colors.js
Zalgo issue with `v1.4.44-liberty-2` release
It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors.
Please know we are working right now to fix the situation and will have a resolution shortly.

Woah, crazy bug! Glad to know you are working on it.
Just reinstalled the Live Server package because I came across this while trying to host a project over localhost. Tracked my way to the new american.js file here in your project because something related to this issue happened while starting the server. Really freaked me out!

Alright, figured out how to temporarily fix the issue for use with Live Server.
The package.json for Live Server has Colors.js set to use the newest possible version available, latest, so I changed it back to the most recent Colors.js version that didn't have the issue, 1.4.0. Just thought I'd share a fix for anyone else that may also run into this too.
Hi, seems like it was introduced because of this infinite loop.

Still trying to figure out what happened. I think we may have tried to upgrade to JavaScript 6 but the CI system only supports JavaScript 5 and lower.

Is it an option that, in the meantime, you could revert your project back to 1.4.0, the release before the new change was introduced? This seemed to fix all of the issues on my end. A lot of large projects appear to be requiring your dependency, and they have the version number set to use the latest release.

We've been up all night trying to work out a solution for this Zalgo bug and are still coming up short.
As much as we'd like to revert back to a previous working version, we strongly feel it's best if we can fix the actual problem instead of going back in time.
Yeah, changing the version number to an older release would fix it, but there are many projects out there that haven't been updated in multiple years, I don't think the devs for them will be around to change the Colors.js dependency not to use latest any time soon, Live Server could be an example. (This message was in reply to this one above)
@Marak can you please promote the last working version to latest? I understand that you'd rather fail forward but our package is completely unusable because of this bug
I'm all out of ideas here. It's been a long night and I do I have to begin to prepare soup for Sunday church services tomorrow. I'll try to come back to this Monday if time permits.
Perhaps one of other maintainers can assist?
@substack @dominictarr and @tj should all have publishing access to NPM.
@Marak , It looks like you removed me from this repo so I'm unable to help. I can only imagine everything you're going through right now, but there are a bunch of other OSS devs like you who get hurt by pranks like this, rather than the big tech elite etc. that I think you are trying to go after. I'd be happy to help here, but please be willing to not harm the folks who would otherwise be on your side.
Best Bug though. You for sure should keep it in :+1: makes the console look cooler in my opinion.
In package-lock file we trust and I will trust even for simple project...
Hello whoever is behind this Marak account. Imagine if you turned your skill into making products for average humans that don't code, to improve their lives in big ways, leaving a bigger and longer lasting memory of what you've done... Bombs won't have as big of an impact in today's world.
For anyone who is affected, here are ways to check which packages have to pin the version (the ones that directly use colors):
for npm:
npm ls colors
for yarn:
yarn why colors
In some cases you can use resolutions: https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/ https://www.npmjs.com/package/npm-force-resolutions
And in some you can easily apply a patch to remove the relevant code parts with patch-package: https://www.npmjs.com/package/patch-package
Or check one technology called Haskell; you could even write pure (determined) IOs using one thing called Monads. It's big fun. Then you could run code that never ever breaks; having a century of technology under your fingertips would then be possible. Look how https://negativespace.co/iphone-woman-hands-touch/
all haskell evangelists are now rust evangelists, you're stuck in time bro
What are we, the confused internet, missing here? What's going on? Is this some sort of April Fools' joke? Are you trying to get developers to not use @latest tags when installing dependencies?
So has a successor to colors.js been decided yet?
@DanielRuf Yeah, I'm not going to go sleuthing around trying to find the relevant story. A lot just point back here but all I see are what look like inside jokes. Thank you for the HN link.
I see that faker.js is related but it looks like the original post the HN post is about has been deleted along with the repository. I've got to go back to the Way Back Machine to get some details: https://web.archive.org/web/20210704022108/https://github.com/Marak/faker.js/issues/1046
@sbmelvin I like chalk
absolute legend for this thank you marak dont let anyone tell you otherwise
the fix isn't that hard

