Marak / colors.js

get colors in your node.js console
https://github.com/Marak/colors.js

Zalgo issue with `v1.4.44-liberty-2` release #285

Open Marak opened 2 years ago

Marak commented 2 years ago

It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors.

Please know we are working right now to fix the situation and will have a resolution shortly.

wolf-cola

DanielRuf commented 2 years ago

@kevinlonigro see https://github.com/aws/aws-cdk/pull/18324

kevinlonigro commented 2 years ago

Thanks for the thread to aws/aws-cdk#18324 https://github.com/aws/aws-cdk/pull/18324, much appreciated.


jerome-yvan commented 2 years ago

Hi, is there any way to fix this?

BitesizedLion commented 2 years ago

Hi, is there any way to fix this?

Downgrade to 1.4.0 or switch to Chalk

Solixity commented 2 years ago

So where is npm Inc. in such cases?

More seriously: what could the problems be if they revert the code to the version before the latest, with the same version number? (@DanielRuf, you seem to know about these things; thanks a lot for helping affected users.)

Or they did it already, I'm just checking: Last publish 3 hours ago

Nobody knows where they’re at. You could report it on https://npmjs.org/colors but in the end, that’d cause more problems than it’d solve. They’d erase the package as a whole, easier to just downgrade and hold.

Solixity commented 2 years ago

@Solixity I reported the bug like 1 hour before the whole thing started here, as I was expecting this before it happened ❗

Why would it cause more problems? And they pushed a new version now, I just checked. I can't get my head around the different cases and what would be best in such situations.

A lot of programs depend on this package, it’s a matter of it not resolving and causing CI test issues.

But I’m filing a report right now to npm as I type this.

DanielRuf commented 2 years ago

The .2 release added the same code to colors/safe, see https://diff.intrinsic.com/colors/1.4.1/1.4.2

So that is still ongoing and pinning to v1.4.0 (using resolutions or your package.json and package-lock.json/yarn.lock files if directly used) or switching to chalk or some other solution are the only viable solutions. Or patching the code to remove these loops with patch-package.

BitesizedLion commented 2 years ago

Why would it cause more problems?

If you had bothered to read his reply

They’d erase the package as a whole, easier to just downgrade and hold.

And they pushed a new version now, I just checked

All that version is, is the author adding the loop to colors/safe as well. This isn't a bug, this is intentional by the author.

Solixity commented 2 years ago

Why would it cause more problems?

If you had bothered to read his reply

They’d erase the package as a whole, easier to just downgrade and hold.

And they pushed a new version now, I just checked

All that version is, is the author adding the loop to colors/safe as well. This isn't a bug, this is intentional by the author.

It’s definitely intentional. If it wasn’t, he’d be responding to our comments.

And his comment in /safe doesn’t back up the fact that it wasn’t intentional.

timothystewart6 commented 2 years ago


oof

BitesizedLion commented 2 years ago

Why would it cause more problems?

If you had bothered to read his reply

They’d erase the package as a whole, easier to just downgrade and hold.

And they pushed a new version now, I just checked

All that version is, is the author adding the loop to colors/safe as well. This isn't a bug, this is intentional by the author.

It’s definitely intentional. If it wasn’t, he’d be responding to our comments.

And his comment in /safe doesn’t back up the fact that it wasn’t intentional.

Well, he couldn't really reply to comments if he wanted to anyway, he's permanently suspended from Github.

DanielRuf commented 2 years ago

They’d erase the package as a whole, easier to just downgrade and hold.

@Solixity since the left-pad drama happened, no, you cannot delete releases and packages after a specific amount of time and downloads.

https://docs.npmjs.com/unpublishing-packages-from-the-registry

https://docs.npmjs.com/policies/unpublish

https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html

Solixity commented 2 years ago

They’d erase the package as a whole, easier to just downgrade and hold.

@Solixity since the left-pad drama happened, no, you cannot delete releases and packages after a specific amount of time and downloads.

https://docs.npmjs.com/unpublishing-packages-from-the-registry

https://docs.npmjs.com/policies/unpublish

https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html

… yikes.

BitesizedLion commented 2 years ago

They’d erase the package as a whole, easier to just downgrade and hold.

@Solixity since the left-pad drama happened, no, you cannot delete releases and packages after a specific amount of time and downloads.

https://docs.npmjs.com/unpublishing-packages-from-the-registry

https://docs.npmjs.com/policies/unpublish

https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html

Right, but that's if it's the author trying to do it. the "They" in this case would be NPM

Surely the policy wouldn't apply if they're removing something malicious?

DanielRuf commented 2 years ago

We should focus on fixing the affected projects. See also https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640

Surely the policy wouldn't apply if they're removing something malicious.

