# NPM implodes... again



## hardworkingnewbie (Jan 10, 2022)

Marak Squires is the author of two well-known and widely used libraries on NPM, colors and faker. colors gets 20 million downloads a week with 19,000 projects relying on it, while faker has 2.8 million weekly downloads and 2,500 dependents.

Suddenly users were startled, because programs using these libraries were printing out garbage, LIBERTY or the American flag. So they thought that NPM might be compromised - again.

This is not the case - the changes were made by the author himself. He already warned last year that he was not "going to support" big corporations with his free work any longer, and that these corporations should either fork his projects or compensate him with a six-figure yearly job.

Since this didn't happen, Squires modified his libraries. VessOnSecurity called this action irresponsible, stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps (www.bleepingcomputer.com)


----------



## SirDice (Jan 10, 2022)

hardworkingnewbie said:


> He already warned last year about not "going to support" big corporations with his free work any longer


Is there an open source license that has provisions for this? Something like, may only be used for non-commercial purposes, or something to that extent? But where do you draw the line? A small company with 10 people is allowed to use it but not if you have 100 or more? Or should it be based on the profits that the company makes (a company with 10 people could make more profit than one with 100)?

I mean, if you slap a GPL or BSD license on it then you are allowing big corporations to use it, whether you like it or not. That is the nature of those licenses.


----------



## hardworkingnewbie (Jan 10, 2022)

Nope, there's no such thing. Which is probably why the business model of some open source projects is having an open core and offering premium add-ons on top of it which are then closed source.

On the other hand up to some degree I can understand him: his work gets used a lot by many companies, but he doesn't profit from it and they don't give back. In former times people with influential projects/stuff were often hired by companies like IBM, RedHat, Oracle, SuSE and such (which is in itself often a good and bad thing at the same time, given the contract and leeway your employer gives you). 

Anyway, it's entirely his own fault for not coming up with a business model which supports his life. When giving stuff away for free people will use it for free, it's that simple.


----------



## jmos (Jan 10, 2022)

The thing I stumbled on: It's called "sabotage".

If I modify my own code in a way I want - how can that be sabotage? Others have to check if my code fits their usage (and this of course for every new version!), and there is also no claim to future versions of my code. It's up to the users to take care; if I'm taking care of others it's just nice for them, but nothing the users can insist on. There is no contract that says "you've given us usable software once, so you have to do this till you die". At least I'm writing open source software for myself - others can use it, too, but: that's it. I can do whatever I want with it.

But hey, you have no clue if you program your code yourself, starting in a green field - use third party instead; why reinvent the wheel, etc. So, that's why: control.


----------



## mer (Jan 10, 2022)

SirDice said:


> Is there an open source license that has provisions for this? Something like, may only be used for non-commercial purposes, or something to that extent?


Not sure about an open source license, but isn't this the basic model that Qt used for a while? Over the years I've seen a lot of projects stating this (please don't ask for examples, I'm going by memory), but never gave thought as to how enforceable it would be.
I've seen lots of things released under things like the BSD/MIT license and then at some point get closed (roughly what Oracle did with Java, Solaris, etc), resulting in a hard break. "Before this point in time, open; after, closed", so the community keeps the open part alive if it's worthwhile.
Owners of the copyright (code) can change the licensing terms at any point in time, but it only affects "from now on", not the past.

My limited knowledge of NPM type of stuff leads me to believe users probably need to range-check the version instead of just a minimum version number.

As for the code owner's actions, I'm bemused, and as jmos says he owns it, he can do whatever he wants with it.


----------



## drhowarddrfine (Jan 10, 2022)

mer said:


> users probably need to range check the version instead of minimum version number.



Users need to learn how to write their own software. Too many people rely on npm and other software that they could write on their own.


----------



## zirias@ (Jan 10, 2022)

Nobody forces you to use some "well-known" license, you can come up with your own licensing terms. I've seen projects in the past that just strictly forbid any commercial usage. Whether that's a good idea is a different discussion.

I think what we see here are symptoms of a "new generation" of open source devs and users. A lot already went down the drain (software quality), and just throwing libs and frameworks on your own project is done mindlessly. In fact, "teaching people not to upgrade"? This already happened. You see more and more projects that just "bundle" tons of dependencies, because not doing so would make everything fragile as hell. Nobody can keep track of a dependency tree with thousands of packages and really have an idea whether all these packages follow good practices like e.g. semantic versioning. Oh, and many don't.

Just recently, I had to fix something at work. It turned out an open source package introduced a really hefty breaking change in a patch-level release(!), without prior warning. To add insult to injury, there was NO documentation about it, and the commit introducing it was one huge mess with millions of code lines changed. I had to work through this behemoth to understand what's going on. This wasn't possible in GitHub's web interface; the commit was large enough to stall my browser.

I think any sense for quality is slowly getting lost.
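Both mer's suggestion of range-checking the version rather than only stating a minimum, and zirias's complaint about a breaking change shipped as a patch-level release, come down to how a dependency range is resolved against what the registry has published. The following is an added example, not code from this thread or from the colors/faker projects: a small JavaScript semver matcher that covers exact pins, caret (`^`), tilde (`~`) and bounded (`>=a <b`) ranges, a simplified subset of npm's range grammar. Every version number in it is constructed for illustration and is not a real colors or faker release.

```javascript
// Added example (not from the forum thread or the colors/faker projects):
// a minimal npm-style semver range matcher. It shows why a caret or tilde
// range pulls in whatever patch release is newest, and how an exact pin or
// an explicit upper bound ("range check") does not.
// All version numbers below are constructed for illustration.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into its parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Order two versions: -1, 0 or 1. A prerelease sorts below its final release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// Translate one range into a half-open interval [lower, upper), or null for
// an exact pin. Supported: "1.4.0", "^1.4.0", "~1.4.0", ">=1.4.0 <1.4.2".
function rangeBounds(range) {
  const r = range.trim();
  if (r.startsWith("^")) {
    const v = parseVersion(r.slice(1));
    // npm's caret rule: bump the leftmost non-zero component.
    const upper = v.major > 0 ? `${v.major + 1}.0.0`
                : v.minor > 0 ? `0.${v.minor + 1}.0`
                : `0.0.${v.patch + 1}`;
    return { lower: r.slice(1), upper };
  }
  if (r.startsWith("~")) {
    const v = parseVersion(r.slice(1));
    return { lower: r.slice(1), upper: `${v.major}.${v.minor + 1}.0` };
  }
  const m = /^>=\s*(\S+)\s+<\s*(\S+)$/.exec(r);
  if (m) return { lower: m[1], upper: m[2] };
  parseVersion(r); // validate the exact pin
  return null;
}

// Does `version` satisfy `range`? Prereleases never match a plain range.
function satisfies(version, range) {
  const bounds = rangeBounds(range);
  if (bounds === null) return compareVersions(version, range.trim()) === 0;
  if (parseVersion(version).prerelease !== null) return false;
  return compareVersions(version, bounds.lower) >= 0 &&
         compareVersions(version, bounds.upper) < 0;
}

// Pick the highest published version satisfying the range, which is what an
// install without a lockfile (or an `npm update`) does.
function resolve(range, published) {
  const ok = published.filter(v => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state: 1.4.2 stands in for a "patch" release that in
// fact breaks the library (not a real colors/faker version number).
const PUBLISHED = ["1.3.0", "1.4.0", "1.4.1", "1.4.2", "2.0.0-beta.1"];

console.log(resolve("^1.4.0", PUBLISHED));         // 1.4.2: caret accepts the breaking patch
console.log(resolve("~1.4.0", PUBLISHED));         // 1.4.2: so does tilde
console.log(resolve("1.4.0", PUBLISHED));          // 1.4.0: exact pin stays put
console.log(resolve(">=1.4.0 <1.4.2", PUBLISHED)); // 1.4.1: explicit upper bound
```

Run it with node. The point for the thread: the default `^` range written by `npm install` trusts the publisher to follow semver, so a breaking change labelled as a patch walks straight in. A committed lockfile records the resolved version and an install that honours it keeps that version whatever the range says; re-resolving the range (`npm update`) is what picks up the new patch.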


----------



## mer (Jan 10, 2022)

drhowarddrfine said:


> Users need to learn how to write their own software. Too many people rely on npm and other software that they could write on their own.


I don't disagree with this at all. But here I am relying on FreeBSD that someone else wrote. I'm kidding, that was just a joke, sarcasm, making fun of all of us. Over-reliance on third-party software simply because "it's easier" is the bane of writing software. There is a balance between the "Not Invented Here" mindset and the "use whatever you find" one that may be different for every project. And some folks may not actually be able to write what they need, but they at least need to understand how to vet what they use from others.



Zirias said:


> I think any sense for quality is slowly getting lost


I'm not so sure "slowly" is accurate anymore.  I think in general "quality" has been redefined downwards and "as quick as you can" is the operative phrase.


----------



## ct85711 (Jan 10, 2022)

While I have mixed feelings about what the person did, it is the part later on in the article that is worrying. The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.


----------



## mer (Jan 10, 2022)

ct85711 said:


> The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.


Yep, that is pure evil, but it seems to be the trend in hosting companies.


----------



## Crivens (Jan 10, 2022)

They should be happy he did this, instead of adding all sorts of malware droppers and miners which would have been an even bigger headache to find and clean up...


----------



## hardworkingnewbie (Jan 10, 2022)

ct85711 said:


> While I have mixed feelings about what the person did, it is the part later on in the article that is worrying. The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.


I mean it's Microsoft, what else to expect?


----------



## Crivens (Jan 11, 2022)

hardworkingnewbie said:


> I mean it's Microsoft, what else to expect?


I think that somewhere in at least one of these corporations the risk assessment department is now thinking as I did before, putting a price tag on the malware dropper case, guesstimating the probability of that case and passing the result to the bean counters as "cost of using all the free stuff without giving anything back". If it can happen, it will happen.


----------



## unitrunker (Jan 11, 2022)

Hypocrisy and possibly criminal ...

Bait-and-switch - Wikipedia (en.wikipedia.org)

I don't think this meets the threshold but it's dangerously close.

What Makes Bait and Switch Fraud - LAWS.com (fraud.laws.com)

Here's the original license straight off GH:

colors.js/LICENSE at master · Marak/colors.js (github.com)


----------



## Jose (Jan 11, 2022)

SirDice said:


> Is there an open source license that has provisions for this?


Closest I can think of is the Server Side Public License. Elasticsearch went to it recently, and Opensearch was born:

What is OpenSearch and the OpenSearch Dashboard? (www.elastic.co)

Frequently Asked Questions (opensearch.org)




I think this analysis is spot on:


> Pure OSS vendors are under constant pressure since their business model needs to subsidize their development and their margins are tight. Indeed, many OSS vendors are forced to an open core approach while they hold back functionality from the community (Cloudera), provide some of the closed-source functionality as a service (Databricks) or even making a complete U-turn, back to closed-source software (DataStax).



I have no idea how this is going to fall out, but will be following developments with interest.


----------



## msplsh (Jan 11, 2022)

I get this guy's frustration, but there is no technical solution for a social problem.  You don't "own" your NPM or GitHub accounts and the license plus their control over the platforms allows them to do what they did.

For people saying fraud.  What fraud?  It's in very big capital letters in the MIT License that you can't claim anything of the sort.  "npm update" doesn't guarantee any rights.

If he had chosen a different license, as people are ruminating about in here, the packages would _never_ have been as popular as they are now. Qt tried and eventually converted over. They leveraged success in business in order to get where they are now.

Finally, did they determine if this was or was not the same guy who got arrested for bomb stuff in his house?  That would explain a lot.


----------



## D-FENS (Jan 11, 2022)

hardworkingnewbie said:


> Marak Squires is the author of two well-known and widely used libraries on NPM, colors and faker. colors gets 20 million downloads a week with 19,000 projects relying on it, while faker has 2.8 million weekly downloads and 2,500 dependents.
> 
> Suddenly users were startled, because programs using these libraries were printing out garbage, LIBERTY or the American flag. So they thought that NPM might be compromised - again.
> 
> ...


... and mostly - not to rely on this library anymore, because its author is unpredictable.


----------



## drhowarddrfine (Jan 11, 2022)

roccobaroccoSC A lot of things with NPM are unpredictable or can be. Unfortunately, too many things, like online payments, rely on them. Stripe and Braintree payments require their usage, though with their own API. But the whole of their usage is through NPM.


----------



## ralphbsz (Jan 12, 2022)

msplsh said:


> Finally, did they determine if this was or was not the same guy who got arrested for bomb stuff in his house?  That would explain a lot.


Yes, judging by what the press says this is the same person as the QAnon follower and amateur bombmaker. To be honest, assuming that what was written about his bomb-making stuff is true, I'm amazed he's not in jail. 



ct85711 said:


> While I have mixed feeling to what the person did; it is the part later on in the article that is worrying.  The part I am referring to, is wherer it is said Github and NPM effectively took over the dev's work while also locking the dev's account.


On the contrary, I find that completely reasonable. In a nutshell, his software is open sourced. All GitHub and/or NPM did was to create a new forked version of his software (which he explicitly allowed to happen when he released it under an OSS license, in this case the MIT license), and then substitute the forked version for the version he is maintaining.

Each part of this is reasonable and ethical. I can fork any software I want ... the BSD license for example allows me to create a new OS, and call it DSBeerF (just spelling things backwards). All I need to do is to retain the original copyright notice. Nothing prevents me from uploading the new DSBeerF product to GitHub (other than the fact that I don't actually have a GitHub account). Nothing prevents Microsoft=GitHub from renaming the original copy of FreeBSD that is stored on GitHub to old_ugly_FreeBSD_do_not_use and storing my new DSBeerF in a directory named FreeBSD. And nothing prevents a packaging/upgrade tool such as NPM from installing/deploying my new DSBeerF when people request FreeBSD. Now, if I did that, would Kirk ever talk to me again? Probably not. But I don't think he could stop me (or Microsoft or GitHub). By the way, I'm obviously not planning to do anything like that.

The important part is this. Lots of people rely on a huge ecosystem of open source software. We can argue that people rely on it too much, that people who use open source need to do a better job of performing quality control on the things they use, but those arguments don't change that today we need this stuff. Given the health of the whole computer software ecosystem, Microsoft/Github and NPM did the right thing, by rejecting certain changes (made by a person of at best questionable mental state and ethics) and publishing a different version.


----------



## unitrunker (Jan 12, 2022)

msplsh said:


> Finally, did they determine if this was or was not the same guy who got arrested for bomb stuff in his house?  That would explain a lot.



Apparently so.


Developer sabotages his own apps, then claims Aaron Swartz was murdered (arstechnica.com)


----------



## AngryChris (Jan 12, 2022)

mer said:


> Yep that is pure evil, but seems to the the trend in hosting companies.


I can't agree. This guy should be perfectly okay with it. If he feels it's within his right to basically fuck everyone using his free code, code that he's free to do whatever he likes with, then he should be happy that GitHub is doing whatever they like with the account they graciously allowed him to use for free. And what they're choosing to do with their own platform is remove him from it. If he wants to keep distributing his broken code, he can do it from his own server.


----------



## msplsh (Jan 12, 2022)

unitrunker said:


> Apparently so.


No, this article just states "There’s also evidence."  There was a guy with the same name and a month later he made a fire tweet.  Is it THIS guy?  Maybe...


----------



## unitrunker (Jan 13, 2022)

msplsh said:


> No, this article just states "There’s also evidence."  There was a guy with the same name and a month later he made a fire tweet.  Is it THIS guy?  Maybe...


That's fair. FWIW - I find no record of a criminal conviction.


----------



## ralphbsz (Jan 13, 2022)

unitrunker said:


> FWIW - I find no record of a criminal conviction.


That is a bit disturbing. The press article about the fire at his place, and about his arrest did sound like bomb making materials, and the ATF got involved. Usually, cases like that are taken seriously.


----------



## zirias@ (Jan 13, 2022)

ralphbsz said:


> Nothing prevents Microsoft=GitHub from renaming the original copy of FreeBSD that is stored on GitHub to old_ugly_FreeBSD_do_not_use and store my new DSBeerF in a directory named FreeBSD.


Registered trademarks should prevent them.

But apart from that, fully agreed. Nothing "evil" here, just making sure there's no deliberate harm done on their platforms.


----------



## grahamperrin@ (Jan 13, 2022)

I'm late to this news. A couple of picks from comments captured in the Wayback Machine:

<https://wiki.p2pfoundation.net/Copyfair>
<https://wiki.p2pfoundation.net/Copyfarleft>
Via "JavaScript developer screws over own popular npm packages" (The Register):

Infinite loop causing Denial of Service in colors · GHSA-5rqg-jm4f-cqx7 · GitHub Advisory Database
Maybe one day I'll have a(nother) security advisory with my name on it. Nothing so disruptive, though.

I'm also late, by nine years and one day, to the linked news about Aaron Swartz.


----------



## msplsh (Jan 13, 2022)

grahamperrin said:


> I'm also late, by nine years and one day


Wow, yes.


----------



## D-FENS (Jan 15, 2022)

drhowarddrfine said:


> roccobaroccoSC A lot of things with NPM are unpredictable or can be. Unfortunately, too many things,  like online payments, rely on them. Stripe and Braintree payments require their usage though with their own API. But the whole of their usage is through NPM.


OMG


----------



## mfjurbala (Jan 15, 2022)

msplsh said:


> Wow, yes.


Same, just read a little about the situation.


----------