just remove the affected code.
Folks, a quick update. Semi-official since I have been a maintainer on this project for 2 or 3 years (albeit largely passively).
- Active steps are being taken to resolve this situation.
- You may pin your dependency to 1.4.0 while this issue is being resolved.
- If you prefer, you may reference https://www.npmjs.com/package/@dabh/colors, which has the same git history but none of the compromising commits. v1.4.0 is still the latest tag there. I will commit to maintaining this copy (i.e. keeping it in sync with the main repo) for some time after this issue is resolved. My goal is to amicably resolve things and have the original repo be maintained by the community, rather than telling people to "use my fork."
- I will have no other updates until at least Monday.
- This situation is not a joke, not trolling, and is reflective of serious personal issues. It is not constructive to make jokes or personal attacks. Furthermore, it is not helpful to continue posting the same links over and over in different places -- everyone closely involved is already aware of the history, and the reputational and real-life damage has already been incurred by the author; salting the wounds here only serves to reduce the chance of an amicable resolution.
- There are major flaws with the open-source community, as Marak and others have highlighted over the years. This is part of a larger conversation, and it is probably helpful for us all to take some time and reflect on how we can do better.
Please try to refrain from continuing to flood this thread until there is more to share, unless you have additional suggestions on workarounds (e.g. as @DanielRuf has provided). Thank you, stay safe, and be kind.
I would say you need to remove the following code that was introduced in index.js printing the American flag. It was not there in 1.4.0. It breaks AWS CDK. I should not have to remove it myself.
/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}
"I should not have to remove it myself"
You must see the irony if the reason this maintainer did this is because he's treated as a slave for his maintenance work, and yet here you are saying you're entitled to not having to fix this yourself...
It's a matter of trustworthiness.
On Sat, Jan 8, 2022 at 10:25 PM dougpagani wrote:
I would say you need to remove the following code that was introduced in index.js printing the American flag. It was not there in 1.4.0. It breaks AWS CDK. I should not have to remove it myself.
/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}
"I should not have to remove it myself"
You must see the irony if the reason this maintainer did this is because he's treated as a slave for his maintenance work, and yet here you are saying you're entitled to not having to fix this yourself...
imo, The Liberty Update offers some nice QOL improvements
The author of this project has intentionally sabotaged the library. DO NOT EXPECT A FIX. Peg to release 1.4.0 and start looking for an alternative.
Marak, I hope you are ok. <3
This is fine.
I went to node_modules/colors/lib/index.js and commented lines 15-23 out. Truly a temporary fix until this is actually resolved.
And whoever made this forgot to remove the line after testing, go figure.
/* remove this line after testing */
let am = require('../lib/custom/american');
am();
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}
(Just realized someone posted this before me in the hidden items. Whoops.)
@Solixity see also https://github.com/Marak/colors.js/issues/285#issuecomment-1008168237
Thanks. Truth be told, I'm more of a "search for the bad code and comment it out" type of person, but if it gets annoying soon (I use colors for a lot of my projects), I'll definitely patch the package or just downgrade to 1.4.0 as that's what other people say is the latest working version.
@Marak we are with you! We support Aaron Swartz, and we give salute to him for the greatest work ever done in open source's history! Long live Aaron Swartz!
We support your work. But, this is not how the way to express your current state, this is a loser way, Marak. You can just open many ways for people to appreciate your work with some money.
Easy solution: ditch this garbage and use chalk
Wow this is a really horrible way to protest something. What a child.
Edit: For the people disliking my comment, I cannot think of a faster way to evaporate all trust people have for you than by making a widely used library malicious. It's a one-way ticket to making sure you'll never find a job in software development ever again. If Marak really does have mental health issues it is not a justification for acting the way that he did -- only an explanation.
Just a note that colors/safe still works fine through.
+1
We've also just hit this in our Cloudron docs deploy pipeline. Now I saw there was a recent npm package release some 20min ago https://www.npmjs.com/package/colors/v/1.4.2 was this supposed to fix the issue? It seems the same problem is still there?
I can't launch http-server because of this issue. Assuming this never gets fixed, what's the proper way to force npm to use an older version of this dependency for http-server? Edit the lock file?
@RPGillespie6 see https://github.com/Marak/colors.js/issues/285#issuecomment-1008168237
@nebulade not really, see https://diff.intrinsic.com/colors/1.4.1/1.4.2. He added another loop to colors/safe, probably because he oversaw this.
reference: https://github.com/Marak/colors.js/issues/285#issuecomment-1008357669
I can't launch http-server because of this issue. Assuming this never gets fixed, what's the proper way to force npm to use an older version of this dependency for http-server? Edit the lock file?
Instead of reverting the http-server, downgrade this module version to 1.4.0, that's what I've done, until the bug gets fixed.
You can run npm install colors@1.4.0 and it'll downgrade as is.
Don't know why it decided to bonk the important part.
Still happens in 1.4.2
@Hamahmi yes, please see https://github.com/Marak/colors.js/issues/285#issuecomment-1008367265
Actually surprised that this didn't somehow bring down aws us-east-1.. takes a lot less usually. Maybe 1.4.2
Edit: https://github.com/Marak/colors.js/blob/6bc50e79eeaa1d87369bb3e7e608ebed18c5cf26/lib/extendStringPrototype.js#L55
Right here is the place to make the change to get log4j level hype though
Wow he is still going if this is true. You would think having 2 days to rethink this might convince him to think sanely but guess not.
I have deleted my previous comment to state that I support Marak's protest against big companies and their abuse of open-source, but Marak's character as a human is questionable. From allegations of burning down his house making bombs to abusing his girlfriend, I do not think the person running this repository is respectable (or sane) in the slightest.

