Just days after my publication of Datafaker.net, an Open Source library to generate fake data for the JVM, on of the libraries by which Datafaker got inspired, Faker.js, decides to pull the plug. The owner of the library, Marak, published a new version of Faker.js with the significant 666 version number, and proceeds to remove the source code.
All of this seems to be mostly caused by some frustration to monetize his Open Source effort, plus a small touch of anti-enterprise sentiment. Marak seems to be a slightly controversial figure, having ran into other issues before in the past, and requested support after this incident.
An interesting video published by Fireship gives a bit of more background on this and can be found here:
update: even the original video got removed!
update2: the video get replaced, it can be found here now. The noticable difference is that now the video has been censored, plus a few other items:
1:41 For non-violent crimes was originally something along the lines of For drug charges
2:07 Instead of this scene it was mentioned that another co-worker of Swartz committed suicide too
2:30 The “GitHub user” details were removed, I’m not sure why
So, Mar…the author of the library, seems to be a bit of character, pull’s Faker.js, and that’s it you’d think. But, alas, no, it seems the saga continues!
A bit of background
Javascript libraries are generally known for the huge amount of dependencies, with interesting consequences when things go wrong. Left-pad was one of these examples, which broke a significant amount of NPM libraries when the author unpublished the library (something which is almost impossible in the Java world), but it’s not limited to that. Due to to the way how most Javascript developers include libraries (“I require a minimum of 0.1.9, and if it’s newer, that’s fine”), any newly published libraries with be included in projects automatically. This behaviour is [madness] ill-advised, and something you’d often encounter in the Java world, but the Javascript world is often a bit more…dynamic.
So, with the above in mind, whenever a Javascript library changes, in general a lot of other libraries are effected. And, in this case, it seems that Marak also owns the colors.js Javascript library, which is a reasonably popular Javascript library with around (22 million downloads per week). The offending commit is this one, which introduced an endless loop targeted at American users, along with an American ASCII art picture and some Zalgo output, which distorts the console quite a bit.
Other Javascript libraries affected
Other libraries which are maintained by Marak are say.js (4500 weekly downloads), play.js (120 weekly downloads), translate.js (doesn’t seem to be listed on npm anymore). So, bases Faker.js and Colors.js, it seems there might be a lower impact on any changes, though ~5000 weekly downloads could still be an interesting disruption.
While searching for Marak’s libraries, I found this npm-test-access library. This library seems to be used for what the name describes: to test access to NPM. Marak seems like a very capable software engineer, and it’s unclear to me why he’d need a package like this. So, this make me personally doubt a little bit if Marak is really behind all of this, or if maybe his account got compromised, or if something else it at play.
Lessons learned
While this is not limited to the Javascript community per se, the Javascript community seems to be most often affected by changes like this, and I personally think there’s a lot to learn from this. For example, some quick wins could be: don’t depend on wildcard dependencies. Not even on minor versions, there’s no reason why changes like this couldn’t be introduced in bugfix releases.
Another change, which requires more work, is to rethink the way software libraries are written. I understand it’s more interesting to develop your own library instead of fixing someone else’s code, but is it really to much to ask to have something like a community maintained version of something like a Java Commons Lang equivalent, which would contain utilities like left-padding, string reversals, etc, but maintained by a team of developers with regular updates, instead surrendering yourself to the whims of a single developer? It’s just maybe something to think about. On the other hand: these developments are quite interesting from an entertainment perspective, so do we really want to take that away? 😉
Further updates
2022-01-10 07:50: 40 minutes ago, a new version of colors.js has been released (1.4.2). Instead of fixing the issue, this adds an endless loop to the safe.js file. So it seems we haven’t seen the last of this.
2022-01-11 09:02: Another update, this time from Marak on Twitter: Marak’s Github account has been suspended, and NPM has reverted his module to the latest version.