When open-source developers go bad
ZDNet ^ | 13 January 2022 | Steven Vaughan-Nichols

Posted on 01/14/2022 7:53:49 AM PST by ShadowAce

Chances are, unless you're a JavaScript programmer, you've never heard of the open-source JavaScript libraries 'colors.js' and 'faker.js'. They're simple programs that, respectively, let you print colored text on your Node.js console (Node.js being a popular JavaScript runtime) and create fake data for testing. Faker.js is used with more than 2,500 other Node Package Manager (NPM) programs and is downloaded 2.4 million times per week. Colors.js is built into almost 19,000 other NPM packages and is downloaded 23 million times a week. In short, they're everywhere. And, when their creator, JavaScript developer Marak Squires, fouled them up, tens of thousands of JavaScript programs blew up.

Thanks, guy.

This isn't the first time a developer deliberately sabotaged their own open-source code. Back in 2016, Azer Koçulu deleted a 17-line npm package called 'left-pad,' which killed thousands of Node.js programs that relied on it to function. Both then and now the actual code was trivial, but because it's used in so many other programs its effects were far greater than users would ever have expected.

Why did Squires do it? We don't really know. In faker.js's GitHub README file, Squires said, "What really happened with Aaron Swartz?" This is a reference to hacker activist Aaron Swartz who committed suicide in 2013 when he faced criminal charges for allegedly trying to make MIT academic journal articles public.

Your guess is as good as mine as to what this has to do with anything.

What's more likely to be the reason behind his putting an infinite loop into his libraries is that he wanted money. In a since-deleted GitHub post, Squires said, "Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn't much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."

Excuse me. While open-source developers should be fairly compensated for their work, wrecking your code isn't the way to persuade others to pay you. 

This is a black eye for open-source and its developers. We don't need programmers who crap on their work when they're ticked off at the world.

Another problem behind the problem is that too many developers simply automatically download and deploy code without ever looking at it. This kind of deliberate blindness is just asking for trouble. 

Just because a software package was made by an open-source programmer doesn't mean that it's flawless. Open-source developers make as many mistakes as any other kind of programmer. It's just that in open source's case, you have the opportunity to check it out first for problems. If you choose to not look before you deploy, what happens next is on you.

Some criminal developers are already using people's blind trust to sneak malware into their programs. For example, the DevOps security firm JFrog recently discovered 17 new malicious JavaScript packages in the NPM repository that deliberately steal users' Discord tokens, which can then be used on the Discord communications and digital distribution platform.

Is that a lot of work? You bet it is. But there are tools such as npm audit, GitHub's Dependabot, and OWASP Dependency-Check that can help make it easier.

In addition, make sure that before any code goes into production you run a sanity check on it in your continuous integration/continuous delivery (CI/CD) pipeline.

I mean, seriously, if you'd simply run either of these libraries in the lab, they would have blown up during testing and never, ever made it into the real world. It's not that hard!

In the meantime, GitHub suggests you revert to older, safer versions. To be exact, that's colors.js 1.40 and faker.js 5.5.3.

As CodeNotary, a software supply chain company, pointed out in a recent blog post, "Software is never complete and the code base including its dependencies is an always updating document. That automatically means you need to track it, good and bad, keeping in mind that something good can turn bad." Exactly!

Therefore, they continued, "The only real solution here is to be on top of the dependency usage and deployment. Software Bill of Materials (SBOMs) can be a solution to that issue, but they need to be tamper-proof, queryable in a fast and scalable manner, and versioned."

CodeNotary suggests, of course, you use their software, Codenotary Cloud and the vcn command-line tool, for this job. There are other companies and projects that address SBOM as well. If you want to stay safe, moving forward you must -- I repeat must -- use an SBOM. Supply chain attacks, both from within projects and without, are rapidly becoming one of the main security problems of our day.


TOPICS: Computers/Internet
KEYWORDS: javascript; nodejs

1 posted on 01/14/2022 7:53:49 AM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 01/14/2022 7:54:02 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

The man who sabotaged his own code should and will be blacklisted from any IT job in the long term.


3 posted on 01/14/2022 7:55:36 AM PST by Lazamataz (I feel like it is 1937 Germany, and my last name is Feinberg.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lazamataz

Agreed. I think he just shot himself in the foot.


4 posted on 01/14/2022 7:56:16 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce
I understand that Javascript is all there is on the browser side, but I don't get the current popularity of node.js on the server side, particularly for serious production systems. There's a reason why languages like Java are strongly typed; it's to catch bugs at compile time instead of at runtime. This is a good thing. I'm sorry programmers feel like it makes their lives harder. Building quality software is hard. Sorry; that's the way it is.

My current project has (some) Javascript on the server-side. We had a bug where -- mysteriously -- some email addresses failed to validate. The issue turned out to be that the JS code was validating them against the regular expression "[Object]" ... I'm not kidding. Email addresses that contained one of the letters in "Object" validated; others didn't.

5 posted on 01/14/2022 8:00:34 AM PST by Campion (What part of "shall not be infringed" don't they understand?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Trust open source libraries only from reputable and established sources like Apache SF, Google, VMware etc. Use anything written by individuals or independent third parties at your own risk.