https://xkcd.com/2347/
This is a ~~troll campaign~~ protest by the author of this module. This package is not going to get fixed and you will continue to get burned unless you pin the package to version 1.4.0. For a short term fix change your package.json & package-lock.json to use 1.4.0 and republish your module. Then start looking for alternatives, or a fork of this project.
Here is an example of how to fix your package... https://github.com/sintaxi/surge/commit/32eaaa2c5731c20093c12fde4c92d58bacda377a
DO NOT use ^1.4.0 otherwise your package will pull the latest 1.4.* version of the module.
PS: The author of this module wants to raise awareness about Aaron Swartz. Go learn more about him and his alleged suicide.
Excellent advice. Hopefully AWS follows for their CDK by not using the caret.
On Sun, Jan 9, 2022, 4:35 PM Brock Whitten wrote:
This is a troll campaign by the author of this module. This package is not going to get fixed and you will continue to get burned unless you pin the package to version 1.4.0. For a short term fix change your package.json & package-lock.json to use 1.4.0 and republish your module. Then start looking for alternatives, or a fork of this project.
Here is an example of how to fix your package... https://github.com/sintaxi/surge/commit/32eaaa2c5731c20093c12fde4c92d58bacda377a
DO NOT use ^1.4.0 otherwise your package will pull the latest 1.4.* version of the module.
@kevinlonigro see https://github.com/aws/aws-cdk/pull/18324
Thanks for the thread to aws/aws-cdk#18324 https://github.com/aws/aws-cdk/pull/18324, much appreciated.
On Sun, Jan 9, 2022, 4:56 PM Daniel Ruf wrote:
@kevinlonigro see https://github.com/aws/aws-cdk/pull/18324
Hi, is there anyway on how to fix this?
Downgrade to 1.4.0 or switch to Chalk
So where is npm Inc. in such cases?
More seriously: what could be the problems if they revert the code to the version before the latest, with the same version number? (@DanielRuf you seem to know about these.. thanks a lot for the help with affected users.)
Or they did it already I'm just checking: Last publish 3 hours ago
Nobody knows where they're at. You could report it on https://npmjs.org/colors but in the end, that's cause more problems than it'd solve. They'd erase the package as a whole, easier to just downgrade and hold.
@Solixity I reported the bug like 1 hour before the whole thing started here, as I was expecting this before it happened.
Why would it cause more problems? And they pushed a new version now, I just checked, I can't make my head on different cases and what would be the best in such situations.
A lot of programs depend on this package, it's a matter of it not resolving and causing CI test issues.
But I'm filing a report right now to npm as I type this.
The .2 release added the same code to colors/safe, see https://diff.intrinsic.com/colors/1.4.1/1.4.2
So that is still ongoing and pinning to v1.4.0 (using resolutions or your package.json and package-lock.json/yarn.lock files if directly used) or switching to chalk or some other solution are the only viable solutions. Or patching the code to remove these loops with patch-package.
Why would it cause more problems?
If you had bothered to read his reply
They'd erase the package as a whole, easier to just downgrade and hold.
And they pushed a new version now, I just checked
All that version is, is the author adding the loop to colors/safe as well. this isn't a bug, this is intentional by the author.
Why would it cause more problems?
If you had bothered to read his reply
They'd erase the package as a whole, easier to just downgrade and hold.
And they pushed a new version now, I just checked
All that version is, is the author adding the loop to colors/safe as well. this isn't a bug, this is intentional by the author.
It's definitely intentional. If it wasn't, he'd be responding to our comments.
And his comment in /safe doesn't back up the fact that it wasn't intentional.

