Open source developer cripples own software, affects unknown number of projects

Posted by Joel Miller on Monday, January 10, 2022

Reading time: 4 minutes


Introduction

The developer of the widely used faker.js and colors.js libraries, Marak Squires, has been accused of intentionally crippling the GitHub repositories containing their source code. The two packages receive millions of downloads each week1 2 and are pulled in by a presumably large number of software projects, some of them commercial, such as the AWS Cloud Development Kit (CDK)3.

Users of these libraries most likely assumed they had pulled a corrupted or compromised release when they updated, as happened recently with the ua-parser-js package4 5.

When running the affected software after updating, users were greeted with output6 similar to the following:

[image of faker.js output]

Back in November 2020, the author had posted comments on the faker.js issue tracker expressing dissatisfaction with the lack of support from the companies that rely on the library for commercial use:7

Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work.

There isn’t much else to say.

Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.

Software supply chain security has become a major concern as software dependencies are increasingly targeted to disrupt or cause harm. Events like this will surely change how companies approach open source libraries, since sabotage by a project's own maintainer was likely never anticipated as a risk worth considering. It is worth remembering how the damage spread: any project declaring the dependency with a floating version range (a caret or tilde range in package.json, for example) picks up a release like this on its next install unless the exact version is pinned in a lockfile and installs are reproducible.
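The following script is an added example, not code from the original article or from either library. It audits an npm package.json together with its package-lock.json and reports dependencies that would silently pick up a new upstream release: version specifiers that can resolve to more than one version, and entries the lockfile does not pin with an integrity hash. The sample manifest and lockfile are constructed for this example (names, versions and placeholder hashes are not taken from any real project), and the lockfile layout assumed is the lockfileVersion 2/3 "packages" map.

```javascript
// Added example: audit an npm manifest and lockfile for dependencies that a
// maintainer-published release could replace on the next install.
// Sample inputs below are constructed for this example, not real project data.

// An exact, immutable version pin, optionally with a prerelease tag (1.4.0, 1.4.0-beta.1).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// True when a package.json specifier can resolve to more than one release.
function isFloatingRange(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'latest') return true;
  // Caret/tilde/comparator ranges, OR-ed ranges, hyphen ranges and 1.x wildcards.
  if (/^[~^<>]/.test(s) || /\|\||\s-\s|\.x\b|\.X\b/.test(s)) return true;
  // Git refs, URLs and dist-tags are not immutable versions either.
  return !EXACT_VERSION.test(s);
}

// How the lockfile (lockfileVersion 2 or 3 layout) resolved a top-level dependency.
function lockedEntry(lock, name) {
  return (lock.packages || {})[`node_modules/${name}`];
}

// Classify every dependency so CI can fail on anything not reproducibly pinned.
// A dependency missing from the lockfile is reported there and not double-counted
// as floating, since `npm ci` cannot reproduce it at all.
function auditDependencies(pkg, lock) {
  const result = { floating: [], unpinnedInLock: [], pinned: [] };
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    const entry = lockedEntry(lock, name);
    if (!entry || !entry.version || !/^sha512-/.test(entry.integrity || '')) {
      // Not locked, or locked without a sha512 integrity hash: the resolved
      // tarball is neither reproducible nor verified at install time.
      result.unpinnedInLock.push({ name, spec });
      continue;
    }
    if (isFloatingRange(spec)) {
      // Locked today, but `npm install` / `npm update` may move it tomorrow.
      result.floating.push({ name, spec, locked: entry.version });
    } else {
      result.pinned.push({ name, version: entry.version });
    }
  }
  return result;
}

// Non-zero when anything could change underneath the project without a manifest edit.
function exitCode(report) {
  return report.floating.length + report.unpinnedInLock.length > 0 ? 1 : 0;
}

// Constructed sample manifest: one caret range, one exact pin, one wildcard, one tilde range.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    colors: '^1.4.0',
    faker: '5.5.3',
    'left-pad': '*',
  },
  devDependencies: {
    chalk: '~4.1.0',
  },
};

// Constructed sample lockfile. Integrity values are placeholders, not real hashes.
// left-pad lacks an integrity field and chalk is missing from the lockfile entirely.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.4.0', integrity: 'sha512-PLACEHOLDER-colors' },
    'node_modules/faker': { version: '5.5.3', integrity: 'sha512-PLACEHOLDER-faker' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

const report = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const d of report.floating) {
  console.log(`FLOATING   ${d.name} ${d.spec} (currently locked to ${d.locked})`);
}
for (const d of report.unpinnedInLock) {
  console.log(`UNLOCKED   ${d.name} ${d.spec} (no verified lockfile entry)`);
}
for (const d of report.pinned) {
  console.log(`PINNED     ${d.name} ${d.version}`);
}
console.log(`exit code: ${exitCode(report)}`);
```

On real input, replace the two sample objects with the parsed contents of package.json and package-lock.json and wire `exitCode` into the CI step that runs before `npm ci`. The floating list is the one this incident exercised: a caret range is satisfied by any later 1.x release the maintainer chooses to publish, so only the lockfile plus a reproducible install stands between the project and the next push.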

Licensing

A very common license used for open source software, including the libraries mentioned in this article, is the MIT8 open source license, which clearly states:

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation …

There is nothing improper about what these companies are doing. They are adhering to the license attached to the projects, which does not restrict how the software is used, commercially or otherwise.

Parody licenses have been created, such as the DBAD9 license, which opens with:

Do whatever you like with the original work, just don’t be a dick.

This raises the question: if software is open source and free, when should one consider supporting it? The average shipped software bundle likely includes a significant number of open source libraries.

How can you support open source?

Here are just a few of the open source programs that you can join and support:

Updates

According to a tweet10 by the author:

NPM has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz

This has created controversy about what open source software is and who actually controls the rights to it. As of now, a rollback to a previous version of colors.js has reportedly also been performed to restore applications that depend on it.

Conclusion

Open source software has grown to have a significant impact on business. Large corporations such as Microsoft recognize its merits for the future of programming and business growth11. While some open source licenses do not require any compensation for use, many feel it is only right to contribute back to the authors who help make their products successful.

Additional Reading

https://fossa.com/blog/open-source-licenses-101-mit-license/

Sources


  1. https://www.npmjs.com/package/colors

  2. https://www.npmjs.com/package/faker

  3. https://github.com/aws/aws-cdk/issues/18323

  4. https://github.com/faisalman/ua-parser-js/issues/536

  5. https://www.cisa.gov/uscert/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js

  6. https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

  7. http://web.archive.org/web/20210704022108/https:/github.com/Marak/faker.js/issues/1046

  8. https://opensource.org/licenses/MIT

  9. https://dbad-license.org/

  10. https://twitter.com/marak/status/1479200803948830724

  11. https://www.zdnet.com/article/why-microsoft-is-turning-into-an-open-source-company/