Marak / colors.js

get colors in your node.js console
https://github.com/Marak/colors.js

(Semi-Official) Status Update #317

Closed DABH closed 2 years ago

DABH commented 2 years ago

Folks:

Since #285 has been spammed into oblivion, I thought I would post a new issue here instead for better visibility. As promised, here is the update I have from today:

  1. I got npm support to remove the offending package versions from there, so users of (dependent libraries of) colors will no longer be affected by the compromised versions. The compromised versions are deleted from npm.
  2. Control of the repositories is still an issue with GitHub and npm. I am working with both support teams to either transfer control of the repositories to someone who won't sabotage them, or to make the "colors" name on npm just point to my copy at @dabh/colors (my preferred solution).
  3. https://github.com/DABH/colors.js continues to be a safe alternative and the "official" fork until such time as this incident is fully resolved.
  4. Although I know I'm shouting into a void, let's please try to work together as a community to combat spam, trolling, etc. on the threads/issues/commits here. The only thing it accomplishes is burying relevant info for the developers who need it.

Thanks, and I'll post another update when I have one.

ethnh commented 2 years ago

2 -- Definitely don't try to transfer away the repo, it's his code in the end. Pointing NPM to a different repo would work fine enough, I wouldn't even consider transferring an option 👎

sashmit commented 2 years ago

@EthanHindmarsh I would not even consider it "his" code

@DABH seemed to actually change more of the code (in terms of lines of code) as well as other contributors. So technically they would own the copyright for the characters they changed: https://github.com/Marak/colors.js/graphs/contributors

Them's the breaks with OSS that doesn't have an explicit CLA for copyright assignment.

bet0x commented 2 years ago

2 -- Definitely don't try to transfer away the repo, it's his code in the end. Pointing NPM to a different repo would work fine enough, I wouldn't even consider transferring an option 👎

Totally agree. People fork projects so fast just to get some fame. It's his code. Period. Also, @DABH you didn't clone the repo, you just uploaded it as if it was yours. I don't like those moves.

r-bird commented 2 years ago

It's his code. Period.

I wonder if @torvalds would call the Linux source code "his code".

csvan commented 2 years ago

Can we please not send this thread to spam-hell as well. Keep discussions in the other one instead since that is basically the only thing it is used for right now.

funkyfuture commented 2 years ago

It's his code. Period.

I wonder if @torvalds would call the Linux source code "his code".

it isn't about the MIT-licensed code, but about a repository.

liquidautumn commented 2 years ago

2 -- Definitely don't try to transfer away the repo, it's his code in the end Pointing NPM to a different repo would work fine enough, I wouldn't even consider transferring an option -1

There are 44 contributors to this project, it is their code, not his.

DABH commented 2 years ago

Feedback from everyone will be sought and we can have ample flame wars as soon as NPM/GitHub tell us what resolution they find acceptable. Thanks.

ethnh commented 2 years ago

@sashmit My point still stands regardless of who we consider the "owner" of the code: It would be incredibly disrespectful to the original author & maintainer of the code to take the repo off his account w/o his permission -- pointing the NPM package to a different repo is a different issue entirely

nocturn9x commented 2 years ago

It's funny how people are arguing here about how to take ownership of this repository from its rightful owner. It may not be ONLY his code, but it's also his code and this should not be done without the consent of all copyright holders. Allowing this means corporations like Microsoft, which runs GitHub if you had been living under a rock recently, can just ban someone and transfer their repositor(y|ies) to another user deemed more worthy of being able to speak out. Don't support this bullshit, the idiots that automatically updated their dependencies in production are the ones to be blamed. Trying to rob someone of their own code is outright theft and you guys are disgusting individuals

nocturn9x commented 2 years ago

It's his code. Period.

I wonder if @torvalds would call the Linux source code "his code".

Not only his code. Copyright isn't a black or white matter: the code he wrote IS in fact his. The reason why the kernel couldn't switch from GPL2 to GPL3 is exactly because not all copyright holders could agree on changing the license, which means that even if your contributions aren't the majority they still belong to you.

sharpninja commented 2 years ago

It's funny how people are arguing here about how to take ownership of this repository from its rightful owner.

My thoughts exactly!

lannonbr commented 2 years ago

@DABH are you in talks with GitHub to at least possibly get write access to this repository, given that a large amount of content that is not constructive and is harmful is being spread through the issue & PR listings?

DABH commented 2 years ago

Yes

jdnewman85 commented 2 years ago

Sounds like github needs to overhaul their permission system to be more accurate. Remove the Delete Repo and rename buttons. Maybe install a poll system that asks the users whether the repo owner can merge a commit?

A ban of the MIT license might be in order. It erroneously states: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

Where the actions here seem to show that repo owners are required to not have any breaking changes. If anyone running on latest has issue, or I guess enough people?, then this seems to be a reason to take control of their account.

Now we know.

sharpninja commented 2 years ago

You, sir, are spot on. However, if the FOSS community really wants to destroy copyright they will inadvertently completely neuter all copy left licenses.

derrickmehaffy commented 2 years ago

Code and distribution of said code are two very different things. Yes, the lead maintainer of an MIT licensed project is entitled to their code, but they are not entitled to its distribution. NPM/GitHub/Microsoft are well within their rights to remove versions based on their AUP, specifically acceptable content: https://docs.npmjs.com/policies/open-source-terms#acceptable-content

Likewise NPM reserves full right to remove any package or version they believe to violate their AUP: https://docs.npmjs.com/policies/open-source-terms#your-content

That being said, the package name does legally belong to the account that created it unless it's transferred or is stale for a period of time.

If you aren't sure on this you can always just email GitHub's or NPM's legal teams.

r-bird commented 2 years ago

Allowing this means corporations like Microsoft, which runs GitHub if you had been living under a rock recently, can just ban someone and transfer their repositor(y|ies) to another user deemed more worthy of being able to speak out.

It has been allowed and still is by publishing the code under the MIT license. Feel free to read it.

Copyright isn't a black or white matter: the code he wrote IS in fact his.

Actually it is. Yes, the code he wrote is his, but he gave everyone the right to do whatever they want with it (except remove the copyright notice and text of the original license). Even Microsoft and others. They may even take the code, reserve all rights (take responsibility), ship it with their product and make big money.

So if you want to have a stricter license, fork the repository, add some lines of code and apply a GPL license. I doubt anyone is going to use your fork, but you may publish it.

nocturn9x commented 2 years ago

That was not my point! I wasn't referring to licensing matters, but to how Microsoft can just shut someone down because they don't like their commits, which is incredibly scary to me

ClaudiuCeia commented 2 years ago

Also, @DABH you didn't clone the repo, you just uploaded it as if it was yours. I don't like those moves.

I don't get it, are you complaining about the GitHub UI not showing it's a fork? There's functionality built around forks that would get in the way if it was still being marked as a fork. Regardless, your statement is misleading at best, anyone can go check the commit history, the history wasn't rewritten in any way.

Also, @DABH seems to have been the guy making sure things go smooth since about 2014 with this project, it's as much "his" as it is Marak's.

[Screenshot: Pulse · Marak/colors.js, taken 2022-01-12]

nocturn9x commented 2 years ago

Exactly. It's ALSO Marak's repo, so transferring it without his consent is outright theft.

r-bird commented 2 years ago

This is not even settled yet and I doubt Microsoft will do that.

In my opinion this repository should be as broken as the owner intended and https://github.com/DABH/colors.js should become the official source for NPM.

nocturn9x commented 2 years ago

I agree too.

r-bird commented 2 years ago

That was not my point! I wasn't referring to licensing matters, but to how Microsoft can just shut someone down because they don't like their commits, which is incredibly scary to me

Actually I agree with Microsoft on this matter. GitHub has community guidelines and willingly breaking a repository with more than one contributor is what I consider breaking the rules.

So Microsoft is allowed to remove the content and suspend (or terminate) the user account. The owner may still keep his source code where ever he saved it and re-publish it. GitHub is just a hosting platform.

sharpninja commented 2 years ago

Just because a company makes a claim in a contract doesn't mean that the claim is valid or legal. In this case, the dev self-published a version of his copyrighted work with the intention of superseding prior versions (if superseding is not intended then why use a new version number that would indicate the newest version to be used?) The hosting provider decided to remove the new version (which is in their rights), but replaced it with an older version under the same name, thus hijacking the creator's intellectual property with what they want people to use against the wishes of the actual owner of the title.

This would be like a church selling a new version of their Holy Bible translation and Amazon pulling it and placing the old version back in circulation. Now you have Amazon distributing a document that they do not own under the name of the Church that does not want that version to be distributed any longer. If this is allowed to go unchallenged then copyright will become null and void.

The Sharp Ninja GH: @sharpninja

nocturn9x commented 2 years ago

The fact that they legally can doesn't mean they should be allowed to. They're a private platform, sure, but do we really want to give tech corps like this so much power? Plus, what breakage of ToS would that fall under?

sharpninja commented 2 years ago

GitHub and MS aren't the issue. They are completely in their rights to make a decision to squelch a dissenting voice on their platform. All of the commits are still in place, so they didn't modify his intention. NPM is the org on the slippery slope.

The Sharp Ninja GH: @sharpninja

nocturn9x commented 2 years ago

Couldn't have said it better myself (sorry for the lack of tags, I'm replying via email)

jdnewman85 commented 2 years ago

It is a bad idea for many reasons to use the latest of someone else's repo. IMO, every person complaining here needs to rethink their practices/setup. You are putting your projects, companies, etc. at risk. Fork/Import your own known(ish) good versions. Pin your versions.

The owner of a repo could decide to make breaking changes at will. That's their decision (or should be). Neither using nor committing to a project should give you any additional power. If you want to do it differently, fork/import.

Follow recommended professional practices and it wouldn't have been a problem. 🤷🏼

If he'd caused it to delete your files or something - I might agree. However, I very much feel like any change to the functionality of a project under someone's control... shouldn't ever break the MIT license. None of you were provided WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, but because of your poor practices, you're trying to force someone to provide that WARRANTY...OF FITNESS FOR A PARTICULAR PURPOSE.

End of my 2c

nocturn9x commented 2 years ago

Precisely

r-bird commented 2 years ago

what breakage of ToS would that fall under?

I don't think DABH's work and effort are respected by just deleting all the work he submitted in the last four years. One could say he (or the community) was bullied.

This would all be totally different, if the owner were the only developer. But in this case he was not even active for years and DABH de facto was the owner of the project.

nocturn9x commented 2 years ago

what breakage of ToS would that fall under?

  • Respect each other
  • Bullying
  • Disrupting the experience of other users

I don't think DABH's work and effort are respected by just deleting all the work he submitted in the last four years. One could say he (or the community) was bullied.

This would all be totally different, if the owner were the only developer. But in this case he was not even active for years and DABH de facto was the owner of the project.

That's a stretch at best. No one said they couldn't fork the repository. No one said that if you commit to a repo that its owner can't delete your changes. This is not a ToS violation at all, it's Microsoft being Microsoft and incompetent JavaScript developers that are not pinning their dependencies correctly

r-bird commented 2 years ago

No one said they couldn't fork the repository. No one said that if you commit to a repo that its owner can't delete your changes. This is not a ToS violation at all

Microsoft has the "householder's rights" and may decide how to interpret the ToS. And it did.

retarded JavaScript developers that are not pinning their dependencies correctly

That's not the point and no reason to become disrespectful.

nocturn9x commented 2 years ago

That's not the point and no reason to become disrespectful.

It actually is. Marak didn't disrupt previous versions of his package. He made a new release, and I'd argue this was actually a perfect example of how companies don't follow best practices. GitHub had no rights to do what they did, but feel free to believe otherwise

DanielRuf commented 2 years ago

It is a bad idea for many reasons to use the latest of someone else's repo. IMO, every person complaining here needs to rethink their practices/setup.

@jdnewman85 this is not quite right. In the software world Semantic Versioning selectors like ^ and ~ pick up any patch and minor releases so upstream packages can get these (especially important security patches) without unpinning or releasing new versions for all packages between the affected package and colors for example. Most don't use latest (which is a tag which has to be set manually in most cases). You can not pin everything and often this also introduces new problems.
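An added illustration (not code from colors.js or from anyone in this thread) of the resolution behaviour DanielRuf describes, and of what the removal of the offending versions that DABH reports in the opening update does to it: a minimal resolver for the ^, ~ and exact selectors, run against a constructed registry in which 1.4.2 stands in for a sabotaged patch release. All version numbers and the registry contents are constructed examples, not the real colors release history.

```javascript
// Minimal semver resolver for the three selector styles found in package.json:
// "^x.y.z", "~x.y.z" and an exact "x.y.z". Added example; versions are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric tuple compare; a prerelease sorts below the release it precedes.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Exclusive upper bound implied by ^ or ~ on a base version.
function upperBound(op, base) {
  if (op === '^' && base.major > 0) {
    return { major: base.major + 1, minor: 0, patch: 0, pre: null }; // any new minor/patch
  }
  if (op === '^' && base.minor === 0) {
    return { major: 0, minor: 0, patch: base.patch + 1, pre: null }; // ^0.0.z pins the patch
  }
  // ~x.y.z, and ^0.y.z with y > 0, both allow patch-level changes only
  return { major: base.major, minor: base.minor + 1, patch: 0, pre: null };
}

// Does `version` satisfy the single selector `range`?
// A range without a prerelease tag never matches a prerelease, as npm does it.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (v.pre !== null) return false;
  const op = range[0];
  const hasOp = op === '^' || op === '~';
  const base = parseVersion(hasOp ? range.slice(1) : range);
  if (!hasOp) return compare(v, base) === 0; // exact pin: only that one version
  return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
}

// npm's rule: install the highest available version that satisfies the range.
function resolve(range, available) {
  const matches = available.filter((v) => satisfies(v, range));
  if (matches.length === 0) return null;
  return matches.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Constructed registry state; 1.4.2 stands in for a sabotaged patch release.
const REGISTRY = ['1.3.0', '1.4.0', '1.4.1', '1.4.2', '1.4.3-beta.1', '1.5.0', '2.0.0'];
const KNOWN_BAD = new Set(['1.4.2']);

// What each selector in package.json would pull from the registry, before and
// after the registry operator removes the bad version (what npm did for colors).
function installPlan(registry, bad) {
  const afterRemoval = registry.filter((v) => !bad.has(v));
  return {
    caret: resolve('^1.4.0', registry),            // '1.5.0': a minor nobody audited
    tilde: resolve('~1.4.0', registry),            // '1.4.2': picks up the bad patch
    exact: resolve('1.4.0', registry),             // '1.4.0': pinned, unaffected
    tildeAfterRemoval: resolve('~1.4.0', afterRemoval), // '1.4.1': once 1.4.2 is gone
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(installPlan(REGISTRY, KNOWN_BAD));
}
```

The exact pin is the only selector that stays put when a new patch appears, which is the trade-off DanielRuf raises: it also stays put when that patch is a security fix, so the pin needs a review process behind it (a lockfile plus audit tooling) rather than being set and forgotten.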

DanielRuf commented 2 years ago

you're trying to force someone to provide that WARRANTY...OF FITNESS FOR A PARTICULAR PURPOSE

@jdnewman85 one last point that I want to clarify. The changes have led to a DoS in projects, which by definition is also a security issue. Snyk also has an entry for this: https://security.snyk.io/vuln/SNYK-JS-COLORS-2331906

And there is also a CVE (CVE-2021-23567) now: https://github.com/Marak/colors.js/issues/285#issuecomment-1010949214

So this has also burned some CPU resources in CI pipelines, on the computers of small developers and other opensource projects.

The motivation and the actual actions are a completely different topic. Especially if you read the news from 2020 what happened with the maintainer.

I don't think that a part of the community wants to force the maintainer to provide the warranty. In general the whole discussion is way too heated. I often recommend in projects owned by one single maintainer (by creating an issue and describing my concerns) that such projects should be moved to some org and more maintainers invited. The truck factor is often an issue, and hoarding projects on your personal account with many stars and dependents just for fame is often not the best solution (I had cases where the maintainers unfortunately died and so did the projects).

leandrojo commented 2 years ago

The license of an MIT project allows copying it and all platform rights were lost by Marak when they did not follow the terms. Therefore, the change to @DABH, the most active member, is valid.

nocturn9x commented 2 years ago

Copyright isn't lost, EVER. Read the license terms, thanks.

TechStudent10 commented 2 years ago

@DABH Are faker and colors the only major NPM repos that are in @Marak's possession?

DABH commented 2 years ago

Those are the only two I’ve heard in the news, but I haven’t looked. My only interest is in making sure colors is taken care of, so I have no desire to do any investigation or action beyond colors.

TechStudent10 commented 2 years ago

Understood. Just wondering.

ethnh commented 2 years ago

In my opinion this repository should be as broken as the owner intended and https://github.com/DABH/colors.js should become the official source for NPM.

Exactly my thoughts too, NPM only really acts as a distribution platform;

We don't need to remove this repository from Marak's account to resolve this issue, forks already exist, and one can make their own fork in a matter of minutes. The only action I'd think would be reasonable (if any) to this repository is to archive it -- Marak can always un-archive it in the future (assuming he is not suspended) and continue development on the original repo, should he choose so

People can continue to use this repo as the official source for colors.js if they wish ( https://www.pluralsight.com/guides/install-npm-packages-from-gitgithub ), but I would find it unlikely that most NPM users would want to install colors from this repo knowing the owner had already once intentionally broken the code

sharpninja commented 2 years ago

Any solution that strips Marak of ownership of the package name would be illegal.

TechStudent10 commented 2 years ago

Any solution that strips Marak of ownership of the package name would be illegal.

@sharpninja how?

sharpninja commented 2 years ago

Copyright is established law both domestically and internationally. Copyright is not a license, it is ownership. Taking away someone's property is theft.

TechStudent10 commented 2 years ago

Copyright is established law both domestically and internationally. Copyright is not a license, it is ownership. Taking away someone's property is theft.

Well I guess that's true.

derrickmehaffy commented 2 years ago

This is correct, stripping the package name would violate a legally binding agreement between Marak and NPM.

No one is suggesting this repo be moved to someone else; forking (with or without using GitHub's built-in fork process) is 100% okay under MIT.

What Marak did is 100% a security vulnerability and it was correct for NPM to remove the version on that grounds alone, not to mention their AUP/ToS on acceptable content. They could even terminate his account just as GitHub is allowed to. You accept this when you use the platform and check the box agreeing to those terms.

The only step forward here is forking the code and releasing a new package. Regardless of what was done, it's in the past and it's time to move forward. Bickering about "big corps" etc. does nothing; if we want to prevent this in the future then we put the package under a multi-maintainer org and be done with it, contribute as a community so no one person has control and can repeat these actions.

If you don't like how GitHub/NPM operate, there are alternatives to both. Self-hosted ones at that.

sharpninja commented 2 years ago

Any solution that strips Marak of ownership of the package name would be illegal.

@sharpninja how?

The closest thing I can think of would be eminent domain, but that would make the legal owner a municipality, likely the one where he lives, and they would become responsible for the package. They could in turn sell it at auction if they did not want that responsibility, but there is no law that I know of where a judge could transfer ownership to a non-government entity.

sharpninja commented 2 years ago

The only step forward here is forking the code and releasing a new package.

Agreed. People need to be forced to use a different package or use Marak's published package, not a package that NPM decides on.

jdnewman85 commented 2 years ago

@jdnewman85 this is not quite right. In the software world Semantic Versioning selectors like ^ and ~ pick up any patch and minor releases so upstream packages can get these (especially important security patches) without unpinning or releasing new versions for all packages between the affected package and colors for example. Most don't use latest (which is a tag which has to be set manually in most cases). You can not pin everything and often this also introduces new problems.

You open your project and company to these attacks by not forking/importing these into your own (possibly private) repos. Just because your particular tools aren't capable - it's no excuse.

On your next post regarding DoS and what all was impacted: please see the MIT license. Just because you've made your project dependent on something doesn't mean you get to subvert the license you agreed to.

Done with this whole issue/thread. It's ridiculous. If you don't want to be subject to a particular person's whim, don't go including their repos in your builds. It's their choice to make breaking changes. If you can't figure out how to do that - I at least hope you're working on personal projects and not a part of a larger org. 🙏🏼