Yes, as this would be against the usage terms and harms users. And hosting / distributing malware also has / could have some possible legal consequences, but this is not relevant now.

nahidakbar commented 2 years ago

I've used this package for a while and love it. But something of this level should have warranted a revert a lot sooner, regardless of how fancy the improvements are. Not my decision to make. Can't comprehend why anyone would need to put something like that in the colors package in the first place.

Anyways, keep up the good work.

sintaxi commented 2 years ago

@nahidakbar I'll help you get up to speed...

The author of this project has intentionally sabotaged the library. His attempts to "fix" the issue are disingenuous in an effort to troll you. He also revoked access of other contributors to prevent them from fixing the problem. Expect future patch releases to be further attempts to cause you grief. The best short term solution is to peg the package at 1.4.0 and start looking for an alternative or a fork.

dustinlw1987 commented 2 years ago

Marak should NOT be trusted as a developer! Especially after doing this unilaterally without notification.

This is unbelievable.

arthurfiorette commented 2 years ago

👀 npx marak-free

rsadr0pyz commented 2 years ago

npx marak-free

DABH commented 2 years ago

All: The latest status update is still https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640 , i.e., pin at 1.4.0, use @dabh/colors, or wait till tomorrow for updates. Please try to avoid adding unnecessary comments (even lighthearted remarks) to this thread, as useful info is getting buried in the hidden items. Presumably, a lot of people are going to be visiting this thread tomorrow, so let's try to be considerate of them and make the signal-to-noise ratio as high as possible. Thanks and stay tuned.

will-holley commented 2 years ago

If you're using yarn, you can resolve this issue by adding the following to your package.json:

```json
"resolutions": {
  "colors": "1.4.0"
}
```
makc commented 2 years ago

@Offroaders123

A lot of large projects appear to be requiring your dependency, and they have the version number set to use the latest release.

but.... that sounds like... the issue is actually on their end, no?

dustinlw1987 commented 2 years ago

I just found further evidence that Marak has severe mental health issues and cannot be trusted:

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

jamesmart77 commented 2 years ago

I am currently encountering this issue in @bubblewrap/cli. Should the colors peg at 1.4.0 go into my project's package.json that I am bubblewrapping or into the bubblewrap downloaded library itself?

Apollon77 commented 2 years ago

Maybe, @Marak, as an attempt to support you:

I think executing this command should ease it for many people:

```sh
npm dist-tag add colors@1.4.0 latest
```

This will mark the 1.4.0 as "latest" version on npm and so 1.4.1 and 1.4.2 will be ignored ...

dustinlw1987 commented 2 years ago

I just found further evidence

Here we go again. The investigator came with fake news. Shame on you @dustinlw1987 go and delete that

I will not, thank you. I'm reporting on the developer's state of mind and his actions which affect the developer community.

I reiterate: he has severe mental health issues and has been caught doing shady things that we should be concerned about.

BitesizedLion commented 2 years ago

I just found further evidence

Here we go again. The investigator came with fake news. Shame on you @dustinlw1987 go and delete that

Fake news? Ok, please tell me how it is fake news? That's a legitimate news source.

Crsarmv7l commented 2 years ago

People are upset why? Github suspended him why?

HE MADE CHANGES TO HIS OWN CODE.

Just because other people rely on it doesn't mean he cant change HIS OWN CODE

BitesizedLion commented 2 years ago

People are upset why? Github suspended him why?

HE MADE CHANGES TO HIS OWN CODE.

Just because other people rely on it doesn't mean he cant change HIS OWN CODE

He published malicious code when he has >20 million weekly downloads, not acceptable.

Solixity commented 2 years ago

People are upset why? Github suspended him why?

HE MADE CHANGES TO HIS OWN CODE.

Just because other people rely on it doesn't mean he cant change HIS OWN CODE

You’re failing to realize that he made changes that TONS of other people are now suffering from. At first, it was in one section but then he moved it onto the “safe” version. At that point, it’s deemed as malicious and people have the right to be upset about it.

davux commented 2 years ago

Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.

Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.

dustinlw1987 commented 2 years ago

Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.

Your opinion is still probably very interesting, and it will fit perfectly on social networks.

Marak's malicious actions and code is very much an issue. We will discuss them here.

BitesizedLion commented 2 years ago

Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.

Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.

Unfortunately this is the internet, and you also happen to have no power over this

BitesizedLion commented 2 years ago

Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.

Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.

Oh and, people can very easily find the solution since it is the 2nd comment, which is: downgrade and pin 1.4.0, or optionally use some other kind of fork if you wish to do that.

liquidautumn commented 2 years ago

In my opinion the former maintainer is irrelevant now, better to focus on reducing damage. While bigger projects have already fixed or are fixing this issue, multiple smaller package maintainers are having a hard time trying to figure it out. I've searched GitHub issues for 'Carl Pilcher' and linked this issue for ones without mention of color.js, but there will be more. Maybe we can have a bot that will do it automatically, if it is possible with the GitHub API.

