Check dependencies on open source libraries!

M.Sc. Chris Wojzechowski

With a high number of dependencies on open source libraries, unwanted problems can occur. As a recent incident shows, these need not be of technical origin; they can have human motives. The open source faker.js and colors.js libraries were intentionally tampered with by their own developer, Marak Squires.

Developers who rely on the libraries' features will have encountered numerous problems with the latest version. Specifically, reports mention loops and various other errors.

Millions go into open source library dependencies every day

faker.js, a library for generating demo data, is downloaded about 2.5 million times a week, so the potential impact is huge. Version 6.6.6 is no longer functional; anyone who rolls back to version 5.5.3 avoids the problems.

The situation with colors.js, on the other hand, is somewhat more critical. This code is accessed by 22.4 million developers every week, all to add colors to a JavaScript console. That is plenty of reach for Marak Squires' message: he apparently wants to draw attention to the ills of open source development, above all that complex software projects are provided and then used by wealthy companies without any monetary compensation.

Discussion about the sudden code change is mixed

Anyone following the discussion will quickly learn that there are two camps. Some would like to see more such actions, usually with the aim of creating a financial basis for funding open source projects. Others sharply criticize the action, pointing out that charitable projects suffer as well and small businesses are put in a bind.

Dependencies on open source libraries should be monitored and reduced

Including code that independent third parties can change at will is a risk. For this reason, companies that take information security seriously in particular should make monitoring and reducing such dependencies an explicit task.
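One concrete form of the monitoring recommended above, and of the version rollback mentioned for faker.js, is to check that dependencies are pinned to exact versions and that the lockfile does not resolve to a version known to be broken. The script below is an added example and not code from the article; the package.json, lockfile and blocklist entries are constructed for illustration (only faker 6.6.6 is a version the article itself names).

```javascript
// Added example: audit a package.json / package-lock.json pair for floating
// version ranges and for resolved versions known to be broken.
// Sample manifests and the blocklist are constructed for this illustration.

// Exact semver pin such as "5.5.3"; anything else ("^1.4.0", "~6", "*") floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Versions the article names as broken; a real list comes from your own tracking.
const BLOCKED = { faker: ['6.6.6'] };

function auditDependencies(pkg, lock, blocked = BLOCKED) {
  const findings = [];

  // 1. Declared ranges: a floating range lets a future release slip in unreviewed.
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT_VERSION.test(spec)) {
      findings.push({ name, issue: 'floating-range', detail: spec });
    }
  }

  // 2. Resolved versions: the lockfile (v2/v3 "packages" map) records what
  //    will actually be installed, including nested node_modules entries.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const bad = blocked[name];
    if (bad && bad.includes(entry.version)) {
      findings.push({ name, issue: 'blocked-version', detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample input: one pinned-but-broken dependency, one floating range.
const samplePackageJson = {
  dependencies: { faker: '6.6.6', colors: '^1.4.0' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/faker': { version: '6.6.6' },
    'node_modules/colors': { version: '1.4.0' },
  },
};

console.log(JSON.stringify(auditDependencies(samplePackageJson, sampleLock), null, 2));
```

Run against a real project, the script flags "colors" for its caret range and "faker" for resolving to 6.6.6; pinning to a reviewed version such as 5.5.3 clears both findings.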

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.