from the with-great-responsibility-comes-great-LOLability dept.
From Bleeping Computer
Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.
Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.
The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'.
The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.
But the target of this action wasn't the end user - but the big corporations...
[...] The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.
"Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn't much else to say," the developer previously wrote.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @01:19AM (7 children)
maven is my anti-npm
Doesn't NPM have a way to specify version ranges or pin a specific version (like an LTS)? Does node really just autoupdate everything? That must be a nightmare, sort of like using Windows 10.
(Score: 4, Informative) by NPC-131072 on Wednesday January 12 2022, @01:29AM (1 child)
https://research.swtch.com/npm-colors [swtch.com]
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @02:06AM
Well fuck.
(Score: 3, Informative) by Fnord666 on Wednesday January 12 2022, @02:05AM
NodeJS has the package-lock.json [nodejs.dev] file.
(Score: 4, Interesting) by vux984 on Wednesday January 12 2022, @02:23AM (2 children)
Yes. Of course it does. You can pin to range or specific version. I build docker images and production installs using "npm ci" which ensures the version that is installed is the version that was tested and validated and referenced in the committed package-lock.json. You can also "shrinkwrap" with npm and so on. The issue is that most people don't know what the tools can do or how to use them properly. And that includes me...I'm still learning new things. Who isn't?
The problem is that most people remain ignorant and don't care to get informed. npm install worked on my laptop... deploy to production the same way. That's not a flaw of npm. That's just people who don't know or don't care what they are doing. Eventually it goes boom.
npm has semantic versioning and conventions around issuing new major versions for breaking changes so if you write code that works with major version 6, it should work 6.1. 6.2, and so on, and npm won't automatically pull 7 without a specific command once you've pulled version 6. Not everyone follows the conventions, but by and large things tend to work well enough most of the time that essentially you do have lots of rope to hang yourself if you simply skip using the deployment and publishing tooling, skip testing and CI, etc.
(Score: 2) by Moru on Thursday January 13 2022, @06:09AM (1 child)
Apparently the problem also comes from believing that "npm ci" will save their bacon because it locks the versions. However that apparently only locks the versions you specify, not the second level of libraries pulled in by the things you pull in. And if this library pulls in even more dependencies you are sitting there using things four levels deep that you have no clue what it does with your server or your customers computers/phones. It's a disaster waiting to happen. It's enough with a developer getting an offer they can't refuse / get hacked and publish a cryptominer or something worse.
(I never used npm really because of this fear so don't quote me, this is just what I understood from others using it and getting bitten)
(Score: 2) by vux984 on Friday January 14 2022, @05:39PM
package-lock.json stores the entire dependency tree with all the actually installed versions, and npm ci recreates a node_modules folder with an identical dependency tree. What you are describing doesn't sound correct.
However, in general when you publish a *library*, you don't (and shouldn't) shrinkwrap it. So if your lib pulls package^3.1.2, and you publish it, then when a developer adds your package to their project they get the latest version of package v3 not 3.1.2 as a sub-dependency, and that might be what they are talking about? If there is a breaking bug in 3.1.5 then you will get that bug when they add your package that depends on the now buggy package.
But since this all happens when you add a package to your project, you should have problems in dev/testing; you'll discover and fix it (there are a variety ways -- ranging from overriding your tree to pull the older sub-dependency version to submitting a pull request and getting the problem bug in package 3.1.5 fixed in 3.1.6 and then updating) and when you go to actually publish an application you'll have fully vetted and tested it (right? RIGHT?!), and your application dependency tree is known-good, and then npm ci will replicate that exact tree in production.
The reason the *libraries* don't generally pin their dependency versions when they are published is to allow for point-release bug fixes to make make it downstream, and to minimize the number of copies of the same library with slightly different versions... you don't really need or want a copy of package@ 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6... to satisfy dependencies when they will all happily work with 1.1.6. (especially in browser apps which are already accused of bloat).
That said, if you do want to pin everything, there are solutions; you can fork your top level dependencies and shrinkwrap them. And then any pull of those libraries will get you the same (sub)dependency tree that was committed. I'd argue that this is not appropriate or necessary (and even counter productive) for most mainstream packages, but it definitely has it's place.
All this said, while I do work with it, I don't consider myself an npm expert by any stretch.
(Score: 2) by pgc on Thursday January 13 2022, @12:51AM
Yes, simply don't use the '~' and '^' .
But somehow they prefer the package-lock.json file instead.
