2021 / Cloud Security / Management / Open Source / Risk management

Check dependencies on open source libraries!

Check dependencies on open source libraries!

With a high number of dependencies on open source libraries, unwanted problems can occur. As a recent incident shows, these do not have to be of technical origin, but can have human motives. The open-source faker.js and colors.js libraries were intentionally tampered with by Marak Squires, the developer.

Developers who have relied on the libraries’ features should have encountered numerous problems with the latest version. Specifically, there is talk of loops and various other errors.

Millions go into open source library dependencies every day

faker.js – A library for creating demo data is downloaded about 2.5 million times a week. The potential is huge. Therefore, version 6.6.6 is no longer functional. Those who go back to version 5.5.3 will be able to avoid the problems.

The situation with colors.js, on the other hand, is somewhat more critical. These pieces of code are accessed by 22.4 million developers every week. All this to add colors to a javascript console. Space enough for Marak Squires’ message: he apparently wants to point out the ills of open source development. This mainly involves the provision of complex software projects, which are also used by wealthy companies without providing monetary compensation.

You are currently viewing a placeholder content from Default. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information

Discussion about the sudden change de code is mixed

Anyone following the discussion will quickly learn that there are two camps on this front. Some would like to see more such actions. The overall goal is often to create the financial ground to fund open source projects. Others, however, sharply criticize the action, saying that charitable projects also suffer and small businesses are put in a bind.

Dependencies on open source libraries should be monitored and reduced

Including programming code that can be arbitrarily adapted by independent third parties is a risk. For this reason, companies that deal with the topic of information security in particular should dedicate themselves to this task.

Photo of author

Chris Wojzechowski

Mein Name ist Chris Wojzechowski und ich habe vor wenigen Jahren meinen Master in Internet-Sicherheit in Gelsenkirchen studiert. Ich bin geschäftsführender Gesellschafter der AWARE7 GmbH und ausgebildeter IT-Risk Manager, IT-Grundschutz Praktiker (TÜV) und besitze die Prüfverfahrenskompetenz für § 8a BSIG. Unser Brot und Buttergeschäft ist die Durchführung von Penetrationstests. Wir setzen uns darüber hinaus für ein breites Verständnis für IT-Sicherheit in Europa ein und bieten aus diesem Grund den Großteil unserer Produkte kostenfrei an.