Marak / colors.js

get colors in your node.js console
https://github.com/Marak/colors.js

wtf is that #290

Open ap0sentada opened 2 years ago

ap0sentada commented 2 years ago

When I run code with const color = require("colors") I receive this log: [screenshot]

dustinlw1987 commented 2 years ago

Marak is a greedy terrible person that decided to severely screw over his users by introducing malicious code that intentionally breaks colors.js. https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

He also blew up his apartment and apparently beat up his girlfriend. https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

In other words, do not trust anything from this person.

DABH commented 2 years ago

This is a duplicate of #285. For the sake of making solutions easy to find, please consider closing this issue so folks go to #285 instead. Thanks.

dustinlw1987 commented 2 years ago

Marak should NOT be trusted as a developer! Especially after doing this unilaterally without notification.

roberrrt-s commented 2 years ago

@dustinlw1987 You're literally calling someone that helped millions of developers a greedy fuck what is wrong with you lol.

dustinlw1987 commented 2 years ago

@dustinlw1987 You're literally calling someone that helped millions of developers a greedy fuck what is wrong with you lol.

I'm going to call him out for his own actions. He burnt bridges and destroyed any possible trust anybody could have for him.

Fucking not sorry.

will-holley commented 2 years ago

If you're using yarn, you can resolve this issue by adding the following to your package.json:

"resolutions": {
  "colors": "1.4.0"
}

roberrrt-s commented 2 years ago

@dustinlw1987 You're literally calling someone that helped millions of developers a greedy fuck what is wrong with you lol.

I'm going to call him out for his own actions. He burnt bridges and destroyed any possible trust anybody could have for him.

Fucking not sorry.

It's always our responsibility to make sure we're not using malicious code. Always.

dustinlw1987 commented 2 years ago

Precisely! It is also our responsibility to call out malicious actions.

shayneoneill commented 2 years ago

Goddamn. I took down our whole infrastructure at work thinking we had been hacked.

Did he think for a second that this was hitting back at the big guys? It wasn't. It just fucked over a lot of us guys who are regular working slobs who now have to explain to the boss why our deployments imploded.

seho-dev commented 2 years ago

Fortunately I use chalk.js

ChristopherTrimboli commented 2 years ago

Just a reminder that if your project broke because of this, you are using deps unsafely and most likely using a ^ in your package.json versions. In the world of FOSS, this maintainer is free to publish any version they want, since it is their repository. Beyond the politics or the protest or the broken builds... there exist engineering solutions for this to never affect you, and I don't think the solution is to censor or cancel @Marak.

My shit broke too, but I also respect that he is free to do this if he wishes. Don't complain that this is broken when you could write your own colors.js and haven't paid to maintain Marak's. We are owed nothing, and anything we are given in the FOSS space is given on an honor system at best.
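The comment above about ^ ranges and will-holley's resolutions tip earlier in the thread describe the same mechanism from two sides: a caret range lets a fresh install pick up any newer 1.x release, and a tree-wide pin stops that. The script below is an added example written for this page (it is not code from colors.js, from Marak, or from any commenter) that models caret resolution over a constructed registry state and builds the pin block. The version list, the sample package.json, and the npm "overrides" field (supported by npm 8.3 and later) are assumptions of the example; the thread itself only mentions yarn "resolutions" and version 1.4.0.

```javascript
// Added example: not code from colors.js or from anyone in this thread.
// It models why a caret range such as "^1.4.0" floats to whatever newer 1.x
// release the registry serves, and what pinning through yarn "resolutions"
// or npm "overrides" changes. Every version list and package.json below is
// constructed for the example.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags and build
// metadata are rejected; the example only needs plain release versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Three-part numeric comparison: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal caret semantics for major >= 1: "^X.Y.Z" allows >= X.Y.Z and
// < (X+1).0.0. A range without "^" is treated as an exact pin. npm narrows
// 0.x carets further; that case is out of scope and rejected explicitly.
function satisfiesRange(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  const [baseMajor] = parseVersion(base);
  if (baseMajor === 0) throw new Error('0.x caret ranges are not modelled');
  const [major] = parseVersion(version);
  return major === baseMajor && compareVersions(version, base) >= 0;
}

// What a fresh install picks: the highest published version inside the range,
// or null when nothing matches.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfiesRange(range, v));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// List dependency entries whose range can float to a release that did not
// exist when the project was last tested.
function findFloatingRanges(pkg) {
  const floating = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (/^[\^~]/.test(range) || range === '*' || range === 'latest') {
        floating.push({ section, name, range });
      }
    }
  }
  return floating;
}

// Pin one package tree-wide without mutating the input. A pinned entry in
// "dependencies" only covers the direct dependency; "resolutions" (yarn) and
// "overrides" (npm) also apply to copies pulled in transitively, which is the
// case most posters in this thread hit.
function pinEverywhere(pkg, name, version) {
  return {
    ...pkg,
    resolutions: { ...(pkg.resolutions || {}), [name]: version },
    overrides: { ...(pkg.overrides || {}), [name]: version },
  };
}

// Constructed sample data: a project declaring a caret range, and a made-up
// registry state where newer 1.x and 2.x releases exist.
const samplePackage = { name: 'demo-app', dependencies: { colors: '^1.4.0' } };
const samplePublished = ['1.3.3', '1.4.0', '1.9.0', '2.0.0'];

// Run the whole flow once and return the findings.
function demo() {
  const pinned = pinEverywhere(samplePackage, 'colors', '1.4.0');
  return {
    floating: findFloatingRanges(samplePackage),
    resolvedWithCaret: resolve('^1.4.0', samplePublished),
    pinBlock: pinned.resolutions,
    resolvedWithPin: resolve(pinned.resolutions.colors, samplePublished),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the constructed registry state, "^1.4.0" resolves to 1.9.0 on a fresh install, while the pinned entry resolves to 1.4.0; the same pin block, placed under "resolutions" for yarn or "overrides" for npm, is what the earlier comment in this thread suggests. Committing a lockfile and installing from it (npm ci) achieves the same effect for the versions already recorded there.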

kkm commented 2 years ago

can someone fork?

jshor commented 2 years ago

I've forked this and will maintain colors from now on. See #292

Edit: @DABH will maintain a fork for this.

DABH commented 2 years ago

If you read #285 you’ll see I’ve already forked and am working to resolve the incident with the relevant parties.

VisZhangrong commented 2 years ago

shit

sanishchirayath1 commented 2 years ago

I am not here to justify what he did... But the guy is going through a tough period. His house burned down... He is literally homeless... Big companies are not contributing to the work open source does... It should be a wake-up call to all companies who are using open source code to generate revenue... consider starting to contribute to open source to keep it innovating...

ShaofeiZi commented 2 years ago

what?

jcschmidig commented 2 years ago

Marak crossed a line here. This seriously damages the whole community. If he wants to be paid directly there are sure other possibilities. This should not happen to anyone.

tswordyao commented 2 years ago

I am not here to justify what he did... But the guy is going through a tough period. His house burned down... He is literally homeless... Big companies are not contributing to the work open source does... It should be a wake-up call to all companies who are using open source code to generate revenue... consider starting to contribute to open source to keep it innovating...

it is a terrible reason

harish2704 commented 2 years ago

@sanishchirayath1 : FYI, https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

sanishchirayath1 commented 2 years ago

I am not here to justify what he did... But the guy is going through a tough period. His house burned down... He is literally homeless... Big companies are not contributing to the work open source does... It should be a wake-up call to all companies who are using open source code to generate revenue... consider starting to contribute to open source to keep it innovating...

it is a terrible reason

Yes, it is... Maybe he is going through a mental breakdown. What he did is wrong, no doubt about it.

VentGrey commented 2 years ago

Ahh the cope in the comments is beautiful. So much third party dependency whining and little action taken, so much to be expected from people who only know how to write npm install and copy documentation snippets.

If you don't like it, make your own faker.js

If you cannot...then why are you a programmer? Leave and make something else, you clearly aren't suited for technology, consider dumpster diving tho, it might be fun :D

jcschmidig commented 2 years ago

@VentGrey you are clearly missing the point. It's about trust in the community.

kimshinoh commented 2 years ago

NISU! waste my time

karikera commented 2 years ago

Duplicate of #289

euberdeveloper commented 2 years ago

Hi, this is a duplicate of my comment in the other issue

Hi, in case the author does not maintain this project or fix this, I made a fork that restores the normal behaviour. I am not sure if I will maintain this package, but just in case the problem is not solved and you don't want to be scared when running npm update...

https://github.com/euberdeveloper/colors.js

In any case, I could also suggest switching to the chalk package, which is very good and has a serious and reliable author.

minhlucvan commented 2 years ago

It took me days to debug this issue :'(

ddzy commented 2 years ago

If you're using yarn, you can resolve this issue by adding the following to your package.json:

"resolutions": {
  "colors": "1.4.0"
}

Nice work!

Chester97 commented 2 years ago

Do we have any fix for npm?

jcschmidig commented 2 years ago

Do we have any fix for npm?

npm already reverted to 1.4.0

shayneoneill commented 2 years ago

"My shit broke too but I also respect that he is free to do this if he wishes. Don't complain that this is broken when you could write your own colors.js and haven't paid to maintain Marak's. We are owed nothing and anything we are given in the FOSS space is given on an honor system at best."

Why would you respect someone that doesn't respect you? Nobody is asking anyone to maintain it. Like half the crumbling JS infrastructure, shit gets abandoned. But sabotaging tens of thousands of deployments intentionally is a very different matter.

It's like the cock smokers who hack people's sites and then blame the victim because they didn't understand an insanely complicated subsystem; it's just making excuses for what is fundamentally a malevolent and destructive action that hurts other people, for what?

This isn't free-software ideology, it's sociopathy.

The worst part is most people who got this implosion never actually did anything to deserve it, or even put it in their packages file; it's just there because some dependency of a dependency insists on it.

nameofSEOKWONHONG commented 2 years ago

I read the article and I understand this action. I think the author also has the freedom to ruin a project he built by investing his own time. What shocks me more is the fact that Fortune 500 companies do not support well-known open source projects. People say open source does not beg for money, but I see no reason for an artist to keep investing in open source while struggling in poverty. I am sorry for the companies that were harmed, but I hope this incident becomes a turning point in how people think.

nameofSEOKWONHONG commented 2 years ago

I read the article and I understand this action. I think the author also has the freedom to ruin a project he built by investing his own time. What shocks me more is the fact that Fortune 500 companies do not support well-known open source projects. People say open source does not beg for money, but I see no reason for an artist to keep investing in open source while struggling in poverty. I am sorry for the companies that were harmed, but I hope this incident becomes a turning point in how people think.

Used Google Translate to know what's written here, but I must say that, although I agree with the part about the author's free will over his project, I strongly disagree that the author of a project this size is entitled to ruin thousands of other projects that have colors.js as a dependency...

I also agree with @shayneoneill above: what @Marak did is sociopathy; if @Marak no longer wanted to maintain colors.js he could have created an issue here and announced his plans this way, rather than making all this fuss.

My opinion is based on the news below. https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ I do not completely agree with the action above. But who holds the free will and the obligations in open source? The user? The creator? I would side with the creator.

ChristopherTrimboli commented 2 years ago

"My shit broke too but I also respect that he is free to do this if he wishes. Don't complain that this is broken when you could write your own colors.js and haven't paid to maintain Marak's. We are owed nothing and anything we are given in the FOSS space is given on an honor system at best."

Why would you respect someone that doesn't respect you? Nobody is asking anyone to maintain it. Like half the crumbling JS infrastructure, shit gets abandoned. But sabotaging tens of thousands of deployments intentionally is a very different matter.

It's like the cock smokers who hack people's sites and then blame the victim because they didn't understand an insanely complicated subsystem; it's just making excuses for what is fundamentally a malevolent and destructive action that hurts other people, for what?

This isn't free-software ideology, it's sociopathy.

The worst part is most people who got this implosion never actually did anything to deserve it, or even put it in their packages file; it's just there because some dependency of a dependency insists on it.

Yes, I agree it is on the darker side of the chaotic good personality types... I think Marak was using this as a protest, which is sometimes done like this to disrupt society in a way where people actually have to listen and pay attention, because let's be honest, nowadays there is little room for conversation without action. Cancel culture actually created this situation.

jcschmidig commented 2 years ago

Yes, I agree it is on the darker side of the chaotic good personality types... I think Marak was using this as a protest, which is sometimes done like this to disrupt society in a way where people actually have to listen and pay attention, because let's be honest, nowadays there is little room for conversation without action. Cancel culture actually created this situation.

This is too easy. Behaving like a berserker erases any good argument.