How to Left Pad, for real

So someone removed a bunch of their packages from the node package manager, and this in turn broke a lot of other people's software builds.

There have been 1 million articles written (so far) wherein sweaty-fingered coders tie themselves in predictable knots asking:

  • Does this mean NPM is doomed?
  • Does this mean opensource is doomed?
  • Does this mean opensource wins, because it can respond so quickly?
  • Does this mean micro-dependencies are terrible?
  • Can something still be a knee-jerk reaction even if someone specifically says it's not?
  • Does this show that NPM is an evil corp?
  • Doesn't this mean that you should do a trademark check before publishing anything ever?
  • Should you check in your dependencies? Should your dependencies have checked in their dependencies?
  • Has everyone forgotten how to code all of a sudden?
  • It's like everyone has gone crazy! Has everyone gone crazy!?

...and so on. But I don't want to ponder any of that.

I just want to look, very carefully, at the code itself, in the center of this maelstrom....

function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  return str;

I've had left-padding (and right-padding) functions on my brain lately, as they were added to the most recent release of NimbleText. I was curious if this function behaved the same as mine. 11 lines... what could possibly go wrong?

So I grabbed this implementation and tested its behavior.

I was surprised to see it gave different results to my function!

Specifically -- what does the leftpad function do if you give it a string such as 'HELLO' and ask it to left-pad it to a width of 4 characters (i.e. a length that is smaller than the initial string)?

In NimbleText, to answer this question I asked my customers, who uniformly pointed to the behavior of Oracle's LPAD function.

Oracle's LPAD function, if given a len that is smaller than str, will truncate the result.


LPAD("HELLO", 4) returns "HELL".

So that's what I implemented for NimbleText.

But that's not what this function does!


leftpad("HELLO", 4) returns "HELLO".

The difference is minor -- but minor things can have dramatic consequences.

For example if someone assumes that leftpad(someString, 10) has an invariant property that it always produce a string that is 10 characters long, they could soon end up with a security vulnerability.

I mentioned this on Twitter and celebrity whitehat hacker 'OJ' responded with:

I wouldn't want a leftpad() function to trim strings

Which I attribute to a latent desire he has to see more and newer vulnerabilities in code (not that there's any foreseeable shortage of vulnerabilities looming otherwise)

...but anyway -- what would you expect from a leftpad("HELLO",4) ?

Should the package manager maintain a running vote, and the people can decide democratically on every question?

Or should there be... I dunno... what's the dirtiest word in software... A standard?


I'm currently writing a book about how to build your first product. If you want to build your first product, please sign up to be notified when the book is available.

(By the way, I read every comment and often respond.)

Your comment, please?

Your Name
Your Url (optional)
Note: I may edit, reuse or delete your comment. Don't be mean.