oof
Why would it cause more problems?
If you had bothered to read his reply
They'd erase the package as a whole, easier to just downgrade and hold.
And they pushed a new version now, I just checked
All that version is, is the author adding the loop to colors/safe as well. this isn't a bug, this is intentional by the author.
It's definitely intentional. If it wasn't, he'd be responding to our comments.
And his comment in /safe doesn't back up the fact that it wasn't intentional.
Well, he couldn't really reply to comments if he wanted to any way, he's permanently suspended from Github
They'd erase the package as a whole, easier to just downgrade and hold.
@Solixity since the left-pad drama happened no, you can not delete releases and packages after a specific amount of time and downloads.
https://docs.npmjs.com/unpublishing-packages-from-the-registry
https://docs.npmjs.com/policies/unpublish
https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html
They'd erase the package as a whole, easier to just downgrade and hold.
@Solixity since the left-pad drama happened no, you can not delete releases and packages after a specific amount of time and downloads.
https://docs.npmjs.com/unpublishing-packages-from-the-registry
https://docs.npmjs.com/policies/unpublish
https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html
... yikes.
They'd erase the package as a whole, easier to just downgrade and hold.
@Solixity since the left-pad drama happened no, you can not delete releases and packages after a specific amount of time and downloads.
https://docs.npmjs.com/unpublishing-packages-from-the-registry
https://docs.npmjs.com/policies/unpublish
https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html
Right, but that's if it's the author trying to do it. the "They" in this case would be NPM
Surely the policy wouldn't apply if they're removing something malicious?
We should focus on fixing the affected projects. See also https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640
Surely the policy wouldn't apply if they're removing something malicious.
Yes as this would be against the usage terms and harms users. And hosting / distributing malware has also / could have some possible legal consequences, but this is not relevant now.
I've used this package for a while and love it. But something of this level should have warranted a revert, a lot sooner, regardless of how fancy the improvements are. Not my decision to make. Can't comprehend why anyone would need to put something like that in the colors package in the first place.
Anyways keep up the good work,
@nahidakbar I'll help you get up to speed...
The author of this project has intentionally sabotaged the library. His attempts to "fix" the issue are disingenuous in an effort to troll you. He also revoked access of other contributors to prevent them from fixing the problem. Expect future patch releases to be further attempts to cause you grief. The best short term solution is to peg the package at 1.4.0 and start looking for an alternative or a fork.
Marak should NOT be trusted as a developer! Especially after doing this unilaterally without notification.
This is unbelievable.
npx marak-free
All: The latest status update is still https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640 , i.e., pin at 1.4.0, use @dabh/colors, or wait till tomorrow for updates. Please try to avoid adding unnecessary comments (even lighthearted remarks) to this thread, as useful info is getting buried in the hidden items. Presumably, a lot of people are going to be visiting this thread tomorrow, so let's try to be considerate of them and make the signal-to-noise ratio as high as possible. Thanks and stay tuned.
If you're using yarn, you can resolve this issue by adding the following to your package.json:
"resolutions": {
  "colors": "1.4.0"
}
@Offroaders123
A lot of large projects appear to be requiring your dependency, and they have the version number set to use the latest release.
but.... that sounds like... the issue is actually on their end, no?
I just found further evidence that Marak has severe mental health issues and cannot be trusted:
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
I am currently encountering this issue in @bubblewrap/cli. Should the colors peg at 1.4.0 go into my project's package.json that I am bubblewrapping or into the bubblewrap downloaded library itself?
Maybe @Marak as a try to support you:
I think executing this command should ease it for many people:
npm dist-tag add colors@1.4.0 latest
This will mark the 1.4.0 as "latest" version on npm and so 1.4.1 and 1.4.2 will be ignored ...
I just found further evidence
Here we go again. The investigator came with fake news. Shame on you @dustinlw1987 go and delete that
I will not, thank you. I'm reporting on the developer's state of mind and his actions which affect the developer community.
I reiterate: he has severe mental health issues and has been caught doing shady things that we should be concerned about.
I just found further evidence
Here we go again. The investigator came with fake news. Shame on you @dustinlw1987 go and delete that
Fake news? Ok, please tell me how it is fake news? That's a legitimate news source.
People are upset why? Github suspended him why?
HE MADE CHANGES TO HIS OWN CODE.
Just because other people rely on it doesn't mean he cant change HIS OWN CODE
People are upset why? Github suspended him why?
HE MADE CHANGES TO HIS OWN CODE.
Just because other people rely on it doesn't mean he cant change HIS OWN CODE
He published malicious code when he has >20 million weekly downloads, not acceptable.
People are upset why? Github suspended him why?
HE MADE CHANGES TO HIS OWN CODE.
Just because other people rely on it doesn't mean he cant change HIS OWN CODE
You're failing to realize that he made changes that TONS of other people are now suffering from. At first, it was in one section but then he moved it onto the "safe" version. At that point, it's deemed as malicious and people have the right to be upset about it.
Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.
Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.
Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.
Your opinion is still probably very interesting, and it will fit perfectly on social networks.
Marak's malicious actions and code is very much an issue. We will discuss them here.
Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.
Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.
Unfortunately this is the internet, and you also happen to have no power over this
Please keep this an issue tracker. Noise is as much sabotaging as publishing corrupted code, because it prevents users from finding a solution.
Your opinion is still probably very interesting, and it will fit perfectly on social networks. If you realize a comment you wrote is not of technical interest, please remove it.
Oh and, people can very easily find the solution since it is the 2nd comment, which is, downgrade and pin 1.4.0, or optionally use some other kind of fork if you wish to do that

