DEV Community

Discussion on: How a Rogue Developer Ruined Millions of Software (happened this weekend)

Vincent A. Cicirello

If they had a problem with closed-source use of their software, they should have been using a copyleft license such as the GPLv3 rather than the permissive MIT license that they were using for colors. By licensing under the MIT license, the developer of colors explicitly declared that anyone can use their software for any purpose within any other software, whether open or closed, etc.

Now this also highlights some important practices to employ in relation to project dependencies. First, don't use "latest" tags to pull in dependencies. Use an explicit version number instead. Second, always run all tests when upgrading dependencies. This malicious change shouldn't have gotten into as many packages/apps as easily as it did, at least not into production.

anthonyjdella

Excellent comment, well put!

Many devs use the MIT license "by default" because it's so popular. But using a license like you mention is the way to go IMO. I'm kinda glad that this happened because it brings more awareness to other types of licenses.

And another excellent point that using "latest" is a bad practice! Having a dependency scanner in your pipelines would have helped a lot!
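An added example (my own, not code from this thread or from the colors project) of the check both comments above call for: a small script that reads a package.json and flags every dependency specifier that can silently resolve to a newer release, such as "latest", "*" or a caret range. The sample manifest, package names and versions are constructed for the demo.

```javascript
// Added example (not from the thread): flag package.json specifiers that float
// to whatever the registry serves next, so one malicious publish can reach a
// build without any change on our side. Handles plain npm-style specifiers.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Return null when the specifier is pinned to one exact version, otherwise a
// short reason describing how it can drift.
function floatingReason(spec) {
  const s = String(spec).trim().replace(/^=?v?(?=\d)/, ''); // "=1.0.0" / "v1.0.0" are exact too
  if (EXACT_SEMVER.test(s)) return null;
  if (s === '' || s === '*' || s === 'latest') return 'resolves to the newest published version';
  if (/^(\^|~|>=?|<=?)/.test(s)) return `range "${s}" accepts future releases`;
  if (/^\d+(\.\d+)?(\.[xX*])?$/.test(s) || /\s-\s/.test(s) || s.includes('||')) {
    return `range "${s}" accepts multiple versions`;
  }
  if (/^(git|github:|https?:|file:)/.test(s) || s.includes('/')) {
    return `non-registry source "${s}" is not version-locked`;
  }
  if (/^[A-Za-z]/.test(s)) return `dist-tag "${s}" can be repointed by the publisher`;
  return `unrecognised specifier "${s}"`;
}

// Walk every dependency field of a parsed manifest and collect the floating ones.
function findFloatingDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = floatingReason(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (package names and versions are made up).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { colors: '1.0.0', 'pretty-logger': 'latest', 'http-framework': '^4.17.1', 'util-lib': '*' },
  devDependencies: { 'test-runner': '27.4.7', linter: '>=8.0.0' },
});

// Parse a manifest string and audit it; a CI step would fail the build on any finding.
function auditManifest(json) {
  return findFloatingDependencies(JSON.parse(json));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.field}/${f.name}: "${f.spec}" - ${f.reason}`);
  }
}
```

Pinning alone does not replace running the test suite on every upgrade; it only makes sure an upgrade is a deliberate, reviewable change rather than something that happens at install time.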

lepinekong

I think many, including myself, don't want to bother with copyright, but this story shows one should. Reading his story, I understand his rage against big companies or startups, but he should have alerted his fellow developers instead of acting badly, because he's the one who is going to pay again. I'm sad for him.