Developer corrupts two open source libraries he created: the user community will keep one of them

A few days ago, users of two popular open source libraries, colors (colors.js) and faker (faker.js), saw the applications that depended on them start to fail, returning meaningless data and stopping working. Some, according to Bleeping Computer, initially thought that these libraries for npm, the default package manager for the Node.js JavaScript runtime, had been compromised. But things were not so simple: the developer of both, apparently fed up with large corporations using them without paying him anything for his work, had decided to corrupt them on purpose.

This affected thousands of applications that used them. The colors library has over 20 million weekly downloads on npm alone and is used by almost 19,000 projects and applications. As for faker, it has 2.8 million downloads on npm, and about 2,500 apps depend on it.

Until its developer, Marak Squires, decided to take this drastic measure, there was no problem for anyone who chose to use them: small companies and individual developers as well as large corporations listed in the Fortune 500.

But Squires got fed up with working for nothing and introduced several changes to colors and faker that led the applications using them to print meaningless messages, among them the text "liberty liberty liberty" followed by various non-ASCII characters. Additionally, the developer added a "new American flag module" to the colors.js library in version v1.4.44-liberty-2, which was pushed to GitHub and npm. This was followed by the tainted versions 1.4.1 and 1.4.2 on npm. The modifications to its code created an infinite loop that kept printing non-ASCII character sequences to the console of every application that uses colors.

Version 6.6.6 of faker, published on GitHub and npm, was also corrupted, and the developer, who had already warned last November that he would not keep working on his projects for free, even replaced faker's README file on GitHub with one referring to Aaron Swartz. Apparently, to put an end to the problems caused by the corrupted versions of both libraries, all you have to do is go back to their previous versions, which are safe: 1.4.0 for colors and 5.5.3 for faker.
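Rolling back is only complete if every copy of the library in the dependency tree is rolled back, including transitive ones pulled in by other packages. The following is an added example (not code from the article or from the colors/faker projects) that audits a package-lock.json "packages" map against the safe versions above and emits an npm "overrides" block to pin all copies; the lockfile fragment is constructed sample data.

```javascript
// Added example (not from the article or the colors/faker projects): audit a
// package-lock.json "packages" map for colors/faker copies newer than the last safe releases.
const LAST_SAFE = { colors: "1.4.0", faker: "5.5.3" };

// Numeric "x.y.z" compare; a tag like "1.4.44-liberty-2" is dropped first. Returns -1/0/1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x > y ? 1 : -1;
  }
  return 0;
}

// Lockfile v2/v3 keys: "node_modules/colors" or, for a nested transitive copy,
// "node_modules/some-cli/node_modules/colors".
function findTaintedDeps(lockfile, lastSafe = LAST_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in lastSafe) || !meta.version) continue;
    if (compareVersions(meta.version, lastSafe[name]) > 0) {
      hits.push({ path, name, version: meta.version, safe: lastSafe[name] });
    }
  }
  return hits;
}

// Build npm "overrides" (package.json, npm 8.3+) pinning every copy back to the safe release.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) overrides[h.name] = h.safe;
  return overrides;
}

// Constructed sample: a tainted direct colors, a safe nested copy and corrupted faker 6.6.6.
const sampleLock = {
  packages: {
    "node_modules/colors": { version: "1.4.2" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "6.6.6" },
  },
};

const tainted = findTaintedDeps(sampleLock);
console.log(tainted);
console.log(JSON.stringify({ overrides: buildOverrides(tainted) }, null, 2));
```

Note that the overrides block pins the package names themselves; the community fork published under the scoped name @faker-js/faker is a different package and is not matched.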

New life for faker: it will no longer be maintained by its developer, but by the community

A few days after its creator and maintainer corrupted it, the faker library became the responsibility of a group of open source developers who want to turn it into a community-controlled open source project. As announced on a project website, its maintenance has been picked up by a group of engineers who were using faker in their products when the library was corrupted. Today eight people are in charge of maintaining it, and they have already taken several steps.

So far they have created a new GitHub repository for the new faker package, published all previous versions of faker to npm under @faker-js/faker, published an alpha version of faker 6, created a Twitter account to communicate with the community, released the first faker documentation website, and are working on migrating it to TypeScript so that DefinitelyTyped no longer has to maintain its external @types/faker package. They have also cleaned up tooling such as Prettier, CI, Netlify Deploy Previews and GitHub Actions, among other measures.

They have also redirected the project's funding so that its original backers can continue to support its community-driven development in the future. Its original creators, Marak, the one who corrupted it, and Brian, "have been able to keep the $11,562.69 donated so far to the project".

At the same time, the developer's decision has provoked opinions of all kinds. Some members of the open source community support him, while others are outraged. GitHub, for its part, has decided to suspend the developer's account, which has sparked another controversy. And then, of course, there are the concerns raised about the way large companies use and exploit the unpaid work of the open source community, offering practically nothing in return to the volunteers who maintain and develop, in their spare time, the projects those companies rely on.