In my opinion the former maintainer is irrelevant now, better focus on reducing damage. While bigger projects have already fixed or are fixing this issue, multiple smaller package maintainers are having a hard time trying to figure it out. I've searched github issues for 'Carl Pilcher' and linked this issue for ones without mention of color.js but there will be more. Maybe we can have a bot that will do it automatically, if it is possible with the github api.
Maybe we can have a bot that will do it automatically, if it is possible with github api.
Unsure if that is allowed.
Maybe another maintainer involved in the project can take over development in a forked repository, and publish it to npm with either an alternative name or, if npm people allow it, the name colors so that people don't have to fix the dependency.
Maybe another maintainer involved in the project can take over development in a forked repository, and publish it to npm with either an alternative name or, if npm people allow it, the name colors so that people don't have to fix the dependency.
https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640
In my opinion the former maintainer is irrelevant now, better focus on reducing damage. While bigger projects have already fixed or are fixing this issue, multiple smaller package maintainers are having a hard time trying to figure it out. I've searched github issues for 'Carl Pilcher' and linked this issue for ones without mention of color.js but there will be more. Maybe we can have a bot that will do it automatically, if it is possible with the github api.
I mean it isn't too hard to do since there is literally a tab on this repo which shows projects that are utilizing colors.js as a dependency. It also shouldn't be too hard to make an npm package that can be used with npx which does the pinning and automatically commits to GitHub if a .git folder is present.
Colors.js is under the MIT license. According to this license the author provides the software "as is", without warranty of any kind:

