The problem with projects that have NPM dependencies is the ridiculously fast pace at which the packages keep updating. The JavaScript / Node world has a unique way of creating and depending on tiny community packages, so the number of dependencies even in a small project can be enormous. Using automated services like Dependabot only takes you so far; you still need to weed the projects manually from time to time.
About the colors / fakerjs incident
The Node community got reminded once more about this problematic situation when the maintainer of the colors and faker libraries decided to publish malicious versions of the packages as a political statement. NPM has had experience with this since the leftpad incident, so they swiftly reinstated the original package. GitHub assumed the user account had been hacked because the user's behaviour was abnormal, so they locked the account, and that immediately got mixed reactions in the community, as people thought GitHub was somehow censoring the author. This led people to call for boycotting GitHub and to look for more decentralized solutions for code hosting.
People familiar with the author soon pointed out that he had previously voiced concerns multiple times about big corporations using his (open sourced) work for free. This led people to blame the situation on the lack of sustainable monetization in important open source projects.
Meanwhile, others pointed out that the author had also been struggling with mental issues for a long time without getting proper help. He had also recently been posting some far-out conspiracy theories and stuff like that on his social media profiles. I believe the root cause of this incident stems from here but is much deeper and more complex.
Things like QAnon are fuelled by a combination of broken things: a healthcare system that doesn’t work, a society that is so afraid of difficult discussions that it rather censors inconvenient facts than allows discussion around them, and a serious case of woke mentality / tall poppy syndrome that totally suffocates any meaningful discourse around touchy issues. These kinds of issues cannot be solved with technical solutions or any single magic bullet — we need to fix the deep issues within our society instead.
Published My Docker Base Images
I’ve been developing and using my own Docker base images for a while now. I decided to publish them as open source, and last week I added a new image for testing in CI as well. The current images cover Django projects using Postgres and PostGIS services, plus the new image that adds preinstalled Node as well (to make CI builds go faster).
The images are built upon great work by the awesome RevSys team, who also added a missing LICENCE to the repo only minutes after I asked Jeff about it. Great job!