(Score: 2, Funny) by Anonymous Coward on Wednesday January 12 2022, @02:02AM (13 children)
These apps are configured just to fetch whatever from wherever and execute it? Don't the app developers have to qualify and release a new version before that happens??
(Score: 4, Funny) by Fnord666 on Wednesday January 12 2022, @02:09AM (8 children)
Unfortunately, many build pipelines and tools will grab the most recent version of a package by default. With continuous integration being a thing, builds can happen multiple times a day. This can be prevented by either locking the particular version of a package using the build tool or having a local package repository that the build pipeline points to and not copying new packages into that repo until they have been vetted.
(Score: 4, Funny) by PiMuNu on Wednesday January 12 2022, @10:53AM (7 children)
The whole point of continuous integration is to support continuous testing. So a test server somewhere gets "bricked".
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @08:35PM (1 child)
Testing... waaahaaahahahahaaha...
oh wait, you're serious?
(Score: 1, Funny) by Anonymous Coward on Wednesday January 12 2022, @11:02PM
Everybody has a testing environment. But strange as it may sound some people are lucky enough to have a production environment.
(Score: 2) by Fnord666 on Friday January 14 2022, @04:37AM (4 children)
If it didn't cause any of the tests to fail, would it go unnoticed?
(Score: 2) by PiMuNu on Friday January 14 2022, @10:38AM (3 children)
Yes, but at least main workflows should be in any reasonable test setup...
(Score: 2) by Fnord666 on Friday January 14 2022, @02:32PM (2 children)
What I meant was that if I introduce new code that does something nefarious but doesn't brak any existing functionality, would it be detected by automated tests? Test driven development, for example, results in tests that will detect changes that break existing functionality, but it won't detect any added functionality. I'm also not sure that source code analyzers, especially static ones, pull in and verify included libraries.
(Score: 2) by PiMuNu on Friday January 14 2022, @03:02PM (1 child)
True. It doesn't seem to be what is happening here (where the new code is just locking up everything downstream).
Are you suggesting bad people can get into the code base and start doing Evil things downstream by manipulating a commonly used (but poorly supported) library?
(Score: 2) by Fnord666 on Friday January 14 2022, @08:54PM
Yes. Either the library changes hands or a developer's account get compromised for example. Evil code gets pushed to the repository and automagically picked up by ACME's build pipeline without anyone validating the new version. Everything is code reuse these days where the first thing developers do is see if there's a library available to do whatever they need so they don't have to do it themselves. Depending on where they are working this code might come from some dodgy web site hosted who knows where.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @05:12AM (2 children)
Well they shouldn't and yes the app developers should qualify explicit version dependency as a good practice. But many don't, some don't know better, some are so tightly wound by their PHB to deliver, deliver, deliver by last week that all the good engineering practice goes out the window. The latter is very common in my neck of the woods and its not just 1 company its almost a local culture so not like you can just switch job.
(Score: 1, Insightful) by Anonymous Coward on Wednesday January 12 2022, @12:38PM (1 child)
Package management for programming libraries is fundamentally broken. The process should be more akin to linux package managers where development is in a testing repo but releases are manually reviewed and signed by an independent maintainer after they're tagged. This stunt was mostly harmless [github.com] but the next one may not be.
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @10:44PM
Of course he knew nobody was going to pay him to work on it - "why buy the cow when you can get the milk for free", right?
But that whole free model has always had a cost to the developer. So not surprised that someone has said "fuck it, I've warned everyone, now they can just fuck off."
He doesn't owe the users anything, same as the users don't owe him anything. Reciprocity at work. You got something for free and it doesn't work? Aw, you're entitled to a full refund of what you paid.
Still not happy? You can always hire a developer. But the real problem here is WTF are people downloading a javascipt library 20 million times a week for? If your business is reliant on free javascipt libraries you're already fucked.
(Score: 2) by pgc on Thursday January 13 2022, @01:05AM
Yes, they are
(Score: 4, Insightful) by Fnord666 on Wednesday January 12 2022, @02:14AM (13 children)
(Score: 5, Insightful) by Anonymous Coward on Wednesday January 12 2022, @02:24AM (9 children)
They weren't going too (and hadn't) anyway. The users were always going to Freeload and Scab off the guy forever.
It's also a nice little reminder that the 21st Century's Super Trendy way to do Software Engineering is fscked.