As nasty as the new commit could be, the license shifts the responsibility of the library usage uniquely to the consumer, not the original developer/maintainer.
Not saying that this commit doesn't have further implications for open source software than the strictly ones covered in the license. But I think it opens a legitimate debate about who's responsible for damages and whether the author is morally entitled to such behaviour, even when it's extreme.
He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.
He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.
The problem is that not everyone using colors.js is aware that they're using it. A lot of cli tools use colors.js, and I don't really think about the packages behind that when I install them, or even be aware of it. It's not on me if my fourth layer of dependencies used color.js.
I have a question for you, is it really that hard to get the latest version to 1.4.0 until you fix the problem? The people here asking you to do this have not installed colors.js for their own purposes. A small example: nest.js, which acts as a backend, is not running on my server.
@Itsbiggertheinside do you you mean nest cli or server itself? I've seen cli had colors problem, but runtime should be ok, isn't it?
@dustinlw1987 @BitesizedLion can't you imagine two people with the same name or what? Do you imagine people have access into internet in detention? What the hell are you? I'm out of this. It appears to me Marak is more sane than you, Go f*cking buy a book and learn some programmig too.
What are you on about you absolute crackhead, lmao
Colors.js is under the MIT license. According to this license the author provides the software "as is", without warranty of any kind:
As nasty as the new commit could be, the license shifts the responsibility of the library usage uniquely to the consumer, not the original developer/maintainer.
Not saying that this commit doesn't have further implications for open source software than the strictly ones covered in the license. But I think it opens a legitimate debate about who's responsible for damages and whether the author is morally entitled to such behaviour, even when it's extreme.
He wanted to be paid for his work. If you don't like this commit, don't use my package. My software comes with no warranty could be his defence.
This may be true to the extent that there is no implied warranty or guarantee against defect. Accidental harm and intentional harm are two very different things. This does not mean the author can't still be sued or criminally charged solely on intentional malicious actions. A good lawyer would be able to argue that @Marak knew prior to pushing this commit that the effects would cause financial harm to multiple organizations.
If you license your land to build a freeway but then decide the freeway is being used by too many people who are too rich and don't give you credit so you go and rip up the asphalt, you're still going to be liable for the destruction and potential dangers you've caused to the public.
nest js has dependencies with colors.js, like going back to version 1.4.0?

@cnamoncudev check related issue https://github.com/nestjs/nest-cli/issues/1480
@notwedtm another, even-lesser hypothetical lawyer than yours, might point out that a contract is only valid in as much as two things of value were exchanged - what was exchanged here? a super-duper-valuable promise of always keeping the copyright notice intact
@notwedtm another, even-lesser hypothetical lawyer than yours, might point out that a contract is only valid in as much as two things of value were exchanged - what was exchanged here? a super-duper-valuable promise of always keeping the copyright notice intact
That would most likely lead to a conversation about the fundamental differences between a contract and a license.
