
posted by janrinok on Wednesday January 12 2022, @01:05AM
from the with-great-responsibility-comes-great-LOLability dept.

From Bleeping Computer

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.

Some surmised that the NPM libraries had been compromised, but it turns out there's much more to the story.

The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker'.

The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.

But the target of this action wasn't the end user - but the big corporations...

[...] The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.

In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.

"Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn't much else to say," the developer previously wrote.


  • (Score: 1, Insightful) by Anonymous Coward on Wednesday January 12 2022, @12:38PM (#1212083)

    Package management for programming libraries is fundamentally broken. The process should be more akin to Linux package managers where development is in a testing repo but releases are manually reviewed and signed by an independent maintainer after they're tagged. This stunt was mostly harmless [github.com] but the next one may not be.

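As an added illustration (not code from the article, from the comment above, or from the colors/faker projects), here is the kind of check a consumer of these packages could run before the comment's reviewed-and-signed release process exists: it flags floating semver ranges in a package.json, which are what let an unreviewed patch release of a dependency such as colors or faker flow into the next install, and cross-checks the lockfile for an integrity hash and for a version the team has actually reviewed. The manifest, lockfile, allow-list, the `example-lib` name and every version number are constructed.

```javascript
// Dependency audit for an npm project: flag declared ranges that are not exact
// versions, lock entries without an integrity hash, and lock entries whose
// resolved version differs from one the team reviewed. Added example; the
// manifest, lockfile, allow-list and every version number below are constructed.

const EXACT = /^\d+\.\d+\.\d+$/;                          // e.g. 1.2.3
const FLOATING = /^[\^~<>]|\|\||\s-\s|(^|\.)[xX*]($|\.)/; // ^ ~ > ranges, ||, a - b, 1.x, *

// Classify a declared version: "exact", "floating" (a range that can pull a newer
// release on the next install), or "other" (dist-tags such as "latest", git URLs).
function rangeKind(range) {
  if (EXACT.test(range)) return "exact";
  if (FLOATING.test(range)) return "floating";
  return "other";
}

// manifest: parsed package.json; lock: parsed package-lock.json (lockfileVersion 2
// layout, entries keyed "node_modules/<name>"); allowList: name -> reviewed version.
// Returns one finding per problem so a CI step can fail the build on any of them.
function auditDependencies(manifest, lock, allowList) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    const kind = rangeKind(range);
    if (kind !== "exact") {
      findings.push({ name, issue: `declared "${range}" is ${kind}, not an exact version` });
    }
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) { findings.push({ name, issue: "not present in lockfile" }); continue; }
    if (!entry.integrity) findings.push({ name, issue: "lock entry has no integrity hash" });
    if (allowList[name] && allowList[name] !== entry.version) {
      findings.push({ name, issue: `resolved ${entry.version}, reviewed version is ${allowList[name]}` });
    }
  }
  return findings;
}

// Constructed input: colors floats and resolved to a patch release nobody reviewed,
// faker is pinned but its lock entry lacks an integrity hash, and a placeholder
// package follows a dist-tag and is missing from the lock entirely.
const manifest = { dependencies: { colors: "^1.0.0", faker: "2.0.0", "example-lib": "latest" } };
const lock = { lockfileVersion: 2, packages: {
  "node_modules/colors": { version: "1.0.9", integrity: "sha512-CONSTRUCTED" },
  "node_modules/faker":  { version: "2.0.0" },
} };
const reviewed = { colors: "1.0.8", faker: "2.0.0" };

console.log(JSON.stringify(auditDependencies(manifest, lock, reviewed), null, 2));
```

In CI, treat any non-empty result as a build failure; a pinned range plus a matching integrity hash means a sabotaged upstream release cannot reach the build without a deliberate, reviewable lockfile change.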
  • (Score: 0) by Anonymous Coward on Saturday January 15 2022, @10:44PM (#1213022)
    This stunt was yet another warning that will be ignored. The guy warned everyone in November of 2020 - 14 months ago - to either fork it or pay him to work on it.

    Of course he knew nobody was going to pay him to work on it - "why buy the cow when you can get the milk for free", right?

    But that whole free model has always had a cost to the developer. So not surprised that someone has said "fuck it, I've warned everyone, now they can just fuck off."

    He doesn't owe the users anything, same as the users don't owe him anything. Reciprocity at work. You got something for free and it doesn't work? Aw, you're entitled to a full refund of what you paid.

    Still not happy? You can always hire a developer. But the real problem here is WTF are people downloading a javascript library 20 million times a week for? If your business is reliant on free javascript libraries you're already fucked.