on I had consulted with Libraries.io, gathering statistics for how many people were on what version. The statistics led me to believe almost everyone was on a fixed version (like they should). Depending on a future version of an NPM package is horrible practice and leaves you wide open to supply chain attacks and breakage. It’s a red flag signalling carelessness — a flag Manuel Astudillo is more than happy to wave.

Snapshot of the verbatim README.md file as rendered on npmjs.com

As you probably can infer, my intention was to keep my user base by letting them know about the change, not to destroy it. Manuel has the story upside down, severely tainted by his sinister, slanderous narrative. Why would I want to destroy something I had built by myself for the last two years? It makes no sense, and the current day outcome does not align with this alleged motive.

This message worked great, many people got it and followed me to the new platform, GitHub. I also got in contact with many companies at this point. All in all I and the project gained a lot from transitioning like this, and most users experienced no issues, like I had planned. Many people have expressed their understanding.

However, a few users blindly shoved my text message in production without doing any kind of A/B testing, review or even a smoke test. So of course they got a temporary outage. These people were utterly irresponsible and I think this outcome speaks more of them and their lacking testing, than what it speaks of me. These are the people who scream the loudest in angry Reddit posts.

In fact, Manuel Astudillo is such a person himself:

I was using uws at the time and saw my product (as many other people) break when upgrading since the author uploaded an empty package […]

Doing not even a basic smoke test of his composition, he blindly shoved my text message uploaded to NPM straight in production. Then he continues to blame others, instead of reconsidering his testing and due diligence practices.

My code is free of charge, comes with no warranty whatsoever, and at the time was known to be of “unstable” status. Sure, my actions were somewhat unorthodox but they worked like magic. You might argue this was a mistake by me, I can agree to some degree, people make mistakes. I wouldn’t do this again, knowing what I know today. The important takeaway is I did what I thought was the best for the project at the time, not the worst.

This event alone says a lot of its author and should be taken as a warning sign in case you get seduced to use any of his libraries.

If anything, this event highlights the complete lack of the most basic testing, due diligence and security considerations, in camp Manuel Astudillo. Blaming others, for one’s own naivety.

Whoever is to blame (no warranty, no liability), this happened four years ago. The majority of uWS has existed after this event. There hasn’t been any hiccup for the last four years and the project is better off now than ever. At some point you will have to let things go.

Some time passed since this incident, and recently a new version of the package, with a completely new API has been released by its same author.

Yes, four years have passed and the project now has 70 million downloads and runs in many successful companies and is widely praised as an excellent project. It keeps on getting new releases at a consistent pace, almost a decade after initial release.

I will not enter in the attitude problems the author has with the people writing issues or simply not agreeing with him. Insults and the like are the norm in his way of treating people, and ultimately he will ban you or delete complete issues if they are exposing any flaws in his library or how he behaves.

I, as owner of the project, will delete anything I find irrelevant, harassing or in any way annoying. It is a complete and utter lie that I would delete reports exposing flaws in the code. I welcome any such report with open arms. The best thing I know is when people find and post well written reports with AddressSanitizer failures. You can find several of those publicly available in the GitHub repository.

The project has received thousands of USD from Google for its open handling of security issues. We have a 95% fuzzing coverage and we use all sanitizers, even the optional ones. All security issues are handled publicly by Google and I have no ability to delete these. We also use LGTM publicly available security scanning tools and reports.

Your claims are entirely pulled from thin air to fit your narrative.

A typical example is with the very first issue https://github.com/uNetworking/uWebSockets.js/issues/155#issuecomment-504773584

Which was deleted when it was pointed out that some measures must be taken in order to have safe installs. With the history track of its author, I think that any measure you take is more than justified, where any production solution that depends on his library is at high risk of breaking at any time, and in worst case scenarios introduce trojan horses, viruses or the like.

I remember that issue. You posted about binaries being evil, and fanatically insisted on using NPM instead of the planned solution to use GitHub tags. I banned you because you wouldn’t shut up about your fanatical views of how NPM is the only true distribution channel and that all other ways are “impure”.

I’m sorry you didn’t get the message, but I banned you because you acted like an asshole and annoyed me greatly — not because I wanted to “hide any flaws in the library”. You are a true fanatic and there is no way of reasoning with fanatics. I would ban you again if I could.

Now that we have corrected the initial nonsense of Manuel Astudillo’s post, let’s look at his main argument, the meat of his post:

So without further ado let’s go through the main problems. It boils down to this:

Picture copied from Manuel Astudillo’s post. It shows my former installation instructions.

For newer developers this may look like a harmless way of installing a package. However it must be pointed out that this is not installing the package from the NPM registry, but from the private github repository of the package author.

Right, it is not installing from the NPM registry because that was the whole idea of this transition — to not end up with balls-stuck-in-vice as per the NPM Terms of Service. You are correct, I do not publish to NPM.

The main implications of this is that, 1) the repository can be deleted at any time (not very unlikely considering past events), and 2) the tag pointing to a version can be changed to point to a different commit (not very unlikely either since this was the reason for the original dispute with uWS).

Ignoring the fact you haven’t understood the underlying reasoning for moving away from NPM -

Let’s remind ourselves that the above warning is written by a guy who employs security strategies inviting NPM supply chain attacks with open arms.

Immutability, immutability, immutability, oh crap I’m hacked

Arguing that a Git repository can be deleted or changed is like arguing Bitcoin can be deleted or changed. It is like arguing The Pirate Bay can be deleted, or that the files it points to can be modified. I know this takes a few brain cells to comprehend, of which you may be lacking, but the entire idea of Git is to act much like a blockchain — it achieves immutability not by central enforcement but by distributed, cryptographically verifiable clones.

You cannot “delete” or “change” something that is verifiable with a chain of SHA-1 hashes, is distributed and stored to/on every continent on the planet, has thousands of “forks”, is stored 250 meters into an Arctic mountain on Greenland and is used by many companies who have significant stake in it.

I have no intention to remove this GitHub repository, but because of the distributed nature of Git, you don’t have to trust me (or even GitHub). You can simply move your mouse cursor up to the upper right corner and click “fork”. It takes five seconds or less. Now you have your own, distributed clone only you can manage. You are king and dictator of your own clone. Hundreds of people have already done so and you can clone their clones if you need to.

By referencing your own fork instead of mine, you are as safe as can possibly be. Of course you can also simply download the project and ship as part of your app. Nobody is twisting your arm here. The possibilities are endless.

This project is free of charge and you may do whatever you wish with it, as long as you obey the licensing terms. Nobody has an evil complex plan to destroy the world here. If you don’t like it, go away.
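
The distinction argued over in this section, between an exact version, a floating range, a Git tag and a full commit id, can be checked mechanically in a `package.json`. The following is an added example, not code from the original post or from the uWebSockets.js project; the manifest, the package names, the tag, the fork owner `your-org` and the commit id are constructed placeholders.

```javascript
// Added example. The manifest below is constructed: package names, the tag,
// the fork owner "your-org" and the 40-hex commit id are placeholders.
const LOCAL_OR_URL = /^(\.|\/|~\/|file:|link:|workspace:|npm:|https?:)/;
const GIT_PREFIX = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/;
const GIT_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/; // "owner/repo#ref"
const EXACT = /^[=v]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Classify one dependency specifier by whether the thing it names can move.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (LOCAL_OR_URL.test(s)) return 'other'; // paths, tarball URLs, aliases
  if (GIT_PREFIX.test(s) || GIT_SHORTHAND.test(s)) {
    const hash = s.indexOf('#');
    const ref = hash === -1 ? '' : s.slice(hash + 1);
    // A full commit id names content; a tag, branch, "semver:" range or a
    // missing ref (default branch) is a name that can be re-pointed.
    return FULL_SHA.test(ref) ? 'git-commit' : 'git-mutable-ref';
  }
  if (EXACT.test(s)) return 'exact';
  return 'range'; // ^, ~, comparators, x-ranges, "*", "", dist-tags ("latest")
}

// Return every direct dependency whose specifier can resolve to different
// code on a later install.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'range' || kind === 'git-mutable-ref') {
        findings.push({ field, name, spec, kind });
      }
    }
  }
  return findings;
}

const samplePackageJson = {
  dependencies: {
    'pinned-lib': '4.17.21',
    'floating-lib': '^2.0.0',
    'uws-by-tag': 'uNetworking/uWebSockets.js#v1.2.3',
    'uws-by-commit':
      'github:your-org/uWebSockets.js#0123456789abcdef0123456789abcdef01234567',
  },
  devDependencies: { 'test-tool': 'latest' },
};

for (const f of auditDependencies(samplePackageJson)) {
  console.log(`${f.field}: ${f.name}@${f.spec} -> ${f.kind}`);
}
```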

Also note, the “No compiler needed” text. The author provides precompiled binaries, which, while being convenient for some users and platforms has the added risk of not knowing if the binaries really correspond to the source code or a specific version of the source code.

Again with the brain cells; believing that binaries are some kind of magical containers of evil, concealment nobody can verify or understand, is exposing your severe incompetence in this, Manuel Astudillo.

You have the source code, you have the binaries. Let’s try and put two and two together here — what happens if you compile your own binary and diff it against the precompiled one? Do you think they will match? Of course you will never try this because you never do research.

The code being sponsored by companies of dubious legal and moral business such as “bitfinex” (https://en.wikipedia.org/wiki/Tether_(cryptocurrency)) does not make the thing more trustworthy either.

Here Manuel Astudillo is making the argument that being indirectly and partially funded by Tether (Tether -> Bitfinex -> uNetworking AB) makes uWebSockets.js “untrustworthy”.

This while his very own company, Taskforce.sh, has paying customers such as MoonPay which is a company that sells, well you guessed it, Tether.

Do I need to spell it out, the absolute bottomless hypocrisy of Manuel Astudillo?

If you still decide to use uWebsockets.js in production, you can minimize some of the risks by:

Fork the main uWebsockets.js repo and its 2 dependencies (uWebsockets and uSockets).

Build the package yourself instead of using the prebuilt binaries.

I agree with you on this, Manuel Astudillo. I would say it is enough to click “fork” as described above, but people are free to make their own decisions here.

Alright, this was fun.

Thanks!

Yeah, I really recommend everybody to read the post above, it states perfectly the nature of the character. Honestly, no pun intended, I think you need to seek mental help.

Fabulous response, Manuel Astudillo!

I can see that you have blocked me on Medium as well. Great!
