Marak / colors.js

get colors in your node.js console
https://github.com/Marak/colors.js

Zalgo issue with `v1.4.44-liberty-2` release #285

Open Marak opened 2 years ago

Marak commented 2 years ago

It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors.

Please know we are working right now to fix the situation and will have a resolution shortly.


Offroaders123 commented 2 years ago

Woah, crazy bug! Glad to know you are working on it. Just reinstalled the Live Server package because I came across this while trying to host a project over localhost. Tracked my way to the new american.js file here in your project because something related to this issue happened while starting the server. Really freaked me out! 😂


Offroaders123 commented 2 years ago

Alright, figured out how to temporarily fix the issue for use with Live Server. The package.json for Live Server has Colors.js set to use the newest possible version available, latest, so I changed it back to the most recent Colors.js version that didn't have the issue, 1.4.0. Just thought I'd share a fix for anyone else that may also run into this too 👍

niknbr commented 2 years ago

👋 Hi. Seems like it was introduced because of this infinite loop.

Marak commented 2 years ago


Still trying to figure out what happened. I think we may have tried to upgrade to JavaScript 6 but the CI system only supports JavaScript 5 and lower.

legendary0001 commented 2 years ago


Offroaders123 commented 2 years ago

Is it an option that, in the meantime, you could revert your project back to 1.4.0, the release before the new change was introduced? This seemed to fix all of the issues on my end. A lot of large projects appear to be requiring your dependency, and they have the version number set to use the latest release.

Marak commented 2 years ago


We've been up all night trying to work out a solution for this Zalgo bug and are still coming up short.

As much as we'd like to revert back to a previous working version, we strongly feel it's best if we can fix the actual problem instead of going back in time.

HACKERMAN'S HACKING TUTORIALS - How To Hack Time
https://www.youtube.com/watch?v=KEkrWRHCDQU

Offroaders123 commented 2 years ago

Yeah, changing the version number to an older release would fix it, but there are many projects out there that haven't been updated in multiple years, I don't think the devs for them will be around to change the Colors.js dependency not to use latest any time soon, Live Server could be an example. (This message was in reply to this one above)

mdonnalley commented 2 years ago

@Marak can you please promote the last working version to latest? I understand that you'd rather fail forward but our package is completely unusable because of this bug

Marak commented 2 years ago

I'm all out of ideas here. It's been a long night and I do have to begin to prepare soup for Sunday church services tomorrow. I'll try to come back to this Monday if time permits.

Perhaps one of the other maintainers can assist?

@substack @dominictarr and @tj should all have publishing access to NPM.

DABH commented 2 years ago

@Marak , It looks like you removed me from this repo so I'm unable to help. I can only imagine everything you're going through right now, but there are a bunch of other OSS devs like you who get hurt by pranks like this, rather than the big tech elite etc. that I think you are trying to go after. I'd be happy to help here, but please be willing to not harm the folks who would otherwise be on your side.

Darker-Ink commented 2 years ago

Best Bug though. You for sure should keep it in :+1: makes the console look cooler in my opinion.

nbarikipoulos commented 2 years ago

In package-lock file we trust and I will trust even for simple project...

trusktr commented 2 years ago

Hello whoever is behind this Marak account. Imagine if you turned your skill into making products for average humans that don't code, to improve their lives in big ways, leaving a bigger and longer lasting memory of what you've done... Bombs won't have as big of an impact in today's world.

heisian commented 2 years ago

💋

DanielRuf commented 2 years ago

For anyone who is affected, here are ways to check, which packages have to pin the version (the ones which directly use colors):

for npm:

npm ls colors

for yarn:

yarn why colors

In some cases you can use resolutions: https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/ https://www.npmjs.com/package/npm-force-resolutions

And in some you can easily apply a patch to remove the relevant code parts with patch-package: https://www.npmjs.com/package/patch-package

timleg002 commented 2 years ago

Or check one technology called Haskell; you could even write pure (determined) IOs using one thing called Monads 🤣 It's big fun Then you could run code that never ever break, having a one century of technology under your fingertips would then be possible look how https://negativespace.co/iphone-woman-hands-touch/

all haskell evangelists are now rust evangelists, you're stuck in time bro

cinderblock commented 2 years ago

What are we, the confused internet, missing here? What's going on? Is this some sort of April Fools' joke? Are you trying to get developers to not use @latest tags when installing dependencies?

sbmelvin commented 2 years ago

So has a successor to colors.js been decided yet?

cinderblock commented 2 years ago

@DanielRuf Yeah, I'm not going to go sleuthing around trying to find the relevant story. A lot just point back here but all I see are what look like inside jokes. Thank you for the HN link.

I see that faker.js is related but it looks like the original post the HN post is about has been deleted along with the repository. I've got to go back to the Way Back Machine to get some details: https://web.archive.org/web/20210704022108/https://github.com/Marak/faker.js/issues/1046


@sbmelvin I like chalk

slavanomics commented 2 years ago

absolute legend for this thank you marak dont let anyone tell you otherwise

DumbGameMaker commented 2 years ago

the fix isn't that hard

just remove the affected code.

DABH commented 2 years ago

Folks, a quick update. Semi-official since I have been a maintainer on this project for 2 or 3 years (albeit largely passively).

  1. Active steps are being taken to resolve this situation.
  2. You may pin your dependency to 1.4.0 while this issue is being resolved.
  3. If you prefer, you may reference https://www.npmjs.com/package/@dabh/colors, which has the same git history but none of the compromising commits. v1.4.0 is still the latest tag there. I will commit to maintaining this copy (i.e. keeping it in sync with the main repo) for some time after this issue is resolved. My goal is to amicably resolve things and have the original repo be maintained by the community, rather than telling people to "use my fork."
  4. I will have no other updates until at least Monday.
  5. This situation is not a joke, not trolling, and is reflective of serious personal issues. It is not constructive to make jokes or personal attacks. Furthermore, it is not helpful to continue posting the same links over and over in different places -- everyone closely involved is already aware of the history, and the reputational and real-life damage has already been incurred by the author; salting the wounds here only serves to reduce the chance of an amicable resolution.
  6. There are major flaws with the open-source community, as Marak and others have highlighted over the years. This is part of a larger conversation, and it is probably helpful for us all to take some time and reflect on how we can do better.

Please try to refrain from continuing to flood this thread until there is more to share, unless you have additional suggestions on workarounds (e.g. as @DanielRuf has provided). Thank you, stay safe, and be kind 🙏

kevinlonigro commented 2 years ago

I would say you need to remove the following code that was introduced in index.js printing the American flag. It was not there in 1.4.0. It breaks AWS CDK. I should not have to remove it myself.

/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}

dougpagani commented 2 years ago

I would say you need to remove the following code that was introduced in index.js printing the American flag. It was not there in 1.4.0. It breaks AWS CDK. I should not have to remove it myself.

/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}

"I should not have to remove it myself"

You must see the irony if the reason this maintainer did this is because he's treated as a slave for his maintenance work, and yet here you are saying you're entitled to not having to fix this yourself...

kevinlonigro commented 2 years ago

It's a matter of trustworthiness.

On Sat, Jan 8, 2022 at 10:25 PM dougpagani @.***> wrote:

I would say you need to remove the following code that was introduced in index.js printing the American flag. It was not there in 1.4.0. It breaks AWS CDK. I should not have to remove it myself.

/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}

"I should not have to remove it myself"

You must see the irony if the reason this maintainer did this is because he's treated as a slave for his maintenance work, and yet here you are saying you're entitled to not having to fix this yourself...


the-emmon commented 2 years ago

imo, The Liberty Update offers some nice QOL improvements

sintaxi commented 2 years ago

The author of this project has intentionally sabotaged the library. DO NOT EXPECT A FIX. Peg to release 1.4.0 and start looking for an alternative.

Marak, I hope you are ok. <3

Solixity commented 2 years ago

This is fine. I went to node_modules/colors/lib/index.js and commented lines 15-23 out. Truly a temporary fix until this is actually resolved.

And whoever made this forgot to remove the line after testing, go figure.

/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}

(Just realized someone posted this before me in the hidden items. Whoops.)

DanielRuf commented 2 years ago

@Solixity see also https://github.com/Marak/colors.js/issues/285#issuecomment-1008168237

Solixity commented 2 years ago

@Solixity see also #285 (comment)

Thanks. Truth be told, I’m more of a “search for the bad code and comment it out” type of person but if it gets annoying soon (I use colors for a lot of my projects), I’ll definitely patch the package or just downgrade to 1.4.0 as that’s what other people say is the latest working version.

renhiyama commented 2 years ago

@Marak we are with you! We support Aaron Swartz, and we give salute to him for the greatest work ever done in open source's history! Long live Aaron Swartz!

fzn0x commented 2 years ago

We support your work. But this is not the way to express your current state, this is a loser way, Marak. You can just open many ways for people to appreciate your work with some money.

BitesizedLion commented 2 years ago

Easy solution: ditch this garbage and use chalk

PythonCoderAS commented 2 years ago

Wow this is a really horrible way to protest something. What a child.

Edit: For the people disliking my comment, I cannot think of a faster way to evaporate all trust people have for you than by making a widely used library malicious. It's a one-way ticket to making sure you'll never find a job in software development ever again. If Marak really does have mental health issues it is not a justification for acting the way that he did -- only an explanation.

SpacingBat3 commented 2 years ago

Just a note that colors/safe still works fine though.

NOPR9D commented 2 years ago

Just a note that colors/safe still works fine though.

+1

nebulade commented 2 years ago

We've also just hit this in our Cloudron docs deploy pipeline. Now I saw there was a recent npm package release some 20min ago https://www.npmjs.com/package/colors/v/1.4.2 was this supposed to fix the issue? It seems the same problem is still there?

RPGillespie6 commented 2 years ago

I can't launch http-server because of this issue. Assuming this never gets fixed, what's the proper way to force npm to use an older version of this dependency for http-server? Edit the lock file?

DanielRuf commented 2 years ago

@RPGillespie6 see https://github.com/Marak/colors.js/issues/285#issuecomment-1008168237

@nebulade not really, see https://diff.intrinsic.com/colors/1.4.1/1.4.2. He added another loop to colors/safe, probably because he oversaw this.

reference: https://github.com/Marak/colors.js/issues/285#issuecomment-1008357669

bovidiu commented 2 years ago

I can't launch http-server because of this issue. Assuming this never gets fixed, what's the proper way to force npm to use an older version of this dependency for http-server? Edit the lock file?

Instead of reverting the http-server, downgrade this module version to 1.4.0, that's what I've done, until the bug gets fixed.

Solixity commented 2 years ago

You can run npm install colors@1.4.0 and it’ll downgrade as is. Don’t know why it decided to bonk the important part.

Hamahmi commented 2 years ago

Still happens in 1.4.2

DanielRuf commented 2 years ago

@Hamahmi yes, please see https://github.com/Marak/colors.js/issues/285#issuecomment-1008367265

korostelevm commented 2 years ago

Actually surprised that this didn't somehow bring down aws us-east-1.. takes a lot less usually. Maybe 1.4.2

Edit: https://github.com/Marak/colors.js/blob/6bc50e79eeaa1d87369bb3e7e608ebed18c5cf26/lib/extendStringPrototype.js#L55

Right here is the place to make the change to get log4j level hype though

PythonCoderAS commented 2 years ago

@RPGillespie6 see #285 (comment)

@nebulade not really, see https://diff.intrinsic.com/colors/1.4.1/1.4.2. He added another loop to colors/safe, probably because he oversaw this.

reference: #285 (comment)

Wow he is still going if this is true. You would think having 2 days to rethink this might convince him to think sanely but guess not.

vidhanio commented 2 years ago

I have deleted my previous comment to state that I support Marak's protest against big companies and their abuse of open-source, but Marak's character as a human is questionable. From allegations of burning down his house making bombs to abusing his girlfriend, I do not think the person running this repository is respectable (or sane) in the slightest.

korostelevm commented 2 years ago


https://xkcd.com/2347/

sintaxi commented 2 years ago

This is a troll campaign protest by the author of this module. This package is not going to get fixed and you will continue to get burned unless you pin the package to version 1.4.0. For a short term fix change your package.json & package-lock.json to use 1.4.0 and republish your module. Then start looking for alternatives, or a fork of this project.

Here is an example how to fix your package... https://github.com/sintaxi/surge/commit/32eaaa2c5731c20093c12fde4c92d58bacda377a

DO NOT use ^1.4.0 otherwise your package will pull the latest 1.4.* version of the module.

PS: The author of this module wants to raise awareness about Aaron Swartz. Go learn more about him and his alleged suicide.
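
The pinning advice given in this thread (find the packages that depend on colors directly, then pin them to exactly 1.4.0 rather than `latest` or `^1.4.0`) can be checked mechanically. The following is an added example, not code from any commenter or from the colors project; `classify`, `audit` and the sample manifests are hypothetical, and only exact, `^` and `~` specs are evaluated precisely, with every other spec treated conservatively as floating.

```javascript
// Added example (not from the thread): flag `colors` dependency specs that can
// resolve to anything newer than 1.4.0, the last release the thread calls good.
const GOOD = [1, 4, 0];
const FIRST_NEWER = [1, 4, 1]; // smallest version above GOOD

// "1.4.2" or "v1.4.44-liberty-2" -> [major, minor, patch]; suffix is ignored.
const parse = (v) => /^v?(\d+)\.(\d+)\.(\d+)/.exec(v).slice(1).map(Number);

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Hypothetical helper: returns 'ok', 'exact-newer' or 'floating' for one spec.
function classify(spec) {
  const s = String(spec).trim();
  if (/^v?\d+\.\d+\.\d+(-[\w.-]+)?$/.test(s)) {
    return cmp(parse(s), GOOD) > 0 ? 'exact-newer' : 'ok';
  }
  const m = /^([\^~])v?(\d+)\.(\d+)\.(\d+)$/.exec(s);
  // Tags (latest), *, x-ranges and comparators: assume they can float.
  if (!m) return 'floating';
  const [maj, min, pat] = m.slice(2).map(Number);
  let upper; // exclusive upper bound of the ^ or ~ range
  if (m[1] === '~') upper = [maj, min + 1, 0];
  else if (maj > 0) upper = [maj + 1, 0, 0];
  else if (min > 0) upper = [0, min + 1, 0];
  else upper = [0, 0, pat + 1];
  return cmp(upper, FIRST_NEWER) > 0 ? 'floating' : 'ok';
}

// Hypothetical helper: manifests maps a package name to its parsed package.json.
function audit(manifests) {
  const findings = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      const spec = (pkg[field] || {}).colors;
      if (spec === undefined) continue;
      const verdict = classify(spec);
      if (verdict !== 'ok') findings.push({ name, field, spec, verdict });
    }
  }
  return findings;
}

// Constructed sample manifests, not real packages.
const SAMPLE = {
  'app-latest': { dependencies: { colors: 'latest' } },
  'app-caret': { dependencies: { colors: '^1.4.0' } },
  'app-pinned': { dependencies: { colors: '1.4.0' } },
  'app-old-tilde': { devDependencies: { colors: '~1.3.0' } },
  'app-newer': { dependencies: { colors: '1.4.2' } },
};
console.log(audit(SAMPLE));
```

A manifest check like this only covers direct dependencies; the lock file still decides what is actually installed, so the pin has to be reflected there as well.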

kevinlonigro commented 2 years ago

Excellent advice. Hopefully AWS follows for their CDK by not using the caret.

On Sun, Jan 9, 2022, 4:35 PM Brock Whitten @.***> wrote:

This is a troll campaign by the author of this module. This package is not going to get fixed and you will continue to get burned unless you pin the package to version 1.4.0. For a short term fix change your package.json & package-lock.json to use 1.4.0 and republish your module. Then start looking for alternatives, or a fork of this project.

Here is an example how to fix your package... https://github.com/sintaxi/surge/commit/32eaaa2c5731c20093c12fde4c92d58bacda377a

DO NOT use ^1.4.0 otherwise your package will pull the latest 1.4.* version of the module.
