EventSource
!!! MALWARE !!! broke production
commit de137927e13d8afac153d2485152ccec48948a7a
Hmm, I think it's a worthwhile fix. Where did you see malware here? 🇺🇦🇺🇦🇺🇦
Well, from what I understand, it's a piece of code that informs about the war in Ukraine if the user's timezone is set to a Russian one.
I think the author of this repo is free to decide what code he publishes. Be thankful that it's free.
@ilmerainen ah, yes, it's free, so the author holds no responsibility for it whatsoever
@uzervlad ah, yes, I think you can consider it as a feature and an additional goal of the library to resist evil in any way possible. One more time, it's not malware. The author of the library doesn't steal your money or mine crypto on your PC. Dude, it's called freedom. And it's cool. Why should the author of a popular library cater to someone else's interests? Why should the number of stars define the functionality of your library?
Why should the author of a popular library cater to someone else's interests?
Oh I wonder, maybe because it's their responsibility as a maintainer of a somewhat popular library?
@uzervlad haha, why do you think so? Give strong arguments, otherwise your words aren't worth anything. He doesn't have any responsibility. He can even remove all the code one day.
@vanilla-ice I guess you can close this one?
Also, it is not considered malware if you display information under certain conditions. As previously said, see it as a feature. Also, you are free to fork it and use your own version.
I guess not. I think other devs should be warned that after some timeout there will be an alert which stops JavaScript execution. If it is a feature, it would be great to document it.
Also, Intl.DateTimeFormat is not supported in all browsers, so it can crash in some browsers which may not even be in the timezones from the 'malware'. So I think there is reason to keep this issue open :-)
Has somebody filed a CVE yet? Whether you consider it malware or not, printing an unexpected console message is indeed a breaking change, and I'd have thought we all learned from node-ipc that protestware doesn't help any cause and causes more harm than good.
To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.
I can't even be bothered to write in English, and the issue starter obviously understands Russian better anyway.
So here is the question: @vanilla-ice, are you serious? MALWARE??? Since when is a plain println() malware? Nobody owes you a guarantee that the developers of the libraries you use will stay apolitical. It is the maintainer's legitimate right; it is even spelled out in the license for the most thick-headed: WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. Arm yourself with Google Translate and reread five times what the text of the MIT license means. Moreover: what actually happened? Did you (or anyone else) get your accounts hijacked? Maybe your computer got broken? Your terminal calmly, without deleting any files as in node-ipc, printed "fuck the war"; what came of that? The end of the world? Brandon deserves separate disrespect for node-ipc, BUT WHAT HAPPENED HERE? Did a friend of yours die because of it?
@Yaffle close the issue, smart alecks like this will never get the message anyway and will start a flame war of fifteen hundred comments here. We already went through this with GitLab.
@quenbyako Excellent! Lard to Ukraine, lard up the heroes' arses.
I consider it a feature....
Today it's a funny message, tomorrow it's
To those who were "offended", please don't forget that this is the beauty of the MIT license, as well as of several others:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Thus @Yaffle did nothing wrong and possesses a fully justified privilege to do whatever they wish with their own code.
This doesn't make them immune to criticism for showing that they're willing to surreptitiously introduce code that does unexpected and unadvertised things into their product. What's to say they won't wipe computers from Russia-based IP addresses in their next version?
People have a right to not have their dependencies randomly turn into malware.
@AceSevenFive, I agree. Here the author of the library sacrifices his reputation for what he considers important.
Open source: you can inspect before you install.
If you think any non-trivial organization is going to be recursively inspecting every single one of their dependencies every time they're prompted for an update, I have a bridge to sell you.
@Yaffle at least you're aware of precisely what you've obliterated :-(
At least you have the chance. It is an inherent problem of Node to have an unmanageable number of deps.
People have a right to not have their dependencies randomly turn into malware
...unless their right conflicts with the dependency author's right to do whatever he wants with his dependency. Then the latter has the ultimate power. Isn't this almost precisely what MIT license says?
By the way...
Malware
I call this activism. Author of this library demonstrated 2 modern issues: subjectivity of freedom of expression and the rotten state of modern bloated front-end dependency hell.
The MIT license will not save you from US cybercrime law (or really any cybercrime law in a Western country)
That the MIT license doesn't restrict the author's legal rights does not have any bearing on what is ethical, or expected of them by the ecosystem. Nobody's trying to sue or put in jail an author that does something like this.
That said, it helps the cause it's advocating for precisely zero, and if anything, harms it. Activism that furthers a cause is great; activism that doesn't is far worse than inaction.
I don't get the malware angle.
Cisco states:
Malware, short for “malicious software,” refers to any intrusive software developed by cybercriminals (often called “hackers”) to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware. Recent malware attacks have exfiltrated data in mass amounts.
Please give a definition of malware and why you think this applies here.
I don't feel that this is the case. If it made you feel better, I could open a "post factual" feature request.
@quenbyako where did you see a println there, you uneducated monkey?))) Run my replies above through a translator if you couldn't manage to read them in a language other than Russian; I explained everything there))
From Malwarebytes:
Malware, or “malicious software,” is an umbrella term that describes any malicious program or code that is harmful to systems.
Hostile, intrusive, and intentionally nasty, malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Like the human flu, it interferes with normal functioning.
The motives behind malware vary. Malware can be about making money off you, sabotaging your ability to get work done, making a political statement, or just bragging rights. Although malware cannot damage the physical hardware of systems or network equipment (with one known exception—see the Google Android section below), it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.
I'd argue that opening browser windows without user consent counts as "taking partial control over a device's operations."
Sigh...
@vanilla-ice
uneducated monkey
Seriously? Couldn't you come up with a smarter insult?
I deliberately reread the comments above twice. Making up fairy tales that "not all browsers support feature X" is digging yourself in even deeper, without understanding what the code published in the patch does. And it is very simple; there is no rocket science there.
Where did I see println? Oh, there it is! But you can reuse your signature monkey insult and say that it's an alert, not a println. In that case, yes, I will of course be defeated, since those are diametrically opposite things.
It seems there are two uneducated monkeys in this thread who can't tell opening a window plus an alert from genuinely malicious code.
Simple and dumb, that's the point. Did you find a println there? In the link you posted there is none; wash your face and wipe your eyes) Maybe you'll also say that alert doesn't stop JS execution?) Considering that this library is a polyfill for SSE, stopping JS execution hurts. But how would you know)
@vanilla-ice
Maybe you'll also say that alert doesn't stop JS execution?)
If it is EXCLUSIVELY this point that bothers you, then fine, maybe I'll get up a bit earlier tomorrow and fix the runtime stop. Just for you.
Good boy) Don't forget to document the new feature, since you're getting up early)
@vanilla-ice unbelievable, do you talk to your mother like that too?
@quenbyako I think you should report vanilla-ice's comments. You can do this from his profile (Block/Report link) with a screenshot/web link to this issue and comment.
I'd argue that opening browser windows without user consent counts as "taking partial control over a device's operations."
Especially since it's not a listed feature of the library, nor has a breaking change version been published to prevent unwanted install of this "feature".
The author just crapped on ordinary devs and users, and is happy about it. A typical Ukrainian.
@ljharb However, it's only your opinion that this activism doesn't have any impact. Inevitably this action will sow a seed of doubt in the minds of those who encounter it and who so far don't have an adequate position about it. There is no possibility to forecast the consequences of this activism.
@ilmerainen only for the brief window before there’s a CVE, and every dependent and business stops using the package, and any package the author has publish rights on becomes suspect. Sowing a seed of doubt is great, but this wont actually do enough of that to be worth it.
For those people who are showing off their Russian apoliticism:
Here is the website of the Russian FSS department that works with vulnerabilities in different projects (read: HackerOne with a flavor of propaganda and repression). Go on guys, send them an email saying that we found a traitor to the Motherland and they need to punish him. This parasite hacks your browser by using an alert call! Oooh, alert stops the JS runtime, the worst vulnerability! The Nazi traitor, the repo owner, must be punished!
@quenbyako it's enough if a potential user of the library pays attention to that commit and decides for himself whether to use it or not; everything else is your political fantasies)
@vanilla-ice dude, make up your mind: did you lie that you found malware, or did you lie that it's "enough" to find, in the middle of nowhere, your incredibly important issue in which you, like a knight on a white horse, warn the user?
Either take off the cross or put your pants on; you can't simultaneously put on a circus about malware and write "my little squawk on this is enough, now everyone knows".
It's a complex problem, but personally it's enough for me that it is visible rather than slipped in quietly)) It's MIT here; I can't insist that the author rewrite the code))
Apart from being malware that makes the program heavier, it shows false information and encourages people to read BBC News (a state-owned British online newspaper).
91% of Ukrainians fully support their president Volodymyr Zelensky and his response to Russia's attack.
Just 6,307,793 votes in the 2019 elections, according to Wikipedia, and 49.84% turnout. Ukraine had 42,153,201 inhabitants in 2019.
"The whole world condemned the unjustified invasion and decided to impose " + bold("sanctions against Russia never seen before")
This is not true.
"At the same time, " + bold("the Russian government is restricting citizens' access to outside information")
This is true, but I think that most people already know this.
@jorgesumle quite a narrow view from the Western world to count itself as most of the world. Fact is that most of the world does not care. No sanctions applied.
@jorgesumle
in the 2019 elections, according to Wikipedia, and 49.84% turnout.
Orly? And this paper is priceless shit. OK, got it. Pretty impressive that you argue this fact with 2019(!!!) stats.
This is not true.
Orly? And this paper is shit as well. Alrighty, got it bro.
I think that most people already know this
ORLY? YOU THINK? Yeah yeah yeah, you know everything, bro. You know that each Russian in each village knows that. Mhm, yeah.
Those stupid arguments are SO stupid that anyone can smash them by spending 2 seconds typing a Google search request. Stop disgracing yourself. Wanna be part of Russian propaganda? Cool, do it, but not in the devs community, please.
@michael-o
Fact is that most of the world does not care. No sanctions applied.
Fuck, dude))))
Orly? And this paper is priceless shit.
Nice link with fbclid parameter in the URL. I can't even access those websites:

Pretty impressive, that you argument this fact by 2019(!!!) year stats.
When the elections took place.
I think that most people already know this
ORLY? YOU THINK? Yeah yeah yeah, you know everything, bro. You know that each Russian in each village knows that. Mhm, yeah.
I said "most".
Those stupid arguments are SO stupid that anyone can smash them by spending 2 seconds typing a Google search request. Stop disgracing yourself.
Fuck, dude))))
What irony!
This is a horrible "feature". Software should be politically neutral. Given the fact that this library is usually a dependency of a dependency of a dependency of a dependency and so on and so forth, users who see these anti-war sentiments will have absolutely no idea where its coming from. To them it will look like its coming from the website or webapp that they're using, not some library that's buried in the dependency tree somewhere. Did you ever consider that before adding this?
People's lives are at stake; all this ranting is worth nothing. When the house is on fire, all this abstract talk is not applicable. This is an exceptional case. I bet you can't even imagine what it is like to not wake up one morning.
Why are you thinking in the box that "this is right and this is not". There are no right things. Who has the power is right. And I am very proud of the author's act. At least he has tried.
Ah, yes, the "the ends justify the means" excuse. Sorry, but I don't buy that. When I use your software or library I could care less about your political values. Your software/library does what I want, so I'm going to care about that a lot more than I would about what you politically believe in. Any other user would believe the same. This is not "abstract talk". This is the deliberate weakening of the chain of trust between a user and a developer, by the developer no less. It is not just about power. Power doesn't matter here. This is about the fact that your code should be politically neutral. Nobody who uses your code is going to give a damn about what you believe in politically. But go ahead, force your political beliefs onto all your users and insert malicious code into your software and see what happens. After all, your users totally won't be bothered when they pull in your code and release a project using it and then get complaints that their software is displaying anti-war banners all over the place and they can't figure out why. Yeah, a user totally isn't gonna care about that. Quit with your self-justifications. It does you no good. Perhaps we should have your operating system start displaying anti-war sentiments every time it starts, and we'll also have it lag for 20-30 seconds just to force you to read the whole thing. Oh and there's no bypassing it or anything; you have to sit there and read all of it entirely before you can actually use your computer. Yeah, I'm sure you won't complain about that. At all.
Anyway, it's obvious that you and those who agree with you only want to hear yes-men and others who agree with your stance, even though doing this is incredibly obnoxious and ridiculous. And violates the OSI definition too. So yeah, just keep hiding comments that disagree with you and coming up with excuses. It just proves my point.
Wow, you're even marking my comments off-topic even though they're perfectly on-topic for this particular issue. Now that's hilarious. Anyway, I'm leaving this discussion since it's obvious that any form of disagreement is disallowed and in order for my comments to be shown I must agree with you and co. Fine by me.
@ethindp How about you just fork the source. Remove the changes. Release your own version. Are you not capable of that? Then why are we discussing that with you anyhow?
@ethindp only comments asking to be outside of politics are hidden, plus the one where you are asking to hide your comment.
Politics is inseparable from every aspect of life, including software and technology. The issue here isn’t that politics was brought into it - it’s already here, and everywhere. It’s that this specific kind of action erodes confidence in the whole ecosystem, not just one package or author.
I’m firmly in support of the message, to be clear - just not this manner of delivery (because i don’t believe it helps).
@ljharb I disagree with you that it does not help. Communication is the only way we can change something without using forceful methods.
@smuellner Yeah, I could fork it, but I don't use the library. I'm just pointing out that though I agree with the message -- I am fully behind Ukraine -- this was not the way to go about things at all. @Yaffle I didn't ask for my comment to be hidden. @ljharb Precisely what I'm trying to say. As an end-user of a library (say, this one, or some library I found on crates.io, or the Go package registry, etc.), I do not care about the political leanings of the maintainer(s) or author(s) of that library. I care about what it does for me. The massive problems with doing things like this to deliver a political message include:
- npm has this very, very bad habit of making you end up pulling in like a few hundred deps for the simplest of things.
- It's not possible to "vet" every single npm dependency your project uses. The dependency growth is practically exponential at this point. The only way "vetting" works is if you explicitly look for packages with super small dependency chains, and you're willing to go through the process of iterating through each and every single one to ensure that you're not pulling in unwanted deps.
- If the above two reasons don't convince you, this one should: the likelihood of this political message reaching its intended audience is pretty slim. Even if it does, as I said previously, it's just going to cause confusion because people won't have any idea what dependency is causing the message to appear. That's for small teams -- maybe one or two developers. But if a big corporation is using this lib, there's a high probability that the message won't ever make it out of the development phase.
@smuellner How exactly does this help? If it causes a lot of headaches for end-user developers because a dependency does something that it shouldn't be doing, how is that beneficial to them? You're only making their lives more difficult by introducing unwanted behavior into your software, all to express to the world your political views. There are so many other better, more productive ways you could help. You could send cryptocurrency or money to Ukrainians. You could get a following on Telegram. I could go on and on. Putting a political statement in a library that only an ancient, out-of-date and no-longer-maintained product like Internet Explorer will ever actually need helps nobody. It also -- as I said before -- severely weakens the implicit contract between the developer and the maintainers/authors. When I use a dependency I trust that it's only going to do what it claims to do. Displaying anti-war banners (and other things like that -- in other words, doing something outside its remit, so to speak) violates that contract, and therefore damages the trust that I gave you. It makes me far less eager to use your library. Yes, I could fork it, but that doesn't mean that anyone else other than me will actually use that fork.
@ethindp
If it causes a lot of headaches for end-user developers
Found a problem in a dependency 👉 constrain its version in package.json to one published before this problem 👉 continue using this dep. What's the problem? Where is the headache?
And stop spamming comments, please. Github supports comment editing. 6 giant comments per day, you have nothing to do?
Following up on this, don't misinterpret my disdain for people turning their products into malware as support for Russia. Russia can still go fuck itself, I just don't want people acting unethically with their stuff.
I'm not gonna comment on what constitutes malware, but a polyfill's only job is to backport new APIs, so in its current state this repo can't really be considered a polyfill.
If you use yarn or npm in your projects and you don't want to see this message,
pin it like this with yarn in package.json:
"resolutions": { "event-source-polyfill": "1.0.25" },
Not sure about npm, but maybe this: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
Of course, this means that you will use the previous version instead of the current one, in all packages, even the ones in node_modules.
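As an added example (not from the commenter above or the EventSource project), here is the same pin expressed for both package managers in one package.json. The version 1.0.25 is the one the comment names; the yarn `resolutions` field and the npm `overrides` field (npm 8.3 or later, an assumption to check against your installed npm) both apply to transitive dependencies, which is what you need when the polyfill arrives through another package. The dependency name `some-dep-that-pulls-the-polyfill` is a hypothetical placeholder.

```json
{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "some-dep-that-pulls-the-polyfill": "^1.0.0"
  },
  "resolutions": {
    "event-source-polyfill": "1.0.25"
  },
  "overrides": {
    "event-source-polyfill": "1.0.25"
  }
}
```

After reinstalling, confirm the pin actually took effect with `npm ls event-source-polyfill` or `yarn why event-source-polyfill`: every occurrence in the tree should resolve to 1.0.25, and the lockfile should be committed so the pin survives on other machines and in CI.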
This definitely helps if you use this, or rely on dependencies that use this. For new users I'd recommend finding an alternative polyfill. There are a few on npm and you'll likely find one that is still being maintained true to its role as a polyfill.
hmmm. what is this? is this true?
It is. See this commit for proof: https://github.com/Yaffle/EventSource/commit/de137927e13d8afac153d2485152ccec48948a7a
How can this be malware? The code just opens a new window and redirects to a link.
Thanks
This is unexpected, undocumented behaviour and it erodes trust in the author. This is one of the more tame events in a series of protestware (malware with the intention of spreading propaganda protesting something) additions to NPM packages. The consequences to this one aren't that severe, just opening a link in a new window, but it's still behaviour you shouldn't be getting from a polyfill in any situation.
I understand now. Thank you for sharing
It is unfortunate that the author still does not believe that this behavior is unexpected, undocumented and abnormal and should be removed. There are better, more effective ways of sending the intended message, and this is not one of them.
@Yaffle Viktor, have you completely lost your mind? Who are you pulling these dirty tricks for? Who are you trying to reach? The soldiers? The 80% who support the war, who live with a toilet that is a hole in the floor and don't know what the internet or GitHub is? Or did you prepare this "little gift" for your fellow developers, who already have access to information anyway?
@RedHotHub RedHotHub, this little gift is especially for you.
@Yaffle you're just a small, cowardly person, a little shit who left Russia for a safe place and is pulling dirty tricks for who knows whom and for what purpose. Colleagues who stayed in Russia may have problems with the law because of the larva in your code. But you don't give a damn about them, right? A rabid dog that bites everyone indiscriminately in a certain timezone. Pleased with yourself?
(I don't use and never have used your crappy library)
@ljharb, Congratulations! I have removed it! Now I understand how I was wrong! Hate all of you!
@RedHotHub yes, you're right, I'm a cowardly small person, which is why I rolled back the change a week ago already. I hope those who used my pathetic library will update to the latest version. Sorry. I'm not pleased with myself. I hope nobody has problems with the law because of me.
https://github.com/Yaffle/EventSource/commit/ccf0883df5318b5f80a42d51144d5234cac6a6b5 adds more of it, so I’m not sure why this is closed.
I cannot delete it, I am so bad with git.
@ljharb thanks, now it is better!
@Yaffle Vitya, I too very much hope that nobody will have problems because of the not fully thought-through and irresponsible form of protest that you chose out of many other possible forms...
What passport do you have, by the way? Do you ever plan to return to Russia? Do you still have relatives or friends in Chelyabinsk who could have problems and, for example, face searches in a case opened under some newly invented modern article about mass appeals, fakes or discreditation?
@Yaffle I'm not sure why you're trolling the issue on top of vandalizing your own package, but https://diff.intrinsic.com/event-source-polyfill/1.0.22/1.0.29 clearly shows that the minified file contains way more changes than the unminified one.
You can certainly argue that printing a message isn't malware, but hiding code inside an obfuscated file very much is, regardless of what it does.
@ljharb, hm... I have deleted the minified version for simplicity, thanks.
Doing that, as you well know, is a semver-major/breaking change, so that's not a viable option either.
It would reflect far better on you to just refuse to remove the problematic code rather than jumping through these hoops to try to pretend you're doing the "right thing". The colors maintainer did precisely that - is that the path you really want to follow?
@ljharb, but 1.0.29 does not have the malware in the obfuscated code, unless it is so well hidden that I cannot see it. I am not hiding it; the npm package also should not have it.