Corrupted NPM libs - Faker and Colors - the dark side of Open Source

1,604 views

PS After Hours

1 day ago

The last few days were very stressful for many developers. Out of nowhere, right after a deployment, their applications stopped working. The reason was frightening: two very popular JavaScript libraries pulled in via NPM had stopped working. colors.js was printing gibberish to the console, and faker.js had disappeared and was clearly broken. Hackers? A mistake? No. The frustrated open-source developer did it on purpose.
In this video you will learn the background story and, more importantly, how to protect your applications from pulling in corrupted libraries.
All about MIT license • MIT Open Source Licens...
NPM colors library www.npmjs.com/package/colors
NPM faker library www.npmjs.com/package/faker
#quadmeup #npm #opensource
0:00 Intro
0:16 What exactly happened to faker and colors NPM libs
2:23 Did the developer have a right to do it?
2:50 What MIT license says about that
4:12 How to protect your application
5:42 Outro
Visit my primary channel / dzikuvx
Facebook / quadmeup
Discord server quadmeup.com/discord
My website quadmeup.com/
Instagram / dzikuvx

Comments: 17
@threebadmicefpv · 2 years ago
I guess the industry will wring its hands together for a while ... then blame the developer... then carry on freeloading 🤦
@PSAfterHours · 2 years ago
Of course this is exactly what will happen.
@ChemistTea · 2 years ago
I think it's cool that he did this. I like this guy for it. Also, I haven't used these libraries so it did not affect me.
@typxxilps · 2 years ago
Thanks for the background and explanations. I had only heard it on the floor in a hurry and did not get behind it, except that someone had intentionally broken the latest version, which causes a kind of confusion, and how to protect the systems. But I had no time, so I missed a lot I guess.
@PSAfterHours · 2 years ago
I think the most important aspects of this are: open source devs can feel used and abused, and always pinpoint your npm to a specific version.
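Pinning, as the author recommends above, as an added example that is not the video's own code nor code from the colors or faker projects: a small Node.js script that flags `package.json` dependency specs which can float to a newly published release, and checks that the lockfile actually pins each direct dependency with an integrity hash. The manifest and lockfile below are constructed sample data; the placeholder hashes are not real.

```javascript
// Added example (not code from the video or from the colors/faker projects):
// audit a package.json for dependency specs that can float to a new release,
// and check that the lockfile pins what the manifest says.
// The manifest and lockfile below are constructed sample data.

// An exact version: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns null for a pinned spec, otherwise a short reason why it can float.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return null;
  if (s === '' || s === '*' || s === 'latest' || /^[xX]$/.test(s)) {
    return 'matches any version, including a brand-new major';
  }
  if (/^[\^~]/.test(s)) {
    return 'caret/tilde range: a newly published release in range gets installed';
  }
  if (/^\d+(?:\.\d+)?$/.test(s) || /^\d+\.\d+\.[xX*]$/.test(s) || /^\d+\.[xX*]$/.test(s)) {
    return 'partial version: newest matching release gets installed';
  }
  if (/[:/]/.test(s)) {
    return 'git/URL/alias spec: pin to a commit hash or exact version instead';
  }
  if (/[<>|\s-]/.test(s)) {
    return 'range expression: resolves to the newest matching release';
  }
  return 'unrecognised spec, review manually';
}

// Walk every dependency field and collect the specs that are not pinned.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// lockfileVersion 2/3 (npm 7+) keeps installed packages under "packages",
// keyed "node_modules/<name>". A direct dependency must be present, must
// match the pinned version, and must carry an integrity hash; otherwise the
// lockfile is not protecting you from a fresh resolution.
function checkLockfile(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push({ name, problem: 'not in lockfile; install will resolve it fresh' });
      continue;
    }
    if (EXACT.test(String(spec).trim()) && entry.version !== spec) {
      problems.push({ name, problem: `lockfile has ${entry.version}, manifest pins ${spec}` });
    }
    if (!entry.integrity) {
      problems.push({ name, problem: 'no integrity hash; tarball contents are unverified' });
    }
  }
  return problems;
}

// Constructed sample manifest: two floating specs, one pinned dependency.
const samplePackage = {
  name: 'demo-app',
  dependencies: {
    colors: '^1.4.0',   // any new 1.x release is picked up on the next install
    faker: '*',         // any version at all
    express: '4.17.1',  // pinned
  },
  devDependencies: { eslint: '>=7' },
};

// Constructed sample lockfile: faker is missing; hashes are placeholders.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': { version: '1.4.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/express': { version: '4.17.1', integrity: 'sha512-PLACEHOLDER' },
  },
};

console.log('floating specs:', auditManifest(samplePackage));
console.log('lockfile problems:', checkLockfile(samplePackage, sampleLock));
```

Two real npm settings make this the default rather than a review step: `npm config set save-exact true` makes `npm install <pkg>` write an exact version instead of a caret range, and `npm ci` in CI installs strictly from the lockfile and fails if it disagrees with `package.json`. The caveat: pinning only stops a new release from arriving unasked. You then own the decision to update, including for security fixes, and transitive dependencies are pinned only through the lockfile, so commit it.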
@raviverma8458 · 2 years ago
Open source software has a license, and most licenses contain clauses of "absolutely no warranty" and "no liability".
@PSAfterHours · 2 years ago
Yes, that's why it's 100% legal and we can only discuss the "morality" of the event.
@johanrg70 · 2 years ago
It's a good idea to pin packages to specific versions for a multitude of reasons, but if you think most teams actually verify that a package doesn't have "unwanted side effects" you're kidding yourself. Just download and use, screw the consequences, is my experience working with different teams unfortunately.
@breakflight · 2 years ago
Legal: Probably. Ethical: No. If he expected compensation, he could have chosen another license. It's not fair to say something is free and then feel bad when someone uses it for free. He lost a lot of trust when doing what he did. As a developer, he needs people to trust him.
@PSAfterHours · 2 years ago
Ethical: depends. As a developer he has to do nothing. It's only about consequences. And this shows a deeper problem with software like npm. You lose control over the code you use. Someone makes a mistake or decides to play a douchebag? Your code breaks. NPM is off? Your code breaks. Never expect that others will do your work, and appreciate the ones that make your life simpler.
@0x007A · 2 years ago
The developer could have released these libraries under dual licenses, one of which specifically addresses the commercial for-profit use case. The commercial license could state the MIT license is null and void for commercial use.
@FPVUniversity · 2 years ago
@0x007A That is an option. But it can happen only in the very beginning. If you have a "commercial" license, then you can also release under MIT, let's say. But conversion of MIT to "MIT and commercial" will not fly.
@0x007A · 2 years ago
@FPVUniversity Yes, it is possible to dual license after the original completely "do as you want" license. Post facto dual licensing has happened previously. However, the developer in question is a prick for deliberately breaking a library, as a protest against corporations, which is used by many non-commercial projects. The fact that corporations are notorious bad faith actors is immaterial to the harm created by the software developer by his actions.
@nerdCopter · 2 years ago
+1👍💩
@Server0750 · 2 years ago
Same for windows updates, just turn them off. ;)
@PSAfterHours · 2 years ago
Well, in the case of Windows updates, somebody cures them and we know who: Microsoft. In the case of NPM, nobody cures anything.
@0x007A · 2 years ago
The deliberate actions of the maintainer should be criminally charged and prosecuted. The license terms are not protective cover for malicious behaviour.