(Score: 2, Touché) by khallow on Wednesday January 12 2022, @04:15AM (6 children)
So what? If you're giving it away for free to people who don't subscribe to the gift economy, there you go. I don't see the point of being upset. The expectation that others would contribute wasn't rational in the first place.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @09:34AM (1 child)
Yeah, but they could at least pretend to respect things like ownership and intellectual property. It's his code and his repos, to do with as he wishes, not for ShitHub to decide.
(Score: 2, Insightful) by khallow on Wednesday January 12 2022, @02:19PM
Well, he wished to release the code to the public under license. Restrains his present wishes quite a bit.
(Score: 2) by crafoo on Wednesday January 12 2022, @01:47PM (3 children)
Fine. I don't see any problem what so ever then when people get taken for a cruise down "you should have tested that" fairway.
(Score: 1) by khallow on Wednesday January 12 2022, @02:23PM (2 children)
Because? One inconvenient truth doesn't justify bad behavior.
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @11:03PM (1 child)
Here's an inconvenient truth for ya - he warned people 14 months ago that he wasn't going to support this forever, and that people should fork it.
They didn't? So he broke it? It's no worse than spiking your lunch with laxatives to catxh the office lunch thief. Actually, it's not even as bad …
But either way, if you're not paying for it you don't have any right to complain when shit happens happens. Here's your full refund of your purchase price - $0.00.
Remember the old joke of how if houses were built like software the first woodpecker would end civilization? Depending on a seemingly unlimited supply of free labour from developers isn't going to work during a time of increased and permanent shortages because of the aging population - covid was just gasoline on the fire.
But the software industry is in denial because it doesn't have a viable financial model for open source, and one of the incentives - that contributing developers will have a leg up with potential employers - simply isn't true during times of scarcity, when employers don't want employees to waste time on side projects, and employees can say "fuck you, pay me overtime or I'm going elsewhere."
Even non-unionized workers are realizing that the power balance has shifted. And after outsourcing to India almost bankrupted Boeing, employers play that game at their own risk.
(Score: 1) by khallow on Wednesday January 19 2022, @03:59PM
That's two incredibly dumb arguments. "Spiking your lunch with laxatives" with the expectation that someone will eat it, is something like assault, poisoning, maybe even attempted murder or murder, whatever the harm and felony charges end up being. It's not sane and it's not legal.
Second, as your first paragraph shows, the developer had the legal and respectable choice to just drop support for his software. That would have done it.
(Score: -1, Troll) by Anonymous Coward on Wednesday January 12 2022, @06:56PM
the dumb, mac-using bitch shouldn't have used a bsd style license then.
(Score: 1) by narcc on Thursday January 13 2022, @06:38AM
This. Anyone impacted by this deserves what they get.
Back when ebay was a new idea, I remember website owners getting revenge on jerks 'hot linking' their images for use in ebay auctions by replacing the image with the nastiest porn they could scrape off the bottom of the internet. (In those days, it was some nasty stuff indeed.)
So, yeah, don't make your project dependent on crap from some random kid that can change without notice. They're lucky this is the all that happened. This could have very easily turned in to a "now all of your customers are pwned" situation.
(Score: 5, Funny) by Anonymous Coward on Wednesday January 12 2022, @02:27AM (1 child)
Are the guys running arbitrary code more employable than this author?
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @02:04PM
No, but the guys and girls writing closed source code definitely are. And always have been. Whereas he (and the people who are dependent on his code) are just has-beens.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @05:58AM
I'm pretty sure the federal investigation for the construction of destructive devices probably took care of that first.
(Score: 3, Interesting) by Anonymous Coward on Wednesday January 12 2022, @02:32AM (1 child)
One of those companies prosecutes him under the CFAA
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @11:15PM
I'm sure he'll happily refund them the entire price they paid him. Even though open-source software comes with a standard disclaimer of liability, discamer of fitness for any purpose whatsoever, yadda yadda ...
You agree to use it at your own risk. Right there in the license. Are you arguing that open source licenses aren't legal? No quicker way to shut down open source permanently.
Those of us who have been saying that javascipt is a huge shitshow are happy to once again be proved right. We got popcorn, we got beer, let the bs prosecutions for damaging his own software, which users agreed they were using at their own risk, begin.
(Score: -1, Redundant) by Anonymous Coward on Wednesday January 12 2022, @04:37AM
And stopping the steal.
(Score: 2) by bzipitidoo on Wednesday January 12 2022, @05:24AM (9 children)
Business models suitable for supporting devs are still primitive. That's no reason to break trust and punish users. Did Marak ask for some crowdfunding, before pulling this stunt? No?