BitesizedLion commented 2 years ago

Maybe we can have a bot that will do it automatically, if it is possible with github api.

Unsure if that is allowed.

davux commented 2 years ago

Maybe another maintainer involved in the project can take over development in a forked repository, and publish it to npm with either an alternative name or, if npm people allow it, the name colors so that people don't have to fix the dependency.

BitesizedLion commented 2 years ago

Maybe another maintainer involved in the project can take over development in a forked repository, and publish it to npm with either an alternative name or, if npm people allow it, the name colors so that people don't have to fix the dependency.

https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640

PythonCoderAS commented 2 years ago

In my opinion the former maintainer is irrelevant now, better to focus on reducing damage. While bigger projects have already fixed or are fixing this issue, multiple smaller package maintainers are having a hard time trying to figure it out. I've searched GitHub issues for 'Carl Pilcher' and linked this issue for ones without mention of color.js, but there will be more. Maybe we can have a bot that will do it automatically, if it is possible with the GitHub API.

I mean it isn't too hard to do since there is literally a tab on this repo which shows projects that are utilizing colors.js as a dependency. It also shouldn't be too hard to make an npm package that can be used with npx which does the pinning and automatically commits to GitHub if a .git folder is present.

AntonioRedondo commented 2 years ago

Colors.js is under the MIT license. According to this license the author provides the software "as is", without warranty of any kind:


As nasty as the new commit could be, the license shifts the responsibility of the library usage uniquely to the consumer, not the original developer/maintainer.

Not saying that this commit doesn't have further implications for open source software than the strictly ones covered in the license. But I think it opens a legitimate debate about who's responsible for damages and whether the author is morally entitled to such behaviour, even when it's extreme.

He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.

PythonCoderAS commented 2 years ago

He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.

The problem is that not everyone using colors.js is aware that they're using it. A lot of CLI tools use colors.js, and I don't really think about the packages behind them when I install them, or am even aware of them. It's not on me if my fourth layer of dependencies used color.js.

Itsbiggertheinside commented 2 years ago

I have a question for you, is it really that hard to get the latest version to 1.4.0 until you fix the problem? The people here asking you to do this have not installed colors.js for their own purposes. A small example: nest.js, which acts as a backend, is not running on my server.

liquidautumn commented 2 years ago

@Itsbiggertheinside do you mean the nest cli or the server itself? I've seen the cli had the colors problem, but the runtime should be ok, isn't it?

BitesizedLion commented 2 years ago

@dustinlw1987 @BitesizedLion can't you imagine two people with the same name or what? Do you imagine people have access to the internet in detention? What the hell are you? I'm out of this. It appears to me Marak is more sane than you. Go f*cking buy a book and learn some programming too.

What are you on about you absolute crackhead, lmao

notwedtm commented 2 years ago

Colors.js is under the MIT license. According to this license the author provides the software "as is", without warranty of any kind:


As nasty as the new commit could be, the license shifts the responsibility of the library usage uniquely to the consumer, not the original developer/maintainer.

Not saying that this commit doesn't have further implications for open source software than the strictly ones covered in the license. But I think it opens a legitimate debate about who's responsible for damages and whether the author is morally entitled to such behaviour, even when it's extreme.

He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.

This may be true to the extent that there is no implied warranty or guarantee against defect. Accidental harm and intentional harm are two very different things. This does not mean the author can't still be sued or criminally charged solely on intentional malicious actions. A good lawyer would be able to argue that @Marak knew prior to pushing this commit that the effects would cause financial harm to multiple organizations.

If you license your land to build a freeway but then decide the freeway is being used by too many people who are too rich and don't give you credit so you go and rip up the asphalt, you're still going to be liable for the destruction and potential dangers you've caused to the public.

cnamoncudev commented 2 years ago

nest js has dependencies on colors.js; how about going back to version 1.4.0?

liquidautumn commented 2 years ago

@cnamoncudev check related issue https://github.com/nestjs/nest-cli/issues/1480

tesch1 commented 2 years ago

@notwedtm another, even-lesser hypothetical lawyer than yours, might point out that a contract is only valid in as much as two things of value were exchanged - what was exchanged here? a super-duper-valuable promise of always keeping the copyright notice intact 😆

notwedtm commented 2 years ago

@notwedtm another, even-lesser hypothetical lawyer than yours, might point out that a contract is only valid in as much as two things of value were exchanged - what was exchanged here? a super-duper-valuable promise of always keeping the copyright notice intact 😆

That would most likely lead to a conversation about the fundamental differences between a contract and a license.