Fed up with being 'used' by big companies, a developer deliberately broke the npm libraries colors.js and faker.js
At first, some people assumed the two npm libraries had been hacked. The story turned out to be more complicated than that.
It emerged that the developer behind both libraries had added an infinite loop that caused the thousands of projects depending on colors and faker to hang or print garbage to the console.
The colors library is downloaded more than 20 million times per week, and on npm alone nearly 19,000 projects depend on it. faker has 2.8 million weekly downloads on npm and more than 2,500 dependent projects.
What is the root cause of this incident?
The developer behind the popular open-source libraries colors (colors.js on GitHub) and faker (faker.js on GitHub) deliberately pushed sabotage commits to both. As a result, thousands of applications that depend on these libraries were affected.
For example, Amazon's Cloud Development Kit (aws-cdk) started printing garbage to the console: the output begins with three lines reading LIBERTY LIBERTY LIBERTY, followed by lines of non-ASCII characters.
Why would a developer sabotage libraries he wrote himself? The most plausible motive is retaliation. The developer behind colors.js and faker.js was frustrated that large corporations and commercial businesses "use" free, community-provided software without giving anything back to the community that produces it.
In November 2020, Marak Squires, the developer behind colors.js, wrote that he would no longer support large corporations for free. Instead, he told them to either fork the project and have someone else maintain it, or pay him a six-figure annual salary (in USD).
Mixed feedback from the community
Some people support Marak's actions, while others call them irresponsible.
"If you don't want others to use it for free, don't give it away for free. Your self-destruction of the library harms not only your business but everyone who uses it. It's irresponsible," said the infosec expert who goes by the handle VesOnSecurity.
Shortly after the controversy broke out, GitHub temporarily locked Marak's account. That, too, drew mixed reactions.
"Deleting your own code from (GitHub) also counts as a violation of GitHub's Terms of Service? WTF?" complained software engineer Sergio Gómez.
The case remains controversial, and how it will be settled is still unclear. In the meantime, if you use colors or faker in your projects, make sure you are not pulling in the sabotaged releases. Pinning colors to an older release (e.g. 1.4.0) and faker to 5.5.3 is a practical workaround. Note that a caret range such as ^1.4.0 in package.json still resolves to newer patch releases, and the packages often arrive as transitive dependencies of something else, so check the lockfile (and every nested copy under node_modules) rather than only your own direct dependencies.
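The check described above, as an added example that is not part of the original article and not code from the colors or faker projects: it walks an npm lockfile (lockfileVersion 2/3 "packages" map, which includes nested copies under node_modules), flags any colors or faker version newer than the known-good releases named above (1.4.0 and 5.5.3), and builds the npm `overrides` block that forces every transitive copy back to those versions. The lockfile below is a constructed sample; the version comparison is a small hand-written one so the script has no dependencies of its own.

```javascript
// Added example: scan a package-lock.json for colors/faker releases newer
// than the last known-good versions, and emit an npm `overrides` fix.
// Not part of the original article or of the colors/faker projects.

// Last known-good releases named in the article.
const KNOWN_GOOD = { colors: '1.4.0', faker: '5.5.3' };

// Parse "1.4.44-liberty-2" into { core: [1, 4, 44], pre: 'liberty-2' }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns > 0 if a is newer than b, < 0 if older, 0 if equal.
// A pre-release (1.4.0-beta) sorts below the final release (1.4.0),
// as in semver; a pre-release of a higher core (1.4.44-x) still sorts above 1.4.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/colors"
// or "node_modules/some-cli/node_modules/colors" (a nested transitive copy).
function findSuspectPackages(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const good = KNOWN_GOOD[name];
    if (!good || !meta || !meta.version) continue;
    if (compareVersions(meta.version, good) > 0) {
      findings.push({ path, name, version: meta.version, knownGood: good });
    }
  }
  return findings;
}

// Build the `overrides` object for package.json (npm >= 8.3) that pins every
// copy of the affected packages, direct or transitive, to the known-good release.
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.knownGood;
  return overrides;
}

// Constructed sample lockfile: a direct copy of colors on a newer release,
// a nested copy still on 1.4.0, faker on a newer release, and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.0' },
    'node_modules/faker': { version: '6.6.6' },
    'node_modules/chalk': { version: '4.1.2' },
  },
};

const findings = findSuspectPackages(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.path}: ${f.name}@${f.version} is newer than known-good ${f.knownGood}`);
}
console.log('suggested package.json overrides:', JSON.stringify(overridesFor(findings)));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; after adding the suggested `overrides` to package.json, run `npm install` and re-run the scan to confirm every nested copy has been pinned.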