wtf is that
ap0sentada opened this issue · 35 comments
Marak is a greedy terrible person that decided to severely screw over his users by introducing malicious code that intentionally breaks colors.js.
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
He also blew up his apartment and apparently beat up his girlfriend.
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
In other words, do not trust anything from this person.
Marak should NOT be trusted as a developer! Especially after doing this unilaterally without notification.
@dustinlw1987 You're literally calling someone that helped millions of developers a greedy fuck what is wrong with you lol.
I'm going to call him out for his own actions. He burnt bridges and destroyed any possible trust anybody could have for him.
Fucking not sorry.
If you're using yarn, you can resolve this issue by adding the following to your package.json:
"resolutions": {
  "colors": "1.4.0"
}
It's always our responsibility to make sure we're not using malicious code. Always.
Precisely! It is also our responsibility to call out malicious actions.
Goddamn. I took down our whole infrastructure at work thinking we had been hacked.
Did he think for a second that this was hitting back at the big guys? It wasn't. It just fucked over a lot of us guys who are regular working slobs who now have to explain to the boss why our deployments imploded.
Fortunately I use chalk.js
Just a reminder that if your project broke because of this, you are using deps unsafely and most likely using a ^ in your package.json versions. In the world of FOSS, this maintainer is free to publish any version they want, since it is their repository. Beyond the politics or the protest or the broken builds... there exist engineering solutions for this to never affect you, and I don't think the solution is to censor or cancel @Marak.
My shit broke too, but I also respect that he is free to do this if he wishes. Don't complain that this is broken when you could write your own color.js and haven't paid to maintain Marak's. We are owed nothing, and anything we are given in the FOSS space is given on an honor system at best.
can someone fork?
If you read #285 you'll see I've already forked and am working to resolve the incident with the relevant parties.
shit
I am not here to justify what he did... But the guy is going through a tough period. His house burned down... He is literally homeless... Big companies are not contributing to the work open source does... It should be a wake-up call to all companies who are using open source code to generate revenue... Consider starting to contribute to open source to keep open source innovating...
what?
Marak crossed a line here. This seriously damages the whole community. If he wants to be paid directly there are sure other possibilities. This should not happen to anyone.
it is a terrible reason
Yes, It is...Maybe he is going through a mental breakdown. What he did is wrong no doubt about it.
Ahh, the cope in the comments is beautiful. So much third-party dependency whining and little action taken, so much to be expected from people who only know how to write npm install and copy documentation snippets.
If you don't like it, make your own faker.js
If you cannot...then why are you a programmer? Leave and make something else, you clearly aren't suited for technology, consider dumpster diving tho, it might be fun :D
@VentGrey you are clearly missing the point. It's about trust in the community.
NISU! waste my time
People are still using Marak's projects? Damn.
Hi, this is a duplicate of my comment in the other issue
Hi, in case the author will not maintain this project or fix this, I made a fork that restores the normal behaviour. I am not sure if I will maintain this package, but just in case the problem will not be solved and you don't want to be scared when running npm update...
https://github.com/euberdeveloper/colors.js
In any case I could also suggest passing to the chalk package, which is very good and has a serious and reliable author
It took me days to debug this issue :'(
Nice work!
Do we have any fix for npm?
npm already reverted to 1.4.0
"My shit broke too but I also respect that he is free to do this if he wishes. Don't complain that this is broken when you could write your own color.js and haven't paid to maintain Marek's. We are owed nothing and anything we are given in the FOSS space is given on an honor system at best."
Why would you respect someone that doesn't respect you? Nobody is asking anyone to maintain it. Like half the crumbling JS infrastructure, shit gets abandoned. But sabotaging tens of thousands of deployments intentionally is a very different matter.
It's like the cock smokers who hack people's sites and then blame the victim because they didn't understand an insanely complicated subsystem; it's just making excuses for what is fundamentally a malevolent and destructive action that hurts other people, for what?
This isn't free-software ideology, it's sociopathy.
The worst part is most people who got this implosion never actually did anything to deserve it, or even put it in their packages file; it's just there because some dependency of a dependency insists on it.
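The two points raised in this thread, that caret ranges let a fresh upstream release walk into a build and that the package is usually present only because "some dependency of a dependency insists on it", can both be checked against the lockfile. The script below is an added example written for this page; it is not code from the thread, from the colors project, or from npm. It walks the "packages" map of a package-lock.json (lockfile v2/v3), lists every package that declares a dependency on a given name, resolves the version each one actually got the way Node's lookup does, flags ranges that can float, and emits the npm "overrides" entry that pins the package, the npm counterpart of the yarn "resolutions" snippet posted above. The embedded lockfile and the names "some-cli", "some-logger" and "example-app" are constructed for the example and do not refer to real packages.

```javascript
'use strict';
// Added example (not from the thread or the colors project): audit an npm lockfile for a
// transitively pulled-in package, flag floating ranges, and build a pinning "overrides" entry.

// An exact pin is a full semver version (optionally prefixed with "=" or "v").
// Anything else (^, ~, x-ranges, comparators, hyphen ranges, "*", "latest", "") can float.
const EXACT_VERSION = /^[=v]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isFloatingRange(range) {
  return !EXACT_VERSION.test(String(range).trim());
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
function nameFromPath(lock, path) {
  if (path === '') return lock.name || '(root)';
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Mimic Node's resolution: look for node_modules/<target> beside the dependent,
// then walk up one node_modules level at a time until the project root.
function resolveInstalledVersion(lock, fromPath, target) {
  let p = fromPath;
  for (;;) {
    const candidate = (p ? p + '/' : '') + 'node_modules/' + target;
    if (lock.packages[candidate]) return lock.packages[candidate].version;
    if (p === '') return null;
    const i = p.lastIndexOf('/node_modules/');
    p = i === -1 ? '' : p.slice(0, i);
  }
}

// Every package (the root project included) that declares a dependency on `target`.
function findDependents(lock, target) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const declared = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (!(target in declared)) continue;
    const range = declared[target];
    out.push({
      dependent: nameFromPath(lock, path),
      range,
      floating: isFloatingRange(range),
      installed: resolveInstalledVersion(lock, path, target),
    });
  }
  return out;
}

// npm's counterpart of yarn "resolutions": one version for every occurrence of the package.
function buildNpmOverride(target, version) {
  return { overrides: { [target]: version } };
}

function auditLock(lock, target, pinTo) {
  const dependents = findDependents(lock, target);
  const rootName = lock.name || '(root)';
  return {
    target,
    declaredByRoot: dependents.some((d) => d.dependent === rootName),
    floatingDependents: dependents.filter((d) => d.floating).map((d) => d.dependent),
    dependents,
    packageJsonAddition: buildNpmOverride(target, pinTo),
  };
}

// Constructed lockfile: the app never lists colors itself; the hypothetical "some-cli" pulls it
// in with a caret range and the hypothetical "some-logger" with an exact pin.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'some-cli': '^2.0.0', 'some-logger': '~3.0.0' } },
    'node_modules/some-cli': { version: '2.1.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/some-logger': { version: '3.0.2', dependencies: { colors: '1.4.0' } },
    'node_modules/colors': { version: '1.4.0' },
  },
};

// Usage: node audit.js [package-lock.json] [package-name] [version-to-pin]
// Without arguments it audits the constructed lockfile above.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLock(lock, process.argv[3] || 'colors', process.argv[4] || '1.4.0'), null, 2));
}
```

Run against a real lockfile, the "dependents" list answers "who pulls this in and through what range", and "floatingDependents" is the set whose next `npm update` could swap the version under you unless the override is in place. The override only takes effect on the next install, so regenerate the lockfile after adding it.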
I read the article and I understand this action.
I think the freedom to wreck a project one built by investing one's own time belongs to its author.
The bigger shock is the fact that even Fortune 500 companies do not support well-known open source projects.
They say open source does not beg for money, but since each of these projects is a part of their own development, I think there is reason to invest in open source.
I am sorry for the companies that suffered damage, but I hope this incident becomes a turning point in people's thinking.
Used Google Translate to know what's written here, but I must say that, although I agree with the part about the author's free will over the project, I strongly disagree that the author of a project this size is entitled to ruin thousands of other projects that have color.js as a dependency... I also agree with @shayneoneill above: what @Marak did is sociopathy; if @Marak no longer wanted to maintain colors.js he could have created an issue here and announced his plans that way, rather than making all this fuss.
My opinion is based on the news below.
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
I do not entirely agree with that action.
But whose obligation is it to keep open source safe?
The users? The creators?
I want to side with the creators.
Yes, I agree it is on the darker side of the chaotic good personality types... I think Marak was using this as protest, which is sometimes done like this to disrupt society in a way where people actually have to listen and pay attention, because let's be honest, nowadays there is little room for conversation without action. Cancel culture actually created this situation.
This is too easy. Behaving like a berserker erases any good argument.