date 2011-01-22
from the with-great-responsibility-comes-great-LOLability dept.
From Bleeping Computer
Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.
Some wondered whether the NPM libraries had been compromised, but it turns out there's much more to the story.
The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker'.
The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects depending on it, whereas faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.
But the target of this action wasn't the end user - it was the big corporations...
[...] The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
In November 2020, Marak had warned that he would no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.
"Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn't much else to say," the developer previously wrote.
(Score: 0) by Anonymous Coward on Wednesday January 12, @01:19AM (4 children)
maven is my anti-npm
Doesn't NPM have a way to specify version ranges or pin a specific version (like an LTS)? Does node really just autoupdate everything? That must be a nightmare, sort of like using Windows 10.
(Score: 1) by NPC-131072 on Wednesday January 12, @01:29AM (1 child)
https://research.swtch.com/npm-colors [swtch.com]
(Score: 0) by Anonymous Coward on Wednesday January 12, @02:06AM
Well fuck.
(Score: 2) by Fnord666 on Wednesday January 12, @02:05AM
NodeJS has the package-lock.json [nodejs.dev] file.
(Score: 2) by vux984 on Wednesday January 12, @02:23AM
Yes. Of course it does. You can pin to range or specific version. I build docker images and production installs using "npm ci" which ensures the version that is installed is the version that was tested and validated and referenced in the committed package-lock.json. You can also "shrinkwrap" with npm and so on. The issue is that most people don't know what the tools can do or how to use them properly. And that includes me...I'm still learning new things. Who isn't?
The problem is that most people remain ignorant and don't care to get informed. npm install worked on my laptop... deploy to production the same way. That's not a flaw of npm. That's just people who don't know or don't care what they are doing. Eventually it goes boom.
npm has semantic versioning and conventions around issuing new major versions for breaking changes, so if you write code that works with major version 6, it should work with 6.1, 6.2, and so on, and npm won't automatically pull 7 without a specific command once you've pulled version 6. Not everyone follows the conventions, but by and large things tend to work well enough most of the time that essentially you do have lots of rope to hang yourself if you simply skip using the deployment and publishing tooling, skip testing and CI, etc.
(Score: 0) by Anonymous Coward on Wednesday January 12, @02:02AM (1 child)
These apps are configured just to fetch whatever from wherever and execute it? Don't the app developers have to qualify and release a new version before that happens??
(Score: 2) by Fnord666 on Wednesday January 12, @02:09AM
Unfortunately, many build pipelines and tools will grab the most recent version of a package by default. With continuous integration being a thing, builds can happen multiple times a day. This can be prevented by either locking the particular version of a package using the build tool or having a local package repository that the build pipeline points to and not copying new packages into that repo until they have been vetted.
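The two points made above (vux984's on semver ranges, package-lock.json and `npm ci`, and Fnord666's on pipelines that grab the newest release by default) come down to one mechanism: a range in package.json lets a fresh install float to whatever is newest inside that range, while a lockfile fixes one exact version. The following is an added illustration, not code from npm, colors or faker; it models the common range forms (exact, `~`, `^`), shows what a lockfile-less install would pick, and audits a constructed dependency list against a constructed lock. The package and version numbers are made up for the example and are not real release history; `auditDeps`, `resolve` and `satisfies` are names chosen here.

```javascript
// Added example (not npm's own resolver): a minimal model of how npm semver
// ranges decide which published versions a dependency may float to, plus an
// audit that flags dependencies whose declared range is not an exact pin.
// Only exact versions, "~" and "^" are modelled; prerelease tags, "x" ranges
// and "||" unions are left out. All sample data below is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`? Covers the forms seen in most package.json files:
//   "1.2.3"   exact pin: only 1.2.3
//   "~1.2.3"  >=1.2.3 <1.3.0   (patch releases float)
//   "^1.2.3"  >=1.2.3 <2.0.0   (minor and patch releases float)
//   "^0.2.3"  >=0.2.3 <0.3.0   (for 0.x the minor number is the breaking boundary)
//   "^0.0.3"  >=0.0.3 <0.0.4
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = /^[~^]/.test(range) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  let upper;
  if (op === '~' || (base[0] === 0 && base[1] > 0)) upper = [base[0], base[1] + 1, 0];
  else if (base[0] === 0) upper = [0, 0, base[2] + 1];
  else upper = [base[0] + 1, 0, 0];
  return compare(v, upper) < 0;
}

// What a fresh "npm install" with no lockfile does: take the newest published
// version inside the range. This is the step that pulls a brand-new release into
// a build whose own code has not changed at all.
function resolve(range, published) {
  const candidates = published.filter((p) => satisfies(p, range));
  if (candidates.length === 0) return null;
  return candidates.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Audit helper: for each dependency, report whether the declared range can float,
// whether the locked version still satisfies the range (what "npm ci" checks), and
// what a lockfile-less install would pick from the given registry listing.
function auditDeps(deps, lock, registry) {
  return Object.entries(deps).map(([name, range]) => {
    const locked = lock[name] ?? null;
    const published = registry[name] ?? [];
    return {
      name,
      range,
      locked,
      floating: /^[~^]/.test(range),
      lockedSatisfiesRange: locked !== null && satisfies(locked, range),
      freshInstallWouldPick: resolve(range, published),
    };
  });
}

// Constructed sample data: a package.json "dependencies" block, the versions a
// package-lock.json would record, and a pretend registry listing per package.
const sampleDeps = { colors: '^1.4.0', faker: '5.5.3' };
const sampleLock = { colors: '1.4.1', faker: '5.5.3' };
const sampleRegistry = {
  colors: ['1.3.0', '1.4.0', '1.4.1', '1.5.0', '2.0.0'],
  faker: ['5.5.0', '5.5.3', '6.0.0'],
};

if (typeof module !== 'undefined' && require.main === module) {
  for (const row of auditDeps(sampleDeps, sampleLock, sampleRegistry)) {
    console.log(row);
  }
}
```

Running it shows the asymmetry the thread is describing: the `^1.4.0` entry is locked at 1.4.1, so `npm ci` keeps installing 1.4.1, while a plain `npm install` without the lockfile would jump straight to the newest 1.x in the listing (here 1.5.0); the exact `5.5.3` pin cannot move either way. In a CI pipeline the defensive combination is a committed lockfile, `npm ci` rather than `npm install`, and a review step before bumping the lock.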
(Score: 2) by Fnord666 on Wednesday January 12, @02:14AM (1 child)
(Score: 0) by Anonymous Coward on Wednesday January 12, @02:24AM
They weren't going to (and hadn't) anyway. The users were always going to Freeload and Scab off the guy forever.
It's also a nice little reminder that the 21st Century's Super Trendy way to do Software Engineering is fscked.