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @09:36AM (2 children)
Yeah, he wrote free software just to be a beggar, I'm sure.
(Score: 1, Insightful) by Anonymous Coward on Wednesday January 12 2022, @10:13AM (1 child)
If he wrote free software expecting to be wealthy, then he should be classified as insane.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @10:59AM
He was already rich from the free software known as Bitcoin.
(Score: 1, Insightful) by Anonymous Coward on Wednesday January 12 2022, @02:11PM (4 children)
Absolutely false. Keeping the source closed and licensing the software works. Ask everyone working for closed source software businesses. So does running code off a server and charging for use. The only one that doesn't work is the open source model, same as RMS.
Too funny.
(Score: 2, Interesting) by shrewdsheep on Wednesday January 12 2022, @03:24PM (1 child)
Well, that is easily disproved. Quite some open source companies around, even "good" ones: collabora, nextcloud, libreoffice companies,... . It is a bit harder, that's for sure, as you have to keep improving software. You cannot just sit there selling the same (or worse) software (like M$).
As for RMS: if he doesn't work, he makes infinite profit, right?
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @06:57PM
Open source development is mostly for suckers nowadays. In the past you could argue that it gave people seeking paid employment some credibility, but not now, not after log4j, this fiasco, and anyone looking for cred with employers can just write an app or a website that does something interesting without disclosing their source.
Even devs gotta eat.
(Score: 2) by bzipitidoo on Wednesday January 12 2022, @03:37PM (1 child)
> Keeping the source closed and licensing the software works.
Yeah, works so well that they have absolutely no piracy "problems" whatsoever!
Nor are users in the least inconvenienced when DRM locks them out of their own property. Or what should be their own property.
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @08:45PM
If you're using closed source software you have the executable - you're not entitled to a lifetime of support at no charge, same as open source. You want support, or new features, then pay the closed source devs to make them. Because at some point open source devs will say "fuck it, I gotta eat."
It's not like the open source community is going to release new versions of software abandoned by developers - the FSF, for example, doesn't actually contribute to updating free abandonware such as emacs.
The various linux distros don't either - they're too busy twiddling with the desktop UI to bother. (Redhat/IBM will, to increase lock-in, which is why we have unnecessary shit like systemd, which most users neither need nor want).
log4j was a symptom of how fragile open source development is. And how inept and lacking in coding chops most devs are today, relying on libraries they neither understand nor can write themselves. Time was, a coder's value was in actually being able to code.
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @11:25PM
Now, what he did is perfectly legal. Read the standard disclaimer that comes with open-source software. The user does bot own it. They merely have a license to use it. This license comes with absolutely no warranty, including no warranty of fitness for use.
The developer i certainly has the right to render his own property non-functional, and that's what they did. because, in the end, the code is their property, not the users.
Anyone who's not happy is free to ask him for a full refund of their purchase price they paid him …
Don't like it? Pay a dev. A real dev. Not a cut-n-paste monkey. Your business model doesn't allow you to do that? Then your business model deserves to die.
(Score: 3, Insightful) by deimtee on Wednesday January 12 2022, @10:33AM (1 child)
Why didn't he just put a distributed crypto miner in it?
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday January 12 2022, @10:50AM
So the US could call him a terrorist and have his home country ship him to an American gulag?
(Score: 3, Funny) by Anonymous Coward on Wednesday January 12 2022, @03:38PM (7 children)
I'm tired of Soylent News and other Fortune 5 companies deriving benefits from my snarky comments. If you guys don't pony up six figures, and maybe a pony now that I've mentioned it, then I'm going to stop posting AC.
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @05:23PM
Uh, did you miss the memo? They're going to start paying us 6 figures next week. Six zeros though... $000,000
(Score: 2) by janrinok on Wednesday January 12 2022, @05:29PM (4 children)
I agree - I've asked around and most of us here think you should receive at least the same remuneration as an Editor, or even as the Editor-in-Chief. We haven't got any ponies but I think we have a few unicorns left - would a couple of those do instead? I'm not sure that it'll make it up to 6 figures though....
Looks like somebody thinks we've made the big time guys!
(Score: 0) by Anonymous Coward on Wednesday January 12 2022, @07:00PM (3 children)
(Score: 3, Interesting) by janrinok on Wednesday January 12 2022, @10:23PM (2 children)
I understand your quip about having to pay extra for a Perl developer, but your comment has a serious side too.
