How a Rogue Developer Ruined Millions of Software (happened this weekend)


TLDR: A software developer who maintains some very widely used open source software decided to go rogue and deliberately inject a bug into it, making it unusable. This broke every other package (and developer) depending on his software.


Bug Breaks my Software Deployment

Over the weekend, I was deploying some software (to Firebase) with CI/CD pipelines. But for some reason, the pipelines were failing. The failure occurred at this stage of my GitHub Actions workflow:

    - uses: FirebaseExtended/action-hosting-deploy@v0
      with:
        repoToken: '${{ secrets.GITHUB_TOKEN }}'
        firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_ANTHONYDELLAVECCHIA }}'
        channelId: live
        projectId: anthonydellavecchia
        entryPoint: "./anthonyjdella"

This is a screenshot of my failed pipeline:

[Screenshot: the failed GitHub Actions run]

I then went over to the FirebaseExtended GitHub repo to see if anyone else was having similar issues. And yep, many others were experiencing the same problem:

[Screenshot: the issue thread on the FirebaseExtended/action-hosting-deploy GitHub repo]


Rogue Developer, Marak

Well, it turns out that action-hosting-deploy was using a dependency called colors, created by Marak (the rogue developer), which is a tool that colors and styles your Node.js console output. This npm package gets over 20 million downloads per week, so it's very popular! The dependency tree for this GitHub action looks something like this:

  • action-hosting-deploy
    • firebase-tools
      • cli-table
        • colors (the subdependency causing the issue)
    • winston
      • logform
        • colors (the subdependency causing the issue)

So what? Well, Marak, the creator of colors, added code to his own project to break it on purpose: an infinite loop!

[Screenshot and link: Marak's commit that introduced the infinite loop]

This is very much intentional and not an accidental bug. It was malicious.


Why is Breaking his own Software Bad?

You may be wondering why breaking his own software is bad. Well, Marak knows that his software is used by other software, so if his breaks, so will theirs. Think of it as a chain reaction: every package that depends on colors, directly or transitively, breaks too. Because of "dependency hell", this affects millions of developers.

Why Did Marak Do This?

Marak was upset that corporations were using his open-source software and not paying for it. It's basically that simple. He posted an article on his blog.

How Do You Fix It?

If your software uses colors, you have to pin it back to the previous (non-broken) version. But because of this developer's behaviour, you should definitely use another package instead. Chalk is a recommended alternative.

It's really important to have dependency management in place for your projects. Tools like Snyk or SonarQube will help you detect dependency issues so you can quickly resolve them.
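As an added example that is not part of the original post, here is a small Node script that does the two things described above for a transitive dependency like colors: it walks a package-lock.json (lockfileVersion 2 or 3), reports every installed copy of `colors` and the path it arrives through, flags any version not on an allowlist, and builds the npm `overrides` block (npm 8.3 or newer) that pins the whole tree to the allowed version. The lockfile contents, package versions and allowlist below are constructed for the example; in practice the allowlist is the last known-good release.

```javascript
// Added example, not code from the original post or the projects it mentions.
// Audits a lockfile's "packages" map for copies of a given package.

function findPackageCopies(lock, pkg) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/cli-table/node_modules/colors" -> ["cli-table", "colors"]
    const chain = path.split("node_modules/")
      .map(s => s.replace(/\/$/, ""))
      .filter(Boolean);
    if (chain[chain.length - 1] === pkg) {
      hits.push({ path, chain, version: meta.version });
    }
  }
  return hits;
}

// Returns one record per installed copy: where it lives, which parent pulls
// it in, and whether its version is on the allowlist.
function auditPackage(lock, pkg, allowedVersions) {
  const allowed = new Set(allowedVersions);
  return findPackageCopies(lock, pkg).map(h => ({
    path: h.path,
    version: h.version,
    via: h.chain.length > 1 ? h.chain.slice(0, -1).join(" > ") : "(top level)",
    ok: allowed.has(h.version),
  }));
}

// npm >= 8.3 honours an "overrides" field in package.json that forces every
// copy of a transitive dependency onto one version.
function buildOverride(pkg, version) {
  return { overrides: { [pkg]: version } };
}

// Constructed sample lockfile: layout mirrors the post's dependency tree,
// but every version number here is invented.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site", version: "1.0.0" },
    "node_modules/firebase-tools": { version: "9.0.0" },
    "node_modules/cli-table": { version: "0.3.0" },
    "node_modules/cli-table/node_modules/colors": { version: "1.0.1" },
    "node_modules/winston": { version: "3.0.0" },
    "node_modules/logform": { version: "2.0.0" },
    "node_modules/colors": { version: "1.0.0" },
  },
};
const ALLOWED = ["1.0.0"]; // constructed allowlist for the sample above

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPackage(SAMPLE_LOCK, "colors", ALLOWED)) {
    console.log(`${r.ok ? "ok " : "BAD"} ${r.path} ${r.version} via ${r.via}`);
  }
  console.log(JSON.stringify(buildOverride("colors", ALLOWED[0])));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; any line printed as BAD is a nested copy that a top-level pin alone would not fix.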


Thanks for reading!

For more of my articles, check out [anthonydellavecchia.com](https://anthonydellavecchia.com)!
