Last week, the maintainer of two massively popular npm libraries sabotaged 'colors' and pulled his code from 'faker,' breaking thousands of projects that rely on these libraries. 'Colors' alone has over 19,000 dependents on npm and has been downloaded over 3.4 billion times as of today. And 'faker' has been retrieved 272 million times from the npm registry, with over 2,500 dependents.
The faker "Endgame"
In the change made to 'faker' version 6.6.6, the library's maintainer Marak Squires added a commit titled "Endgame," referencing the late programmer Aaron Swartz who died by suicide.
Screenshot of the faker commit
Similarly, the npm homepage of the package was also altered with the same message by the maintainer:
Screenshot of the faker npm homepage
Faker, meet faker!
As far as anyone could tell, 'faker' had been abandoned by Squires, who had previously written about the challenges of monetizing open source projects.
In a blog post preserved on archive.org, the developer described how he had planned to offer a subscription-based 'Faker Cloud' service to fund the project, but the effort never came to fruition.
Screenshot of the former Faker Cloud homepage
Despite Squires abandoning it, 'faker' appears to be here to stay. Just a few days after the colors and faker sabotage incident, I received a message from Jessica Sachs, an open source developer who is now one of the maintainers of the 'faker' project.
It seems the functional versions of the popular 'faker' library have been forked and are being maintained by a new team at fakerjs.dev. The GitHub repository for the fork is faker-js/faker, and a new scoped package has been published on npm: @faker-js/faker (https://www.npmjs.com/package/@faker-js/faker).
Faker's forked project lives at @faker-js/faker on npm
While Squires still owns both the 'faker' and 'colors' packages, the sabotaged versions of 'colors' have been removed by npm. And the newly maintained Faker fork appears to be gaining traction fast:
Faker update: It's been a week. We've merged all of the active forks. Currently at 1532 stars. Looks like everything is settling. #javascript #faker #fakerjs #opensource #softwaredevelopment pic.twitter.com/xuoKY9Ydk0
— Faker 🐼 (@faker_js) January 14, 2022
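The fork raises a practical question for anyone who still depends on the unscoped package: which lockfiles pull it in, and at which version? The script below is an added example, not code from the article or from the Faker project. It audits an npm lockfile for the unscoped 'faker' package, reports version 6.6.6 (the "Endgame" release named above) as sabotaged and any other version as abandoned upstream, and suggests the scoped fork as the replacement. It handles both lockfile layouts (lockfileVersion 1's nested tree and lockfileVersion 2/3's flat path map) so transitive copies buried under another dependency are found too. The sample lockfiles, including the 5.5.3 nested copy, are constructed for this example, and the function and constant names are my own.

```javascript
// Added example, not code from the article or the Faker project. Audits an npm
// lockfile for the unscoped 'faker' package. Version 6.6.6 (the "Endgame"
// release) is reported as sabotaged; any other version is reported as abandoned
// upstream, with the scoped fork suggested as the replacement. Both lockfile
// layouts are handled: lockfileVersion 1 (nested "dependencies" keyed by name)
// and lockfileVersion 2/3 (flat "packages" keyed by install path).

const SABOTAGED_VERSIONS = { faker: new Set(["6.6.6"]) };
const REPLACEMENT = { faker: "@faker-js/faker" };

// "node_modules/some-lib/node_modules/faker" -> "faker"; scoped names keep their scope.
function packageNameFromPath(installPath) {
  const segments = installPath.split("node_modules/");
  return segments[segments.length - 1];
}

// Returns one finding per installed copy of a watched package.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];

  const record = (name, version, where) => {
    if (!(name in SABOTAGED_VERSIONS)) return;
    findings.push({
      name,
      version,
      where,
      status: SABOTAGED_VERSIONS[name].has(version) ? "sabotaged" : "abandoned-upstream",
      replacement: REPLACEMENT[name],
    });
  };

  if (lock.packages) {
    // lockfileVersion 2/3: the "" key is the root project itself, not a dependency.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === "" || !meta.version) continue;
      record(packageNameFromPath(installPath), meta.version, installPath);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: walk the nested tree so shadowed copies are found too.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        record(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfiles (not real project data). The nested copy of
// 'faker' under some-lib is a transitive dependency that a glance at the
// root package.json alone would not reveal.
const SAMPLE_LOCKFILE_V2 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { faker: "^6.6.6", "some-lib": "1.0.0" } },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/faker": { version: "5.5.3" },
  },
});

const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    faker: { version: "6.6.6" },
    "some-lib": { version: "1.0.0", dependencies: { faker: { version: "5.5.3" } } },
  },
});

for (const f of auditLockfile(SAMPLE_LOCKFILE_V2)) {
  console.log(`${f.where}: ${f.name}@${f.version} is ${f.status}; consider ${f.replacement}`);
}
```

Run it against a real lockfile by replacing the constructed sample with `fs.readFileSync("package-lock.json", "utf8")`. Checking the lockfile rather than package.json matters here: the sabotaged release arrived through a caret range on a transitive dependency for many of the affected projects, and only the lockfile records what was actually resolved.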
Fostering faker
I cheekily asked Jessica what the chances were of this fork also going rogue and being sabotaged. I was told that the new team behind the initiative comprises a group of seasoned open source contributors.
"We're recognized by the Open Collective as the successors to the project and have been working with them every step of the way to do what’s right for the community," said Sachs. "I've written up a statement on behalf of the Faker team explaining the situation and where we stand."
The statement goes over some commonly asked questions about faker's transition, including how it will be funded going forward, and concludes on a positive note:
"We're excited to give new life to this idea and project. This project can have a fresh start and it will become even cooler. We felt we needed to do a public announcement because of all of the attention the project received in the media and from the community. We believe that we have acted in the way that is best for the community."
We may not yet have cracked the larger puzzle of how to sustain the open source community and widely used projects like Log4j. But at least we have a real-world case of a famous and significant open source project being rescued just in time!
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.