GitHub decided to restore the Faker.js developer's account

At the beginning of the month we shared here on the blog the news of a developer who sabotaged his own open source projects: Marak Squires, the author of two popular open source libraries, colors.js and faker.js, intentionally corrupted both libraries.

The developer of these two libraries pushed a commit to colors.js on GitHub that adds a new "American flag" module, and published version 6.6.6 of faker.js, which triggers the same destructive behavior.

The sabotaged versions cause applications to print garbage letters and symbols endlessly, starting with three lines of text that read "LIBERTY LIBERTY LIBERTY".

It must be said that after the corruption of the libraries, Microsoft quickly suspended his access to GitHub and removed the packages from npm.

A GitHub spokesperson offered this statement on the actions taken by the platform:

“GitHub is committed to the health and security of the npm registry. We removed the malicious packages and suspended the user account in accordance with npm's Acceptable Use Policy regarding malware as set forth in our Open Source Terms.”

The company also released the following security advisory:

“colors is a library for including colored text in node.js consoles. Between January 7 and 9, 2022, colors versions 1.4.1, 1.4.2, and 1.4.44-liberty-2 were released that included malicious code that caused a denial of service due to an infinite loop. Software that depended on these versions experienced random characters being printed to the console and an infinite loop resulting in unrelated system resource consumption. Users of colors who rely on these specific builds should switch to 1.4.0.”
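As an added example (not from the article or from either project), here is a small Python check that flags the advisory's malicious colors versions in a package-lock.json and shows why a caret range such as ^1.4.0 still resolves to two of them while an exact pin to 1.4.0 does not. The lockfile content is constructed, and the caret logic is a simplified form of npm's rule.

```python
import json
import re

# Affected colors versions as listed in the advisory above; 1.4.0 is the version it recommends.
AFFECTED_COLORS_VERSIONS = {"1.4.1", "1.4.2", "1.4.44-liberty-2"}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def parse_semver(version):
    """Split 'major.minor.patch[-prerelease]' into ((major, minor, patch), prerelease)."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def caret_range_allows(spec, version):
    """Simplified npm caret rule (assumes major > 0): ^a.b.c allows >= a.b.c and < (a+1).0.0, never a prerelease."""
    if not spec.startswith("^"):
        return spec == version  # exact pin: only the pinned version resolves
    lower, _ = parse_semver(spec[1:])
    candidate, prerelease = parse_semver(version)
    if prerelease is not None:
        return False  # 1.4.44-liberty-2 is a prerelease, so a caret range skips it
    return lower <= candidate < (lower[0] + 1, 0, 0)

def affected_versions_reachable(spec):
    """Which of the advisory's malicious versions a package.json spec could resolve to."""
    return sorted(v for v in AFFECTED_COLORS_VERSIONS if caret_range_allows(spec, v))

def find_affected_colors_in_lockfile(lockfile_text):
    """Paths in a lockfileVersion 2/3 'packages' map whose 'colors' entry resolved to an affected version."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == "colors" and entry.get("version") in AFFECTED_COLORS_VERSIONS:
            hits.append((path, entry["version"]))
    return hits

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"colors": "^1.4.0"}},
        "node_modules/colors": {"version": "1.4.2"},
        "node_modules/some-cli/node_modules/colors": {"version": "1.4.0"},
    },
})
```

Running `find_affected_colors_in_lockfile(SAMPLE_LOCKFILE)` reports only the top-level copy at 1.4.2, and `affected_versions_reachable("^1.4.0")` returns 1.4.1 and 1.4.2, which is why exact pinning plus a lockfile audit is the practical mitigation.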

While this may be obvious to some (the developer pushed a commit with malicious code, and GitHub and npm did the right thing to protect their users), a debate has erupted over whether a developer has the right to do this, and whether that right depends on how many projects and dependencies rely on their code.

“The risk posed by a dependency is high with small dependencies that are more commonly used, by a single unverified developer, installed through a package manager like npm, cargo, pypi or similar. However, when something goes wrong on this side, everyone notices immediately and people ask for funds quickly. However, it is not these dependencies that really sustain our economy. Many of these dependencies have become foundational, not because they solve a difficult problem, but because we have collectively begun to embrace laziness above all else. When we focus our funding discussions around these kinds of dependencies, we implicitly distract ourselves from the really important packages.”

Any suspension seems unreasonable if one considers that the code in the repositories belongs to its creator/maintainer. Yes, it is open source in the sense that anyone can fork and contribute to it, but does that mean GitHub can justify denying him the right to modify or even destroy his own code? Is there any “due process” in this type of decision?

Another issue raised by these events is how to properly reward people for the work they have done on the open source software that underpins other, larger software and enables mega-corporations to make huge profits.

In this case, these JavaScript libraries are used by Amazon's Cloud SDK, which is part of AWS.

Although colors.js and faker.js have sponsorship programs intended to ensure that open source maintainers get paid for their work, there is a huge gap between what the developers who designed and implemented popular packages like colors.js and faker.js receive and the value those packages provide to companies that reuse their work for free.

In any case, Marak Squires' account has been reactivated, and he wrote this:

“I removed the zalgo infinity error with colors.js v2.2.2 and am waiting to hear back from GitHub support to get my NPM publishing rights back.

“To the virtuous members of the 69th Social Media Medical Division:

“Thank you for your thoughts and prayers.

“I can assure you that I am healthy in body and mind. I am enclosing a certificate from the Reid Mental Institution, which proves beyond a shadow of a doubt that I, Marak Squires, do not have the brains of an ass.

“Can the members of the 69th Social Media Medical Division provide a document that proves that they do not have donkey brains?”

Related article:
An open source developer sabotaged his own libraries affecting thousands of applications


Jaime said

Hello, my name is Jaime del Valle and I work at an EdTech company. We are organizing a free event to talk about the subject "Free Software: To what extent should it be free?"

We would like to invite you as a speaker. The tentative date is Tuesday, April 19 at 7 pm, in digital format. Would you like to participate?