
GitHub's npm gave away a package name while it was in use, causing rethink


When it comes to ownership then details count
Last December, GitHub recognized that it hadn’t revisited the dispute policy for npm packages since acquiring NPM in March 2020, and in February this year, it suspended transfers of abandoned packages until it could come up with a system that’s fair, consistent, and enforceable. The Microsoft-owned company did so because Andrew Sampson, CEO and co-founder of streaming app Rainway, showed that npm’s process was none of those things.

Sampson and other contributors created an open source, cross-platform serialization format called Bebop to support the Rainway app. To ensure the chosen name remained the same across multiple programming languages, he proceeded to register the Bebop package name at various package registries like .NET’s NuGet, Rust’s Cargo, and Dart’s pub.dev. The name, however, was taken on npm, the registry frequented by JavaScript, Node.js, and TypeScript developers.

At the time, npm’s advice for handling module name disputes was to email the owner of the relevant package and to send a copy of the message to npm’s support address. “After a few weeks, if there’s no resolution, we’ll sort it out,” the now-removed dispute policy explains. Sampson emailed the listed address, got no response, and four weeks later was rewarded with a note from npm granting him control of the Bebop name.

GitHub’s npm team shouldn’t have done so because the registry had the wrong email address for the individual who had registered Bebop and had been using it for more than eight years. “As it turns out, the package was not abandoned,” explained Sampson via Twitter. “[Zach Kelling] published it over eight years ago and used it consistently in that time.” According to Sampson, none of the emails associated with Kelling’s account received the name inquiry and the email address produced by the command npm owner ls bebop wasn’t associated with the package.
