- The developer of a pair of widely used open-source code libraries sabotaged them in an apparent act of protest.
- Each library has been downloaded millions of times and is used in thousands of software projects.
- Previously, the developer criticized companies for using the free tools without offering to pay.
A programmer who authored a pair of widely used open-source code libraries reportedly sabotaged their own work in an act of protest against large companies using the work for free.
As a result, some users of the modified code saw their projects crash or print screens of gibberish, the tech news site Bleeping Computer first reported.
Both libraries were hosted on NPM, the package registry owned by GitHub, which appears to have suspended the programmer's account. GitHub is the Microsoft-owned software development platform that many major companies use to organize and share computer code.
One library, called "Colors.js," has over 23 million weekly downloads and nearly 19,000 projects that use it. The other, called "Faker.js," has 2.4 million weekly downloads and over 2,500 projects that use it.
Libraries like Faker.js and Colors.js essentially act as shortcuts for developers, letting them quickly add basic functions to their software without needing to take the time to reinvent the wheel with each new project.
In many cases, developers configure their software to automatically download and use the latest versions of those libraries from registries like GitHub's NPM.
But when something breaks — as happened here — it can cause cascading failures in anything that relies on that library. In 2016, a single programmer broke huge swaths of the internet's underlying software when he deleted an NPM package consisting of 11 lines of code.
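The auto-update behaviour described above comes from version ranges in a project's `package.json`. The following is an added example, not code from the article or from either library: a small audit that checks which released versions a dependency range would accept, so a defender can spot specs that would pull in a new release without review. It implements only exact, `~`, `^` and `*` matching for plain `x.y.z` versions, and every version list below is constructed sample data.

```javascript
// Added example: audit package.json dependency ranges that let `npm install`
// silently pick up a newer release. Supports exact, ~, ^ and * specs on x.y.z.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if `spec` (e.g. "1.4.0", "~1.4.0", "^1.4.0", "*") accepts `version`.
function satisfies(spec, version) {
  spec = spec.trim();
  if (spec === "*" || spec === "latest" || spec === "") return true;
  const op = /^[~^]/.test(spec) ? spec[0] : "";
  const base = parseVersion(op ? spec.slice(1) : spec);
  const v = parseVersion(version);
  if (!op) return compare(v, base) === 0;            // exact pin
  if (compare(v, base) < 0) return false;            // never below the base
  if (op === "~") return v[0] === base[0] && v[1] === base[1]; // patch drift only
  // ^ allows minor and patch drift (for 0.x only patch drift)
  return base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
}

// Report every dependency whose spec accepts more than one published version.
function auditDependencies(pkg, registry) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const accepted = (registry[name] || []).filter((v) => satisfies(spec, v));
    if (accepted.length > 1) findings.push({ name, spec, accepted });
  }
  return findings;
}

// Constructed sample input: a floating range, a wildcard and an exact pin,
// checked against constructed lists of published versions.
const pkg = { dependencies: { colors: "^1.4.0", faker: "*", "left-pad": "1.3.0" } };
const registry = {
  colors: ["1.4.0", "1.4.1"],
  faker: ["5.5.3", "6.6.6"],
  "left-pad": ["1.3.0"],
};
// The pinned form of the same manifest accepts exactly one version per package.
const pinnedPkg = { dependencies: { colors: "1.4.0", faker: "5.5.3", "left-pad": "1.3.0" } };
```

Pinning in `package.json` is only half the fix; committing a lockfile and installing with `npm ci` is what stops a CI build from resolving a newer release on its own.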
Users of the Amazon Web Services Cloud Development Kit shared screenshots of their terminals showing the phrase "LIBERTY LIBERTY LIBERTY" printed three times, followed by a block of unreadable characters.
The programmer behind the libraries also posted an announcement about the Colors library where they shared sarcastic messages as other users sought help fixing the problems it created in their projects.
"As much as we'd like to revert back to a previous working version, we strongly feel it's best if we can fix the actual problem instead of going back in time," he wrote.
One commenter called the move "dependency terrorism," in reference to the downstream projects that rely on code libraries to be maintained in good faith.
Bleeping Computer dug up an earlier post by the programmer that suggests a possible motive for the sabotage.
"I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work," the developer wrote in 2020. "Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it."
The episode reflects the ongoing tension between independent developers who create open-source software for free and large tech companies who integrate that software into for-profit applications and services.
The Faker.js ReadMe page shows that the version number is currently 6.6.6 with the text "What really happened to Aaron Swartz?" — a possible reference to QAnon conspiracy theories that have recently been circulating about the 2013 suicide of the Reddit cofounder.