The sabotaged versions cause applications to infinitely output strange letters and symbols, beginning with three lines of text that read “LIBERTY LIBERTY LIBERTY.”
Getting :libertarian-approaching: vibes from this
https://github.com/Marak/colors.js/commit/074a0f8ed0c31c35d13d28632bd8a049ff136fb6
the comments under the commit lol
To put it the way we Chinese do: this is immoral of you.
Bro, do you want our wages docked over the New Year? This is miserable.
Why should programmers embarrass programmers
It's better to hold high the banner of political correctness and blackmail that company
Someone posted Jiang Zemin resignation speech :michael-laugh:
Even more curiously, the faker.js Readme file has also been changed to “What really happened with Aaron Swartz?”
…
“Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he says. “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
Organize Open Source now. This person was real close to getting it
Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work
If I did not want leeches leeching off my work I would have simply used the GPL or a compatible license. There’s a reason techbros jerk off to the MIT license, and it’s not in your best interests.
As much as FOSS people circlejerk about it, GPL and other copyleft licenses don't actually prevent giant megacorps from using your code. They'll just do it quietly and dare you to try suing their billion-dollar legal department when you catch them.
Nothing stops Amazon from spinning up millions of instances of some GPL program or library on their own machines and renting access to it. The GPL makes sense for end-user software like a web browser or a word processor, but it is woefully insufficient for middleware and services.
Sooner or later we need power. Laws only go so far, and corps and the military do routinely ignore licenses, esp. if those were created by leftists.
I'm a hobbyist programmer and have played around with javascript for personal projects but I've never used npm and I don't really understand it. People just blindly load code written by some rando and set it to auto-update? Whenever I hear about npm it's usually because a package broke a bunch of stuff. Why didn't everybody learn that it was a huge potential security issue and come up with a safer method the first time it broke everything?
In defense of external dependencies: For larger-scale things like applications it's incredibly difficult to do everything you need to do easily and well without relying on 3rd party code — some things I agree are super unnecessary (like the left-pad library that led to the original hoopla over npm) but others, like database clients, XML parsers, webservers, etc are exceptionally difficult to recreate and recreate well. I can tab-complete a basic rails app by myself in a couple hours (rails itself also being an external library) but if I need to dip into C code to write a performant webserver and robust database client every time I need to stand one up, it's going to take a lot more people and time to develop and maintain.
People shouldn't be auto-updating their code in production, but dependencies get re-installed in CI for running tests and sometimes get reinstalled when new code changes are deployed, so any time the current version gets yanked or overwritten it can cause a shitload of problems for the engineers working with that code, even if they're invisible. Part of my job is making sure that tests and builds run smoothly and only have errors when code changes actually cause tests to fail, since new changes can't be made or deployed until tests pass, so I know what sort of a huge disruption things like this can be to business operations.
Well, it'd cost money and take time to either not use it or go back and change it so you're not using it. It'd be easier to convince a suit to slit his grandmother's throat than to get them to not freak out about their devs spending time and money over a vague threat
People just blindly load code written by some rando and set it to auto-update?
Kind of yes and no.
For one, there are actually really useful bots out there that apply a dependency's recent update, run the tests, and create PR. This requires me to click "merge pull request" manually, so not fully automated.
On the other hand, there are tutorials written without a package.json, so they say
import X from 'x'; import Y from 'y'
but x and y were versions 2.13 and 4.11 at the time, but a fresh install yields 2.40 and 10.5, and you have no idea why the tutorial isn't working unless you already know too much to need a tutorial.
Also IMHO yarn and npm both kind of don't really work 100% correctly in regards to installs and lock files, unless they fixed it very recently.
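An added check for the two points raised above (dependencies get reinstalled in CI, and manifests without exact pins drift to whatever is newest); it is not code posted in the thread. It lists the specs in a package.json that a fresh install could move, and compares exact pins against the versions resolved in a package-lock.json. The package names come from the thread; the version numbers and both manifests are constructed.

```javascript
// Added example: audit a package.json for dependency specs that let a fresh
// `npm install` silently pick a newer release, and compare exact pins with
// the resolved versions in package-lock.json. Manifests and version numbers
// below are constructed; only the package names are taken from the thread.

const EXACT = /^\d+\.\d+\.\d+$/;

// Dependencies whose spec is not an exact x.y.z pin. "^1.0.0", "~1.3.0",
// ">=1.0.0", "*" and "latest" all float to a newer release on reinstall.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Exact pins whose lockfile entry is missing or resolves to a different
// version: the manifest and lockfile have drifted, so `npm install` would
// rewrite the lock (and `npm ci` would refuse to install).
function lockDrift(pkg, lock) {
  const out = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) { out.push({ name, spec, locked: null }); continue; }
    if (EXACT.test(spec) && entry.version !== spec) {
      out.push({ name, spec, locked: entry.version });
    }
  }
  return out;
}

// Constructed sample manifest and lockfile (lockfileVersion 2 layout).
const samplePkg = {
  dependencies: { colors: '^1.0.0', faker: '5.0.0', lodash: '4.17.0' },
  devDependencies: { 'left-pad': '~1.3.0' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': { version: '1.0.2' },
    'node_modules/faker': { version: '5.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log('floating specs:', findUnpinned(samplePkg));
console.log('lock drift:', lockDrift(samplePkg, sampleLock));
```

Run against a real project by replacing the two constructed objects with the parsed contents of its package.json and package-lock.json; anything the first function reports can change under you on the next CI reinstall.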
Also IMHO yarn and npm both kind of don’t really work 100% correctly in regards to installs and lock files, unless they fixed it very recently.
Yarn and NPM are still like the second most broken package ecosystem after Python and maybe Go (haven't checked on that one in a while but it was super fucky 6 or 7 years ago)
Fucked around: not shipping a competent standard library.
Finding out: the hundreds of supply chain attacks about to be unleashed over the coming years.
Seems like lots of big tech think “why buy the cow when the milk’s free” re FOSS
At least test when packages update. How do those companies still run?
Probably a small company or business owner that doesn't really check; those big corps that have a dedicated team to run and review code probably already nipped it in the bud.
those big corps that have a dedicated team to run and review code probably already nipped it in the bud
As someone who works for a big company: lmao nobody looks at my code
I know it doesn't work in dev, but approve it anyway, it'll work in prod.
source: Trust me bro.
At a small company I have to beg for review lol, and even then I'm basically just left with a "yeah looks good"
Reminder that this is basically 100% npm's fault because they have no real governance model on monitoring and maintaining packages. Also while it's not what happened this time, many such issues are also node's fault for not including enough functionality in core libraries by default, leading people to use libs like "left-pad".
My god, isn't that functionality included in the standard JS libraries?
It might be now lol. But lodash is still popular and every single thing in it should be part of the standard lib.
With cautious jurisprudence and without reading any more than the headline and the comments, I'm gonna call this one :based-department: BASED because it hurts companies
If they wanted to hurt companies they wouldn't have done it on a Saturday lol
Or they would have done something more disruptive than spamming the logs with zalgo. Hell, they could have taken the time to seek out other disillusioned open source devs who maintain widely used projects and coordinated some action with them
Same, I keep thinking about what a collective of package maintainers might be able to do if they got together, especially if they were all in the same space — like if the maintainers of every webserver client for a given language got together and put their packages on strike or something cooler