Maybe employing a programmer would be a good idea, but that would be a big change from having operated since 2014 with an all-volunteer staff. We would have to increase our income accordingly to pay for the developer, and we would have to get involved in contracts, finances, and possibly sundry benefits too. If the community don't wish to support the increased costs by their own contributions then we have to consider alternative ways of raising that income - advertising? selling our data? Not very likely. they are all part of the reason that we did not support Dice's plans for the original /. and created this site in the first place.
Of course we are aware of the situation that we are in but there is no reason why the software itself should suddenly stop working. We will have to replace the Perl eventually but we still have time to consider what to replace it with. There is not a similar site that we can simply lift up and use. Slash has many thousands of hours of usage and most of the bugs have been found. Writing a new site will undoubtedly result in having to have a team dedicated to writing and testing the replacement while others maintain the current site. Which language to choose for the future site is also an issue. If we are to remain a volunteer organisation then it must be a programming language with sufficient developer support available for many years to come. We have a small but very capable team looking after the hardware systems and they are currently being restructured and simplified to meet our current needs, and we are looking at the options open to us for the future. We know of the frameworks that are out there but they all require a lot of work to change them to our requirements so that we don't simply become another 'framework-based-website' like many, many others already on the web.
This is only my personal view and it does not indicate any specific plan for the future. We are looking at the alternatives within the constraints and limitations of each of us having families, careers, and a real life to live too.
But the biggest problem with volunteer websites is that they depend on volunteers.
(Score: 0) by Anonymous Coward on Thursday January 13 2022, @01:01AM
I'll give you some free advice I also gave some of your staff, Inline::Python
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @09:21PM
Of course, last year would have been a better time - but better late than never. Because perl is like the Monty Python parrot - it's dead.
The economy has permanently changed. Between the aging population and the dumbing down of the population, we are now into long-term (decade, at least) shortages for many jobs - skilled, semi-skilled, and unskilled. We knew this was going to happen with the aging baby boomer population leaving the workforce, many doing so because of infirmity.
A good example of this is Harley-Davidson. A bloated, overpriced, and slow bike in comparison to what Harley owners deride as jap scrap. But let's face it, a Kawasaki Ninja bike is way faster, way more agile, way more dependable, and way cheaper.
Harley owners have always been baby boomers. They stopped publishing the age of their average purchaser back in 2006 when it hit 50. Now it's 65-66. And that age group is starting to have their drivers licenses pulled or restricted because of health problems such as vision deficits.
So there will eventually be a glut of used Harleys on the market, and only other aging baby boomers will be interested in them.
This is the same situation as perl - bow a baby boomer language with limited appeal. Even developers who want to "scratch their itch" by helping would rather just do something from scratch. So you're better off starting with the proposition that the "buck feta" code base is a dead end, and ask for help either identifying an alternative that is maintainable going forward, or looking for volunteers that are willing to develop something not written in perl.
I know if I were offered a million bucks to "do it in perl" I'd say "fuck beta and fuck perl." I've got better things to do with my life.
Oe of the original value propositions for working on open source projects was giving coders street cred, so they could leverage that into a paid job. As this story shows, that is simply no longer true. Doubly so working on anything written in perl. It makes you less employable because you'll pe pigeonholed as an old fart perl developer. Not a good look nowadays. So if you want to attract talent, scrapping perl is necessary, but not sufficient.
"It's not a crisis - just the loss of an illusion. Time to take the red pill."
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @11:29PM
Stupid is as stupid does.
(Score: 2) by Rich on Wednesday January 12 2022, @08:11PM (2 children)
Youthful anger fit. Tsss. He could've just announced "improvements" with generous advance information, and eventually implemented them. With subtle incompatibilities that would only affect a handful of fringe cases that are "using it wrong". Waited until the shit hit the fan. And then maintained the standpoint that the changes are a necessary improvement for the sake of happiness of mankind. Apple gets away with that on every new spin of their OS.
(Score: 0) by Anonymous Coward on Thursday January 13 2022, @01:32AM
You forgot the crucial steps of selling support, whereby one first accepts CC details, under the proviso that one will give a refund if it is an actual bug, and not really a feature / user mistake.
That way one can *always* profit. (MSFT's secret cash cow. Also the cash cow of every small PC shop ever: reinstalling windows for a fee).
Other than that, I thought you were talking about MSFT and not APPL for a bit there. Of course, we've come full circle now, and APPL is taking over from MSFT who previously took over from IBM... I guess that dates me.
(Score: 0) by Anonymous Coward on Saturday January 15 2022, @04:00PM