Fed up with being 'used by many big companies', the developer deliberately broke the NPM colors.js and faker.js libraries

Initially, some people surmised that these two NPM libraries were hacked. But in the end the story is much more complicated than that.

It turned out that the developer behind these libraries shipped an infinite loop that caused thousands of projects depending on colors and faker to hang, or to print meaningless output.

The colors library is downloaded more than 20 million times per week and on npm alone, nearly 19,000 projects depend on it. Meanwhile, faker has 2.8 million downloads per week on npm and has over 2,500 dependent projects.

What is the root cause of this incident?

The developer behind the popular open-source libraries colors (aka colors.js on GitHub) and faker (aka faker.js on GitHub) intentionally pushed sabotaging commits to both. As a result, thousands of applications that depend on these libraries were affected.

For example, Amazon's Cloud Development Kit (aws-cdk) printed meaningless messages to the console: the output begins with three lines of LIBERTY LIBERTY LIBERTY followed by lines of non-ASCII characters.


Why would a developer deliberately sabotage the libraries he created? The most plausible explanation is retaliation. The developer behind colors.js and faker.js is frustrated that large corporations and consumer businesses "use" free, community-provided software without supporting it or giving anything back to the community.

In November 2020, developer Marak Squires, one of the people behind the colors.js project, said that he would no longer support large corporations for free. Instead, Marak advised corporations to fork the project and get someone else to work on it, or to pay him a six-figure annual salary (in USD).

Mixed feedback from the community

Some people support Marak's actions, while others call it irresponsible behavior.

"If you don't want others to use the code, don't give it away for free. Your self-destruction of the library not only harms your business, but also affects anyone who uses it. It's irresponsible," said the infosec expert known as VessOnSecurity.

Immediately after the controversy broke out, GitHub temporarily locked Marak's account. This also caused mixed reactions.


"Deleting your own code from (GitHub) also counts as a violation of GitHub's Terms of Service? WTF?" complained software engineer Sergio Gómez.

The case is still controversial and it is still unclear how things will be settled in the end. In the meantime, if your projects use the colors and faker libraries, make sure you are not pulling in the sabotaged versions. Downgrading to older releases of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is a workable solution.
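Downgrading only helps if nothing in the dependency tree floats back to a newer release, so the useful check is on the lockfile rather than on package.json alone. The script below is an added example, not code from the article or from either project: it walks a package-lock.json "packages" map (lockfile version 2/3 layout), flags every copy of colors or faker, including nested transitive copies, whose version is newer than the last known-good releases the article names (colors 1.4.0, faker 5.5.3), and checks whether a dependency spec is an exact pin. The lockfile data and the version numbers inside it are constructed sample values, not a real project's lockfile.

```javascript
// Added example (not from the article or the colors/faker projects).
// Last known-good releases named in the article; anything newer is flagged.
const LAST_KNOWN_GOOD = {
  colors: "1.4.0",
  faker: "5.5.3",
};

// Minimal numeric semver comparison: returns <0, 0 or >0. Pre-release
// suffixes are ignored, which is enough for the x.y.z releases involved here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// An exact pin is "1.4.0" (optionally "=1.4.0"); "^1.4.0", "~1.4.0", "*" or
// "latest" all allow npm to resolve to a newer, possibly sabotaged, release.
function isExactPin(spec) {
  return /^=?\d+\.\d+\.\d+$/.test(spec.trim());
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/colors" or
// "node_modules/some-cli/node_modules/colors"; the package name is whatever
// follows the last "node_modules/" (scoped names such as "@scope/pkg" survive).
function findUnsafeVersions(lockfile) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const safe = LAST_KNOWN_GOOD[name];
    if (!safe || !entry.version) continue;
    if (compareVersions(entry.version, safe) > 0) {
      findings.push({ path, name, version: entry.version, lastKnownGood: safe });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct colors dependency at the safe version,
// a transitive copy under some-cli at a newer (constructed) version, and a
// faker entry at a newer (constructed) version. Neither version number is a
// real release claim; they exist only to exercise the check.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { colors: "1.4.0", faker: "^5.5.3" } },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-cli": { version: "2.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/some-cli/node_modules/colors": { version: "1.9.9" },
    "node_modules/faker": { version: "9.9.9" },
  },
};

// Report: which copies are newer than the last known-good release, and which
// root-level specs are not exact pins and could drift on the next install.
function report(lockfile) {
  const unsafe = findUnsafeVersions(lockfile);
  const rootDeps = (lockfile.packages && lockfile.packages[""] || {}).dependencies || {};
  const unpinned = Object.entries(rootDeps)
    .filter(([name, spec]) => LAST_KNOWN_GOOD[name] && !isExactPin(spec))
    .map(([name, spec]) => ({ name, spec }));
  return { unsafe, unpinned };
}

console.log(JSON.stringify(report(SAMPLE_LOCKFILE), null, 2));
```

On a real project, `npm ls colors faker` lists every resolved copy in the tree, which is the same information the lockfile walk above extracts; whichever copies show up newer than the pinned release need the dependency that pulls them in to be pinned as well, otherwise the next install silently undoes the downgrade.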
