Prahlad Yeri

Posted on • Originally published at freelancemag.blogspot.com

Breaking of two NPM libraries show that everything isn't right in FOSS ecosystem

As if COVID-19 and political events weren't enough to wreak havoc in the lives of already troubled netizens, they had to face one more setback today when a little-known developer named Marak suddenly decided to sabotage two npm libraries he controlled, colors and faker, by publishing deliberately broken versions of them. Node builds started failing across the world, and the Gods of the heavens screamed their wrath on the poor plebeians!

Good Lord, where do I even begin with this! It's often said that a chain is only as strong as its weakest link, and this is especially true of the npm ecosystem. For the safety and security of a product (let alone a large and thriving ecosystem like Node's) it is essential to have as few dependencies as possible. But Node developers seem to live in a totally different world. Many large and widely used npm libraries, webpack among them, carry an astronomical number of transitive dependencies. This is wrong, yet it continues to happen.

What happened with colors and faker can happen to any infrastructure project tomorrow. Imagine if it happened to a large project like webpack. Your project depends on webpack, which has its own dependencies, which depend on other dependencies, which depend on yet more, and so on ad infinitum. A single sabotaged package anywhere in that chain breaks everything above it, including projects whose authors have never heard of it. That is how it works in the npm universe, and it needs to change.
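To make the chain concrete, here is an added example (my own code, not from the original post or from npm) that walks an npm lockfile the way npm itself resolves packages and answers the two questions every team asked during this incident: which of my direct dependencies drags in a given package, and which installed versions are so new that nobody has had a chance to look at them? The lockfile, the package names (bundler-ish, loader-util, cli-thing) and the publish timestamps are constructed sample data; the only real name in them is colors.

```javascript
// Added example, not code from the original post. Walks a lockfileVersion 2/3
// "packages" map, resolves dependencies with Node's nearest-node_modules rule,
// lists every chain from the root to a target package, and flags versions
// published less than N days ago. All data below is constructed sample data.

const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "bundler-ish": "^1.0.0", "cli-thing": "^0.1.0" } },
    "node_modules/bundler-ish": { version: "1.0.0", dependencies: { "loader-util": "^2.0.0" } },
    "node_modules/loader-util": { version: "2.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/colors": { version: "1.4.44" },
    "node_modules/cli-thing": { version: "0.1.0", dependencies: { colors: "1.3.0" } },
    // cli-thing pinned an older colors, so npm nested a second copy under it.
    "node_modules/cli-thing/node_modules/colors": { version: "1.3.0" },
  },
};

// Constructed stand-in for the registry's per-version publish timestamps
// (the real registry metadata for a package carries a "time" object like this).
const SAMPLE_PUBLISH_TIMES = {
  "bundler-ish": { "1.0.0": "2021-06-01T00:00:00.000Z" },
  "loader-util": { "2.0.0": "2021-09-15T00:00:00.000Z" },
  "cli-thing": { "0.1.0": "2021-03-10T00:00:00.000Z" },
  colors: { "1.3.0": "2019-04-01T00:00:00.000Z", "1.4.44": "2022-01-08T00:00:00.000Z" },
};

// Node's resolution order as encoded in lockfile keys: try the nearest nested
// node_modules first, then walk up one level at a time until the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[key]) return key;
    if (base === "") return null; // reached the root without finding it
    const cut = base.lastIndexOf("/node_modules/");
    base = cut < 0 ? "" : base.slice(0, cut);
  }
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root; returns every chain of package names that
// ends in a package called `target`, so you can see who pulled it in.
function chainsTo(lock, target) {
  const { packages } = lock;
  const found = [];
  const visit = (pkgPath, chain) => {
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const depPath = resolveDep(packages, pkgPath, dep);
      if (depPath === null || chain.includes(depPath)) continue; // missing or cycle
      const next = [...chain, depPath];
      if (nameOf(depPath) === target) found.push(next.map(nameOf));
      visit(depPath, next);
    }
  };
  visit("", []);
  return found;
}

// Every package reachable from the root, mapped to the length of the longest
// chain that reaches it (how far a transitive break can sit from your code).
function transitiveDeps(lock) {
  const { packages } = lock;
  const depth = new Map();
  const visit = (pkgPath, d, seen) => {
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const depPath = resolveDep(packages, pkgPath, dep);
      if (depPath === null || seen.has(depPath)) continue;
      if ((depth.get(depPath) || 0) < d) depth.set(depPath, d);
      visit(depPath, d + 1, new Set([...seen, depPath]));
    }
  };
  visit("", 1, new Set());
  return depth;
}

// Flag every installed version published less than `minAgeDays` before `now`,
// or with no publish time at all. A cooldown like this keeps a version that
// appeared yesterday out of your build until other people have looked at it.
function freshVersions(lock, publishTimes, now, minAgeDays) {
  const msPerDay = 24 * 60 * 60 * 1000;
  const flagged = [];
  for (const [pkgPath, info] of Object.entries(lock.packages)) {
    if (pkgPath === "") continue; // the root project itself
    const name = nameOf(pkgPath);
    const published = publishTimes[name] && publishTimes[name][info.version];
    if (!published) {
      flagged.push({ name, version: info.version, reason: "no publish time" });
      continue;
    }
    const ageDays = (now - Date.parse(published)) / msPerDay;
    if (ageDays < minAgeDays) flagged.push({ name, version: info.version, reason: `${ageDays.toFixed(1)} days old` });
  }
  return flagged;
}

const NOW = Date.parse("2022-01-09T00:00:00.000Z"); // constructed "today" for the sample
console.log("chains to colors:", JSON.stringify(chainsTo(SAMPLE_LOCK, "colors")));
console.log("transitive packages:", transitiveDeps(SAMPLE_LOCK).size);
console.log("fresh versions:", JSON.stringify(freshVersions(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES, NOW, 14)));
```

Against a real install, `npm ls colors` answers the chain question and the registry's package metadata supplies the publish times; npm 8.3 and later also accept an `overrides` field in package.json to force a known-good version of a transitive dependency while upstream sorts itself out.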

npm needs to take a leaf out of other packaging systems such as Python's pip, PHP's Composer/Packagist and RubyGems. Not that these systems are perfect or never err, but none of them has a culture in which popular infrastructure software depends on a long tail of trivial packages. In npm, trivial bits of code like a hypothetical plus.js or minus.js get turned into proper packages and pushed across as dependencies. This needs to stop if the npm/Node ecosystem wants to be a serious contender in backend development.

Needless to say, the attitude and behavior of this particular dev, Marak, is also very problematic here. And to be fair to npm, this kind of thing can happen to any open source project (the left-pad removal broke npm builds the same way in 2016, and the recent log4j vulnerability showed, in a different way, how far one library's problem can spread). Now, what can one do when a software author suddenly pulls the plug on their package and breaks the entire dependency chain? It's important to understand the mindset of such a developer, which brings us to the age-old question of why anyone contributes to FOSS in the first place!

In the linked reddit thread, Marak is quoted as having warned as far back as November 2020:

In November 2020, Marak had warned that he would no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary.

Now, why should open source developers have any problem with "big corporations" using their software for free? After all, the very purpose of FOSS is to create software that is free from proprietary restrictions, and being gratis is an important side-effect of that. If you don't want your software used by someone, why contribute to FOSS at all? A developer with this mindset should go fully proprietary and license their software, because that is what businesses (including the so-called "big corporations"!) do.

Even Richard Stallman (on whom the GPL and the philosophical foundations of FOSS rest) never had a problem with corporations using free software, as long as they complied with its licensing terms.

The problem of putting food on the developer's table is, unfortunately, a genuine one. But I disagree that it justifies stunts like Marak's. In fact, a proprietary or closed-source developer who sells or licenses their software for money is more honest than someone who enters FOSS with such an ulterior motive and then sabotages it for a few bucks. At least the former is clear about their intentions and straightforward in their actions.

In the good old days of the 90s, devs were clear about their vision and narrative for the software they built. There was Bill Gates, who went fully proprietary and built a corporate software empire. There was Richard Stallman, who embraced the philosophy of the commons and started a great movement. There was also ESR (Eric Raymond), who tried to balance both worlds and favored a more liberal version of open source by pushing for BSD/MIT/Apache-style licensing. But in the end, they were all clear about their vision and what they had to do, and to some extent they all succeeded.

Developers like Marak don't have that vision; they are confused about what open source is about and about their role in it. Devs should reflect on this and try to come up with a model that works both for themselves and for society at large. It's not necessary to adopt Stallman's GPL or ESR's vision; they can come up with their own. They can even do a full Bill Gates and create a Microsoft-like corporation. But what is not ethical is trying to be a Bill Gates in Stallman's clothing (a wolf in sheep's clothing!). Neither the wolf's nor the sheep's supporters are ever going to like that!

Discussion (7)

Andreas Sommarström

Interesting write-up! The whole discussion after colors.js/faker.js is interesting in my opinion, as is every discussion after dependency-related incidents. Most people seem to agree that something needs to be done; the problem is finding a solution that people can agree on...

Users that are interested in putting a "buffer" between new version releases and their own dependency supply chain can look into features like our delay on upstream versions: dev.to/sumstrm/update-dependencies...

Alex Lohr

Breaking other people's project is definitely malice - it also hurts people who were using this open source package for non-commercial use.

There is a better solution. Unfortunately, it is one that is rather boring for developers: licensing - every author can define the licensing terms of their software, so you can use a GPL3 that requires users of your library to open-source their work based on your library and at the same time support a commercial license without this requirement.

Volker Schukai

If you provide software under a free license,
you should not complain afterwards.

A gift is a gift.

But it also shows
that structures like npm
stand on
very shaky feet.

Nathan Kallman

When you use software provided for free,
don't complain when the author changes how it works.

A gift is a gift.

Volker Schukai

No offense! I'm not complaining about the package being changed, especially since I don't use it.
I just found the way a bit strange. But that's not really the issue for me either.

The volatility of npm and how many people are using it worries me more.

Nathan Kallman

Thanks for enduring my snark; sorry about that!

It is a strange response, but I feel more grated by the attitudes of so many devs who obviously are upset when their slave labor doesn't comply with their every whim.

NPM is unreasonably volatile. Whoever is just updating blind (esp. with packages whose maker explicitly stated to fork or pay up, with a year's warning) is skipping through a minefield; I struggle to feel sorry for them when things blow up in their face.

Volker Schukai

I agree with you. The expectations of free software are sometimes unbearable.