How a Rogue Developer Ruined Millions of Software (happened this weekend)
TLDR: A software developer who maintains some highly used open-source software decided to go rogue and inject a bug into his own package, making it unusable. This broke every other package (and developer) depending on his software.
Bug Breaks my Software Deployment
Over the weekend, I was deploying some software (to Firebase) with CI/CD pipelines. But for some reason, the pipelines were failing. The failure occurred at this stage of my GitHub Actions workflow:
```yaml
- uses: FirebaseExtended/action-hosting-deploy@v0
  with:
    repoToken: '${{ secrets.GITHUB_TOKEN }}'
    firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_ANTHONYDELLAVECCHIA }}'
    channelId: live
    projectId: anthonydellavecchia
    entryPoint: "./anthonyjdella"
```
This is the visual representation of my failed pipeline:
I then went over to the Firebase Extended GitHub repo to see if anyone else was having similar issues. And yep, many others were experiencing the same issue:
Rogue Developer, Marak
Well, it turns out, Action-hosting-deploy was using a dependency called colors, created by Marak (the rogue developer), which is a tool that colors and styles your Node.js console output. This npm package gets over 20 million downloads per week, so it's very popular! The dependency tree for this GitHub action looks something like this:
- Action-hosting-deploy
  - Firebase-tools
    - cli-table
      - colors (sub-dependency which is causing the issue)
    - winston
      - logform
        - colors (sub-dependency which is causing the issue)
So what? Well, Marak, the creator of colors (mentioned above), added code to his own project to purposely break it: an infinite loop, so that anything loading the package stops working. This is very much intentional and not an accidental bug. It was malicious.
Why is Breaking his own Software Bad?
You may be wondering why breaking his own software is bad. Well, Marak knows that his software is used by other software, so if his breaks, so does theirs. Think of it as a chain reaction. Because of "dependency hell", this affects millions of developers.
Why Did Marak Do This?
Marak was upset that corporations were using his open-source software and not paying for it. It's basically that simple. He posted an article on his blog.
How Do You Fix It?
If your software was using colors, you would have to revert to the previous (non-broken) version. But given what this developer did to his own package, you should definitely use another package instead. Chalk is a commonly recommended alternative.
It's really important to have dependency management in place for your projects. Tools like Snyk or SonarQube will help you detect dependency issues so you can quickly resolve them.
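To make the dependency-tree and fix sections concrete, here is an added example (not code from the original post, nor from colors, firebase-tools or any other project mentioned) that audits a lockfile the way you would after an incident like this: it walks `package-lock.json` from the root, resolves each dependency the way Node does (nearest `node_modules/<name>`, walking upward), records the chain that pulls in every installed copy of a target package, and flags copies that are not on the version you have pinned. The lockfile contents, the package versions and the pinned "good" version `1.4.0` are constructed sample data that mirror the tree above, not real releases; `overridesFor` builds the `overrides` field that npm (8.3 and later) honours in package.json to force every transitive copy onto the pin.

```javascript
// Added example, not from the original post: audit a package-lock.json for
// every installed copy of a transitive dependency, report the chain that pulls
// each copy in, and flag copies that are not on a pinned known-good version.
//
// Assumptions: lockfileVersion 2/3 layout, where keys of `packages` look like
// "node_modules/a/node_modules/b". All names, versions and the pin below are
// constructed sample data mirroring the tree in the post, not real releases.

// Constructed sample lockfile:
//   firebase-tools -> cli-table -> colors (nested, sabotaged sample version)
//   firebase-tools -> winston -> logform -> colors (hoisted, pinned version)
const SAMPLE_LOCK = {
  name: 'action-hosting-deploy',
  lockfileVersion: 2,
  packages: {
    '': { name: 'action-hosting-deploy', dependencies: { 'firebase-tools': '^1.0.0' } },
    'node_modules/firebase-tools': { version: '1.0.0', dependencies: { 'cli-table': '^0.3.0', winston: '^3.0.0' } },
    'node_modules/cli-table': { version: '0.3.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/cli-table/node_modules/colors': { version: '1.4.1-broken' },
    'node_modules/winston': { version: '3.0.0', dependencies: { logform: '^2.0.0' } },
    'node_modules/logform': { version: '2.0.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/colors': { version: '1.4.0' },
  },
};

// Node-style resolution: look for <base>/node_modules/<name>, then walk up one
// node_modules level at a time until the root ('' means the project root).
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. optional dependency)
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package, returning one record per chain that
// ends in `target`: the chain of names, the installed path and its version.
function findPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const visit = (pkgPath, chain) => {
    const entry = packages[pkgPath];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      if (chain.includes(depName)) continue; // cycle guard
      const depPath = resolveDep(packages, pkgPath, depName);
      if (!depPath) continue;
      const nextChain = [...chain, depName];
      if (depName === target) {
        results.push({ chain: nextChain, path: depPath, version: packages[depPath].version });
      } else {
        visit(depPath, nextChain);
      }
    }
  };
  visit('', []);
  return results;
}

// Mark each copy as ok only when it is exactly the pinned version.
function auditPinned(lock, target, pinnedVersion) {
  return findPaths(lock, target).map((hit) => ({ ...hit, ok: hit.version === pinnedVersion }));
}

// package.json "overrides" entry (npm 8.3+) forcing every transitive copy to the pin.
function overridesFor(target, pinnedVersion) {
  return { overrides: { [target]: pinnedVersion } };
}

function loadLock(file) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]
  const lock = process.argv[2] ? loadLock(process.argv[2]) : SAMPLE_LOCK;
  for (const hit of auditPinned(lock, 'colors', '1.4.0')) {
    console.log(`${hit.ok ? 'OK  ' : 'FLAG'} ${hit.chain.join(' -> ')} @ ${hit.version} (${hit.path})`);
  }
  console.log(JSON.stringify(overridesFor('colors', '1.4.0')));
}
```

Run it with no arguments to audit the built-in sample, or pass the path of a real `package-lock.json`. Committing a lockfile and pinning the override is what keeps a freshly published release, malicious or merely broken, from reaching a CI build unannounced; the audit then tells you exactly which chains to fix when an upstream package is pulled or replaced.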
For more information:
- https://snyk.io/blog/open-source-maintainer-pulls-the-plug-on-npm-packages-colors-and-faker-now-what/
- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
Thanks for reading!
For more of my articles, check out [anthonydellavecchia.com](https://anthonydellavecchia.com)!
Original Link: https://dev.to/anthonyjdella/how-a-rogue-developer-ruined-millions-of-software-happened-this-weekend-4bp