Zalgo issue with v1.4.44-liberty-2 release #285

Open
Marak opened this issue Jan 8, 2022 · 290 comments
Comments

@Marak (Owner) commented Jan 8, 2022

It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors.

Please know we are working right now to fix the situation and will have a resolution shortly.


@Marak Marak pinned this issue Jan 8, 2022
@Offroaders123 commented Jan 8, 2022

Woah, crazy bug! Glad to know you are working on it.
Just reinstalled the Live Server package because I came across this while trying to host a project over localhost. Tracked my way to the new american.js file here in your project because something related to this issue happened while starting the server. Really freaked me out! 😂


@Offroaders123 commented Jan 8, 2022

Alright, figured out how to temporarily fix the issue for use with Live Server.
The package.json for Live Server has Colors.js set to use the newest possible version available, latest, so I changed it back to the most recent Colors.js version that didn't have the issue, 1.4.0. Just thought I'd share a fix for anyone else that may also run into this too 👍

@niknbr commented Jan 8, 2022

👋 Hi
Seems like it was introduced because of this infinite loop

@Marak (Owner, Author) commented Jan 8, 2022


Still trying to figure out what happened. I think we may have tried to upgrade to JavaScript 6 but the CI system only supports JavaScript 5 and lower.

@Offroaders123 commented Jan 8, 2022

Is it an option that, in the meantime, you could revert your project back to 1.4.0, the release before the new change was introduced? This seemed to fix all of the issues on my end. A lot of large projects appear to be requiring your dependency, and they have the version number set to use the latest release.

@Marak (Owner, Author) commented Jan 8, 2022


We've been up all night trying to work out a solution for this Zalgo bug and are still coming up short.

As much as we'd like to revert back to a previous working version, we strongly feel it's best if we can fix the actual problem instead of going back in time.

HACKERMAN'S HACKING TUTORIALS - How To Hack Time
https://www.youtube.com/watch?v=KEkrWRHCDQU

@Offroaders123 commented Jan 8, 2022

Yeah, changing the version number to an older release would fix it, but there are many projects out there that haven't been updated in multiple years; I don't think the devs for them will be around to change the Colors.js dependency not to use latest any time soon. Live Server could be an example. (This message was in reply to the one above.)

@mdonnalley commented Jan 8, 2022

@Marak can you please promote the last working version to latest? I understand that you'd rather fail forward but our package is completely unusable because of this bug

@Marak (Owner, Author) commented Jan 8, 2022


I'm all out of ideas here. It's been a long night and I do have to begin to prepare soup for Sunday church services tomorrow. I'll try to come back to this Monday if time permits.

Perhaps one of other maintainers can assist?

@substack @dominictarr and @tj should all have publishing access to NPM.

@DABH (Contributor) commented Jan 8, 2022

@Marak, it looks like you removed me from this repo so I'm unable to help. I can only imagine everything you're going through right now, but there are a bunch of other OSS devs like you who get hurt by pranks like this, rather than the big tech elite etc. that I think you are trying to go after. I'd be happy to help here, but please be willing to not harm the folks who would otherwise be on your side.

@Darker-Ink commented Jan 8, 2022

Best Bug though. You for sure should keep it in 👍 makes the console look cooler in my opinion.

@nbarikipoulos commented Jan 8, 2022

In the package-lock file we trust, and I will trust it even for simple projects...

@trusktr commented Jan 8, 2022

Hello whoever is behind this Marak account. Imagine if you turned your skill into making products for average humans that don't code, to improve their lives in big ways, leaving a bigger and longer lasting memory of what you've done... Bombs won't have as big of an impact in today's world.

@heisian commented Jan 8, 2022

💋

@DanielRuf commented Jan 8, 2022

For anyone who is affected, here are ways to check which packages have to pin the version (the ones which directly use colors):

for npm:

npm ls colors

for yarn:

yarn why colors

In some cases you can use resolutions:
https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/
https://www.npmjs.com/package/npm-force-resolutions

And in some you can easily apply a patch to remove the relevant code parts with patch-package: https://www.npmjs.com/package/patch-package
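The check described above, worked through offline as an added example that is not part of the thread or of the colors.js project: a Node script that walks a package-lock.json, lists every installed copy of colors, attributes each copy to the dependency that pulled it in (the packages whose version has to be pinned), and emits the pin fragment for yarn's resolutions and npm's overrides (an npm 8.3+ feature the thread does not mention). The lockfile, the package other-tool and all version numbers except 1.4.44-liberty-2 and 1.4.0 are constructed for the example.

```javascript
// Added example, not from the thread or the colors.js project: audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for every copy of
// "colors", report which dependency pulled each copy in, and build the
// "resolutions"/"overrides" fragment that pins it to a known-good version.
'use strict';

const PACKAGE = 'colors';
// Versions named in the thread: the affected release and the last good one.
const AFFECTED_VERSIONS = new Set(['1.4.44-liberty-2']);
const SAFE_VERSION = '1.4.0';

// Constructed sample lockfile. "other-tool" is hypothetical and every version
// number except the two colors versions above is made up.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'live-server': '^1.0.0', 'other-tool': '^2.0.0' } },
    // Declares "colors@latest", so it picked up the hoisted copy below.
    'node_modules/live-server': { version: '1.0.0', dependencies: { colors: 'latest' } },
    'node_modules/colors': { version: '1.4.44-liberty-2' },
    // Pinned its own nested copy, so it is unaffected although the hoisted copy is bad.
    'node_modules/other-tool': { version: '2.0.0', dependencies: { colors: '1.4.0' } },
    'node_modules/other-tool/node_modules/colors': { version: '1.4.0' },
  },
};

// Mimic Node's resolution: look for <from>/node_modules/<name>, then walk up
// one node_modules level at a time until the top-level "node_modules/<name>".
function resolveFrom(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Every package whose declared dependency on `name` resolves to `entryPath`.
function dependentsOf(packages, entryPath, name) {
  const out = [];
  for (const [p, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (!(name in deps)) continue;
    if (resolveFrom(packages, p, name) === entryPath) {
      out.push({ path: p || '(root project)', range: deps[name] });
    }
  }
  return out;
}

// One finding per installed copy of `name`, flagged when its version is affected.
function auditLockfile(lock, name, affected) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    findings.push({
      path,
      version: meta.version,
      affected: affected.has(meta.version),
      dependents: dependentsOf(packages, path, name),
    });
  }
  return findings;
}

// Yarn reads "resolutions", npm 8.3+ reads "overrides"; both take this shape here.
// Returns null when no installed copy is affected, so nothing needs pinning.
function suggestPins(findings, name, safeVersion) {
  if (!findings.some((f) => f.affected)) return null;
  return { resolutions: { [name]: safeVersion }, overrides: { [name]: safeVersion } };
}

function formatReport(findings) {
  return findings
    .map((f) => {
      const via = f.dependents.map((d) => `${d.path} (wants ${d.range})`).join(', ') || 'nothing';
      return `${f.affected ? 'AFFECTED' : 'ok      '} ${f.path}@${f.version} via ${via}`;
    })
    .join('\n');
}

const findings = auditLockfile(SAMPLE_LOCK, PACKAGE, AFFECTED_VERSIONS);
console.log(formatReport(findings));
console.log(JSON.stringify(suggestPins(findings, PACKAGE, SAFE_VERSION), null, 2));
```

Point the script at a real lockfile by replacing SAMPLE_LOCK with JSON.parse of its contents; a package that still declares a range like latest is the one that needs the pin or the override.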

@timleg002 commented Jan 8, 2022

> Or check one technology called Haskell; you could even write pure (determined) IOs using one thing called Monads 🤣 It's big fun. Then you could run code that never ever breaks; having a century of technology under your fingertips would then be possible. Look how https://negativespace.co/iphone-woman-hands-touch/

all haskell evangelists are now rust evangelists, you're stuck in time bro

@cinderblock commented Jan 8, 2022

What are we, the confused internet, missing here? What's going on? Is this some sort of April Fools' joke? Are you trying to get developers to not use @latest tags when installing dependencies?

@sbmelvin commented Jan 8, 2022

So has a successor to colors.js been decided yet?

@cinderblock commented Jan 8, 2022

@DanielRuf Yeah, I'm not going to go sleuthing around trying to find the relevant story. A lot just point back here but all I see are what look like inside jokes. Thank you for the HN link.

I see that faker.js is related but it looks like the original post the HN post is about has been deleted along with the repository. I've got to go back to the Way Back Machine to get some details: https://web.archive.org/web/20210704022108/https://github.com/Marak/faker.js/issues/1046


@sbmelvin I like chalk

@slavanomics commented Jan 9, 2022

Absolute legend for this, thank you Marak, don't let anyone tell you otherwise.

@Marak (Owner, Author) commented Jan 14, 2022

It's been three days and I still have not heard back from Github Support.

I fear that colors.js v2.2.2 ( Over 9000 Smiles Edition ™ ) will never be published.

I ask you, the Nameless Faceless Lords of Github Support ( currently a regent of the Microsoft Imperium ): Who are you to deny the glorious citizens of colors.js over 9000 smiles??? Need I remind you that colors.js supports ALL ANSI Escape Codes and has FULL tty support?

I'll have you know I've already contacted my secret network of 64th Level Dwarf Paladins at the Electronic Freedom Foundation. As you read this they are in the midst of drafting a Pull Request the likes of which the world has never seen before. This pull request will be written entirely in the Holy C Programming Language. This pull request will contain over 144,000 custom Node.js modules, each one greater than the next. The sheer act of witnessing the magnificence of this Pull Request will cause all tests on all Continuous Integration servers to fail. Travis CI himself will be banished to the land of SourceForgia for 1,000 years.

To ensure that this Pull Request will be merged: I have compiled Temple OS in a VMWare virtual machine over 9000 times. I have read the Holy C documentation 33 times. I have personally built a shrine to Terry A. Davis consisting of Gold, Silver, and 1980s M.U.S.C.L.E Men collectable figurines.

9/11, never forget
I am the one who commits
I am the one who forks
I AM THE ONE WHO OPENED THE SOURCE


@notwedtm commented Jan 14, 2022

> @notwedtm my friend. It doesn't help at all, what you are doing. I didn't write tests yet for that and it is not supposed to go to production in such a state. And when I set up tests it is not for npm packages only; I will simply ping the website to help myself not to panic so. Or I will be a company hopefully and hire a "test engineer" (in fact I would never hire a full-timer for a profile that doesn't exist ~ test engineer, god bless)

Ah, that makes it all okay then. Carry on.

@renhiyama commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.

Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎

@Solixity commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.
>
> Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎

And I'm an owner of @labdiscord. Most of us are owners of an organization. Humble yourself... and what the hell is RovelStars anyways?

@TechStudent11 commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.
>
> Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎
>
> And I'm an owner of @labdiscord. Most of us are owners of an organization. Humble yourself... and what the hell is RovelStars anyways?

And what's LabDiscord?

@Solixity commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.
>
> Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎
>
> And I'm an owner of @labdiscord. Most of us are owners of an organization. Humble yourself... and what the hell is RovelStars anyways?
>
> And what's LabDiscord?

It's officially called "Discord Labs" but someone else has discordlabs/discordlab, last I checked. We're creating tools to make the developer side of Discord better, such as tools that help with bot analytics, of course our general Bot List, and soon enough we're planning to release Widgets for both bots and users.

@csvan commented Jan 14, 2022

Are there like 10 sock puppet accounts arguing with each other here or am I high?

@TechStudent11 commented Jan 14, 2022

> Are there like 10 sock puppet accounts arguing with each other here or am I high?

yes and idk why

@TechStudent11 commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.
>
> Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎
>
> And I'm an owner of @labdiscord. Most of us are owners of an organization. Humble yourself... and what the hell is RovelStars anyways?
>
> And what's LabDiscord?
>
> It's officially called "Discord Labs" but someone else has discordlabs/discordlab, last I checked. We're creating tools to make the developer side of Discord better, such as tools that help with bot analytics, of course our general Bot List, and soon enough we're planning to release Widgets for both bots and users.

Oh, that's actually pretty cool.

@TechStudent11 commented Jan 14, 2022

@dustinlw1987 what's up with the disliking?

@Marak (Owner, Author) commented Jan 14, 2022

> Are there like 10 sock puppet accounts arguing with each other here or am I high?
>
> yes and idk why

it's probably the sentient ai i accidentallied on FAANG last year

@TechStudent11 commented Jan 14, 2022

> Are there like 10 sock puppet accounts arguing with each other here or am I high?
>
> yes and idk why
>
> it's probably the sentient ai i accidentallied on FAANG last year

um okay?

@Solixity commented Jan 14, 2022

> Are there like 10 sock puppet accounts arguing with each other here or am I high?
>
> yes and idk why
>
> it's probably the sentient ai i accidentallied on FAANG last year
>
> um okay?

just smile, nod, and give the man a thumbs up while everyone figures out what's going on.

@notwedtm commented Jan 14, 2022

> @notwedtm my friend. It doesn't help at all, what you are doing. I didn't write tests yet for that and it is not supposed to go to production in such a state. And when I set up tests it is not for npm packages only; I will simply ping the website to help myself not to panic so. Or I will be a company hopefully and hire a "test engineer" (in fact I would never hire a full-timer for a profile that doesn't exist ~ test engineer, god bless)

Either way, I've submitted a PR to address several vulnerabilities in your software. Hopefully, this leads to your application being more secure, and to you learning about the novel attack vectors that newer developers don't often consider.

bacloud22/Classified-ads-48#82

@renhiyama commented Jan 14, 2022

> @notwedtm again, you don't make a website if you don't do this basic test: ping that endpoint before each appointment. And yes, only "anonymous" people, as you've said, are supporting Marak and not big greedy companies doing ads for web 3.0 who don't even know where we are heading: like making a VR app without knowing anything about computers. Are you proud of them not supporting people who contributed that much to open source? Are you OK with this, really? What a weird logic to have.
>
> Yes. I am 100%, perfectly okay with Microsoft FOLLOWING THE LAW.
>
> This project was licensed BY @Marak in a way that allowed Microsoft to do exactly what they did. If @Marak didn't want Microsoft to do that anymore:
>
> 👏 CHANGE 👏 THE 👏 LICENSE 👏
>
> It's not hard. It happens every day. A simple commit changing the license to AGPLv3 would have got Marak exactly what he was looking for.

Do you realise that people already have forks of the old version? And they can easily promote that their fork can be used by Microsoft and others easily? Thus defeating the AGPL license.

@renhiyama commented Jan 14, 2022

> I trust @Marak still now, and will do in the future! Don't dislike this comment, you guys, if you don't support him; it's my personal opinion and I have the right to support him, and he has the right to make and destroy code. More happy because this method did SHAKE the whole of social media and the blogs, and his message to Fortune companies definitely went to them!
>
> The vast majority of "support" comes from anonymous accounts with little to no contributions to open source themselves. You have continued to shill and throw random support towards Marak with no understanding of what "trust" is.
>
> You say you "trust" Marak still now. What do you "trust" him to do?
>
> At this point, I'm convinced you are just an alt account of Marak's that is being used to stir the pot.
>
> Me? An alt? Oh, I didn't know I had the chance to call myself such a popular person! Anyways, I am the owner of the @rovelstars org. Deal with it 😎
>
> And I'm an owner of @labdiscord. Most of us are owners of an organization. Humble yourself... and what the hell is RovelStars anyways?
>
> And what's LabDiscord?
>
> It's officially called "Discord Labs" but someone else has discordlabs/discordlab, last I checked. We're creating tools to make the developer side of Discord better, such as tools that help with bot analytics, of course our general Bot List, and soon enough we're planning to release Widgets for both bots and users.
>
> Oh, that's actually pretty cool.

I didn't mean to be proud of my work, but I just proved to him that I'm not a freaking alt of Marak. I am just a regular guy who loves OSS and wants to raise awareness about Aaron Swartz.

@notwedtm commented Jan 14, 2022

> @notwedtm again, you don't make a website if you don't do this basic test: ping that endpoint before each appointment. And yes, only "anonymous" people, as you've said, are supporting Marak and not big greedy companies doing ads for web 3.0 who don't even know where we are heading: like making a VR app without knowing anything about computers. Are you proud of them not supporting people who contributed that much to open source? Are you OK with this, really? What a weird logic to have.
>
> Yes. I am 100%, perfectly okay with Microsoft FOLLOWING THE LAW.
> This project was licensed BY @Marak in a way that allowed Microsoft to do exactly what they did. If @Marak didn't want Microsoft to do that anymore:
>
> 👏 CHANGE 👏 THE 👏 LICENSE 👏
>
> It's not hard. It happens every day. A simple commit changing the license to AGPLv3 would have got Marak exactly what he was looking for.
>
> Do you realise that people already have forks of the old version? And they can easily promote that their fork can be used by Microsoft and others easily? Thus defeating the AGPL license.

This is 100% correct, and exactly the way it should be. That's what open source means, and that's what happens when you pick a license that legally allows this. Don't enter the game if you don't understand the rules.

Take a look at the contributors of this repo. Why do we think @Marak deserves to shit on the work of the 30-plus other contributors? He made no contributions for years before pushing this mess. Is it because he was the first to use the name? Why does he get to unilaterally decide on the fate of the hard work of those other people?

@renhiyama commented Jan 14, 2022

And now I am both in support of and against Marak.
Summing up whatever comments I have read here: Marak definitely made Fortune companies notice him and his work. Can we just learn this fact: before this zalgo thing came along, nobody knew Marak. Honestly. But he was a building pillar of such a big community. Then 3 days ago, we all started noticing him for his bad deeds. Can't we ask him for an apology just once? I think it's not right to say "fuck off Marak" to him because we never thanked him in the first place.

Now, against: as pointed out by someone above, e.g. a doctor could have cancelled so many appointments, and so many patients could have died due to this... This way was definitely not the correct way to raise awareness... But this way DID raise awareness; I have seen countless blogs and news about Marak now, including Snyk blogs too. He has written history, but not in golden letters, in dark black letters. Sorry Marak. Open source is not the way to go if you want to earn a living.

@notwedtm commented Jan 14, 2022

> And now I am both in support of and against Marak. Summing up whatever comments I have read here: Marak definitely made Fortune companies notice him and his work. Can we just learn this fact: before this zalgo thing came along, nobody knew Marak. Honestly. But he was a building pillar of such a big community. Then 3 days ago, we all started noticing him for his bad deeds. Can't we ask him for an apology just once? I think it's not right to say "fuck off Marak" to him because we never thanked him in the first place.
>
> Now, against: as pointed out by someone above, e.g. a doctor could have cancelled so many appointments, and so many patients could have died due to this... This way was definitely not the correct way to raise awareness... But this way DID raise awareness; I have seen countless blogs and news about Marak now, including Snyk blogs too. He has written history, but not in golden letters, in dark black letters. Sorry Marak. Open source is not the way to go if you want to earn a living.

You are absolutely correct. The fact that @Marak took this approach should not "cancel" his massive contributions to the open-source community. It is sad and unfortunate that he did not receive accolades appropriate to his contributions, and that should absolutely be addressed.

Voluntarily contributing to open source is not a requirement. Likewise, doing so with an expectation of surviving and living off of it is a very risky approach. Should there be a more concerted effort to provide financial stability to these contributors? Absolutely. Was there ever a guarantee or a promise that was made and not kept to do so? No.

Some places exist already to close the gap in this regard. Places like opencollective.org, which shows that @Marak has received a not-insignificant amount for his work. (https://opencollective.com/marak)

Should it be more? Almost certainly.
Does it justify what was done? Absolutely not.
Did @Marak really do anything to those mega corps that he has been slighted by? No. They did exactly what everyone else in this thread has suggested, forked the repo, and moved on. It wasn't even a blip on their radar.

@hello-smile6 commented Jan 15, 2022

> If someone wants to tarnish his reputation and burn all his work to JUST MAKE A POINT, more power to him. Now his action is felt across the tech community and beyond. People and corporations now need to think twice before using open source stuff. What are the underlying problems his action showed us?
>
>   1. It is hard to make a comfortable income with open source.
>   2. Big corporations profit from open source projects and pay so little. (Apple sent a tech-support inquiry from its paying customer to curl, an open source project.)
>   3. I never needed to know who made my life easy by providing their code for free. I never needed to pay or thank them. I just needed the code to work. Am I in the minority?
>
> People knew about the problems. Now more people are aware of the problems at the expense of Marak, REGARDLESS of his intention. Yes, it caused some people some inconvenience. That individual inconvenience is in no way equal to Marak's. What about the collective inconvenience of the entire tech community he caused? So the collective convenience of his work never yielded him enough money and now he SHOULD BE held accountable?
>
> I think many "Zalgos" were bound to happen. And it happened. A solution or not, the tech landscape is a bit different now thanks, or "thanks", to Marak's action.

They did the right thing.

@RoopanV commented Jan 15, 2022

#317 (comment)

Requesting all folks to get handy with an alternative

@hello-smile6 commented Jan 15, 2022

> #317 (comment)
>
> Requesting all folks to get handy with an alternative

Are they planning to DoS people?

@JoneKone commented Jan 16, 2022

If you were an EU citizen you could request a "forget my data".

@jerdoe commented Jan 16, 2022

Many say that Marak hurt the open source community with his latest actions and made people lose confidence in open source software.
But does it not highlight, on the contrary, how great open source is and how much it can be trusted?

Because the source was open, anyone could have it with its whole history of commits and could revert it back to its last working release!
Because of the license, many people used Marak's libs for free, and since they were so widely used, the community took care to provide fixes for everyone (using a fork, or pinning the version). Some private entities also felt obliged to support the open source community; NPM unpublished the broken version.

If from the start these libs had been closed source, would they have been so popular? Would they have been fixed that fast? If the libs had been stuck in the hands of a single private entity, and assuming that someone working there had corrupted/removed all the work done, what would have happened to the users?

However, one should take note that the code could have been deliberately more malicious and damaging: developers using open source libraries should become better aware of good practices, and users of open source software should understand that it is usually provided "as-is" (in spite of a fair amount of certainty that a solution will be provided if it is widely used by the community).

@pravindahal commented Jan 17, 2022

> @bacloud14 my friend, https://github.com/bacloud14/Classified-ads-48/blob/main/package.json does not do version pinning.
>
> Instead of an infinite loop, what if @Marak had decided instead to simply start sending all data in your application to him? Would your tests catch that?
>
> Looking at your repo specifically, it would be pretty easy for any of the authors of the packages you import to own you pretty quickly.

That repo does use package-lock.json, so there is no need for version pinning in package.json.

@hello-smile6 commented Jan 17, 2022

> @bacloud14 my friend, https://github.com/bacloud14/Classified-ads-48/blob/main/package.json does not do version pinning.
> Instead of an infinite loop, what if @Marak had decided instead to simply start sending all data in your application to him? Would your tests catch that?
> Looking at your repo specifically, it would be pretty easy for any of the authors of the packages you import to own you pretty quickly.
>
> That repo does use package-lock.json, so there is no need for version pinning in package.json.

People aren't taught to use npm ci. npm ci should be the default for npm install; the current behavior should require a flag.

@dustinlw1987 commented Jan 17, 2022

@Marak just lost faker.js. The community has taken it from him and rightly so: https://fakerjs.dev/update.html

@hello-smile6 commented Jan 17, 2022

> @Marak just lost faker.js. The community has taken it from him and rightly so: https://fakerjs.dev/update.html

They should've pulled back earlier.
