Package manager npm: developers make their own packages unusable


The developer of the open source projects colors.js and Faker.js has modified the associated npm packages so that their latest versions are unusable. The manipulation is probably a protest against large companies that use open source projects without paying the developers adequately.

The package colors.js contains an endless loop in versions 1.4.1 and 1.4.44-liberty-2. What at first glance looked like an external attack turned out to be a regular addition by the maintainer and developer of the open source project himself. The addition, titled “Adds new American flag module”, can be found on GitHub.

After the three lines of text, however, an endless output of a wild string of characters follows. The supposed bug was noticed in the AWS Cloud Development Kit (AWS CDK), among other places, where a corresponding issue was opened; a tweet also drew attention to it.

A look at the rest of the code shows the clearly marked endless loop:

for (let i = 666; i < Infinity; i++;) {

The comments on that line range from “Dependency terrorism?” and “Feel the power from the infinity side” to “my hero”. There are also amusing suggestions for improvement, such as an extra iteration (“Could change to i <= Infinity for 1 extra loop”) or a simplification (“while (true) { is the best practice”).

Initializing the variable i with 666, the number of the Antichrist from the Revelation of John (possibly better known in developer circles from Iron Maiden's “The Number of the Beast”), was hardly a random choice, any more than the identifier Infinity was.


The same number turns up in the current version of the faker package: the release is numbered 6.6.6 and no longer contains any code. The same applies to the associated GitHub repository. Originally, the library generated pseudo data for various domains such as names or addresses, intended to help with testing and developing applications.

Before the complete cleanup, the GitHub repository contained issue #1046, in which the developer had already complained at the end of 2020 that he no longer wanted to do unpaid work for Fortune 500 companies: “No more free work from Marak – Pay Me or Fork This”. At the time he wrote, “Take this as an opportunity to send me a six-figure annual contract or to fork the project and let someone else work on it.”

The strike of the worker robots with Bender from Futurama can now only be found in the web archive, since the repository has been cleaned up.

The GitHub repository and the npm page of Faker.js no longer contain any code, but the readme refers to the Internet activist Aaron Swartz, who took his own life in 2013 at the age of 26: “What really happened with Aaron Swartz?”

The current incident is reminiscent of the left-pad package removed from npm in 2016. It had only nine lines of code and padded strings on the left with spaces or other characters to the desired width. Many developers found the helper function useful and used the package in their applications. When the developer removed left-pad after a dispute with the package manager service npm, the builds of numerous applications failed, including prominent ones such as Node.js and Babel.

The reactions to the approach of the developer of colors.js and Faker.js, who simply calls himself marak on GitHub and Twitter, are mixed. While some already celebrate the infinite loop in the code addition, others find the behavior irresponsible.

GitHub has also reacted and blocked the developer from accessing his repositories, which in turn drew critical reactions. A thread on Twitter shows examples of reactions on both sides, directed at the developer who “freaks out” as well as at GitHub as the centralized instance.

Fundamentally, coming shortly after the far more serious Log4j security vulnerability, the incident again shows how vulnerable projects with numerous dependencies are. Closely related is the question of whether the maintainers of open source projects receive too little support from the companies that benefit from them.
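As an added illustration of how a project with many transitive dependencies can check whether a sabotaged release has slipped into its tree (this is example code, not from the article or from the colors.js or Faker.js projects), the following script scans an npm lockfile for the versions the article names. It handles both the nested lockfileVersion 1 layout and the flat "packages" map of lockfile v2/v3; the sample lockfile and the package name "some-cli" are constructed for the example.

```javascript
// Added example: scan an npm lockfile for the sabotaged releases named in the article.
// The version list comes from the article; treating all other versions as unaffected
// is an assumption of this example, not a statement about the packages.
const SABOTAGED = {
  colors: new Set(['1.4.1', '1.4.44-liberty-2']),
  faker: new Set(['6.6.6']),
};

function isSabotaged(name, version) {
  return SABOTAGED[name] !== undefined && SABOTAGED[name].has(version);
}

// Walk lockfile v1 (nested "dependencies") as well as v2/v3 ("packages" keyed by
// node_modules path) and collect every hit with the path it was installed at.
function findSabotaged(lock) {
  const hits = [];
  if (lock.packages) {                                  // lockfile v2 / v3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;                        // root project entry
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps @scope/name
      if (isSabotaged(name, meta.version)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  const walk = (deps, prefix) => {                      // lockfile v1
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isSabotaged(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + '/');              // transitive dependencies
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v2 shape): a direct hit on faker and a transitive
// hit on colors pulled in by the hypothetical package "some-cli".
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/faker': { version: '6.6.6' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/chalk': { version: '4.1.2' },
  },
};

if (typeof module !== 'undefined' && require.main === module) {
  for (const h of findSabotaged(SAMPLE_LOCK)) console.log(`${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; a caret range such as ^1.4.0 in package.json is exactly what lets such a release be picked up on the next install.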

Further details and background on the incident can be found at BleepingComputer and in a blog post by Snyk.