6 posted on 01/14/2022 8:05:17 AM PST by libh8er
[ Post Reply | Private Reply | To 1 | View Replies]

To: Campion
The issue turned out to be that the JS code was validating them against the regular expression "[Object]" ... I'm not kidding. Email addresses that contained one of the letters in "Object" validated; others didn't.

This is what happens when people who are programming as a second (or third) choice are responsible for essential code. They do not have the mindset to think the way code executes.

And, of course, nobody tests anymore....

7 posted on 01/14/2022 8:07:13 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce
This is a black eye for open-source and its developers.

Apparently the author enjoys exaggeration and hyperbole.
8 posted on 01/14/2022 8:11:11 AM PST by SpaceBar
[ Post Reply | Private Reply | To 1 | View Replies]

To: SpaceBar

“A black eye” is hyperbole?


9 posted on 01/14/2022 8:12:11 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce
And, of course, nobody tests anymore...

Failure to test is one of the biggest contributors to the ongoing backsliding in IT. We have programs roll out to today that clearly show that no one wanted to spend the time nor money on simple tests.

I regularly witness failures for routine things that were resolved two decades ago that anyone with basic skills could prevent.

10 posted on 01/14/2022 8:13:13 AM PST by T.B. Yoits
[ Post Reply | Private Reply | To 7 | View Replies]

To: ShadowAce

There is so much high quality ‘open source’ code out there that yes, this is hyperbole. It’s like blaming the whole auto industry because one guy welds a coke bottle inside a door panel.


11 posted on 01/14/2022 8:15:16 AM PST by SpaceBar
[ Post Reply | Private Reply | To 9 | View Replies]

To: ShadowAce

they send me daily e mails looking for my project for them


12 posted on 01/14/2022 8:15:29 AM PST by bert ( (KE. NP. N.C. +12) California needs Zorro to destroy the neoNobility corruption)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Campion

Node’s main advantage is its simplicity. It’s basically a JavaScript wrapper around core functions written in C++ (Chrome V8 engine) so it can be very fast. So even though your backend seems to be written in a front-end language like JavaScript, all the heavy lifting is actually being done by C++, which is very, very fast. Couple that with how easy it is to learn JavaScript and find JavaScript developers and you can see why small companies and startups favor Node. And some big ones too.


13 posted on 01/14/2022 8:21:59 AM PST by libh8er
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce

I am delighted to have people use the code I have open sourced and would never think to damage it. If I wanted to be paid for it I wouldn’t have open sourced it. Don’t think anybody would have used it if I tried to sell it anyway, so just decided to be nice and make my own small contribution to open source, since like everybody else I have benefited by others doing the same. And open sourcing may help improve reputation and make it easier to get a good development job...but not if you are the kind of jerk that breaks their stuff to screw others...


14 posted on 01/14/2022 8:23:22 AM PST by AndyTheBear
[ Post Reply | Private Reply | To 1 | View Replies]

To: SpaceBar

Except there’s the whole scope issue. This sabotage affects thousands of programs, possibly millions of users. And of course there’s the problem that open source critics have been pointing to basically this exact “what if” pretty much from day 1. It is a black eye for the industry.


15 posted on 01/14/2022 8:24:37 AM PST by discostu (Like a dog being shown a card trick )
[ Post Reply | Private Reply | To 11 | View Replies]

To: ShadowAce

Since software began the actual programmers have been given Hind Teat. The Managers have wanted to take the bulk of the profits from people who can do what the Managers could never do.

It just goes to show you how truly powerless everyone is. Even the programmers in their personal lives depend on other programmers.

Just look at the last week’s revelation that some guy could control Tesla’s all over the world. And you want to give Amazon the ability to open your garage door? Please...

This complete reliance on Smart This, Smart That and the Cloud is Mass Suicide.


16 posted on 01/14/2022 8:26:59 AM PST by ImJustAnotherOkie (Let's go Brandon)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lazamataz

I guess but I’m not exactly rooting for the woke MegaCorps he’s sticking it to.


17 posted on 01/14/2022 8:33:14 AM PST by jarwulf
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce

Node = inject a couple thousand sketchy dependencies in your code.


18 posted on 01/14/2022 8:33:38 AM PST by glorgau
[ Post Reply | Private Reply | To 1 | View Replies]

To: libh8er

The author writes: While open-source developers should be fairly compensated for their work, wrecking your code isn’t the way to persuade others to pay you.

Well, that’s the rub. Shareware devs rarely make any money and regularly put in thousands of hours. While surrounded by FANG devs pulling down million dollar compensation packages. Author makes no attempt to solve that pesky problem. Some devs are going to resent 23 million uses and zero dollars coming in.

And yes, blindly updating to the latest dependencies without testing is foolish— a that can be defeated by only activating after a future date.

Good article.


19 posted on 01/14/2022 8:36:47 AM PST by bhl
[ Post Reply | Private Reply | To 13 | View Replies]

To: ShadowAce

Depending on the damage done he may be open to legal action.


20 posted on 01/14/2022 8:41:23 AM PST by Seruzawa ("The Political left is the Garden of Eden of incompetence" - Marx the Smarter (Groucho))
[ Post Reply | Private Reply | To 1 | View Replies]

