Open source maintainer pulls the plug on NPM packages colors and faker, now what

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • underscore

    JavaScript's utility _ belt

    It's both technical and cultural.

    Javascript is used on the front end. Front end devs obsess (or at least used to obsess) over download sizes. So you'd have crazy stuff like custom builds of Underscore (https://underscorejs.org/) with just the functions you wanted. Think manual sandboxing, if that makes any sense. You could get a package of Underscore with just map, filter and reduceRight, if you wanted to.

    Now, when Node came around, people wanted as much as possible to have the same libraries available on the front end, so the same obsession with size was carried over.

    Ergo the micro-milli-nano-packages they make.

    Now, about the technical solution to this. We have this, for well defined programming languages (read: statically typed ones, or dynamically typed ones with a clear structure).

    It's a linker. Tech from the 1950s.

    Link (include) just the stuff you want, "tree shake"/"remove dead code" whatever you don't.

    https://www.joelonsoftware.com/2004/01/28/please-sir-may-i-h...

    Java's largely to blame for this, Sun REALLY, REALLY hated stuff that could be hooked into any OS and wasn't portable, so they didn't provide a linker. Everything was supposed to be on their JVM and you were going to install their JVM everywhere (2 billion devices!!!) and to hell with small stuff or heaven forbid, including native libraries. Javascript followed (on top of the Java restrictions they added: dynamic, poorly defined language, that would have made linking with tree shaking really hard, anyway). .Net also followed.

    Almost 3 decades later we're trying to undo that damage.

  • SES-shim

    Endo is a distributed secure JavaScript sandbox, based on SES

    Fortunately the problem could become more tractable if something like SES / Endo takes off:

    "Endo protects program integrity both in-process and in distributed systems. SES protects local integrity, defending an application against supply chain attacks: hacks that enter through upgrades to third-party dependencies. Endo does this by encouraging the Principle of Least Authority. ... Endo uses LavaMoat to automatically generate reviewable policies that determine what capabilities will be distributed to third party dependencies."

    https://github.com/endojs/endo


  • faker

    A library for generating fake data such as names, addresses, and phone numbers. [Moved to: https://github.com/faker-ruby/faker] (by stympy)

    https://github.com/stympy/faker/ - Copyright (c) 2007-2010 Benjamin Curtis

  • faker.js

    generate massive amounts of realistic fake data in Node.js and the browser (by 9renpoto)

  • cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

  • colors.js

    get colors in your node.js console

    And yet it didn't have things like this:

    https://github.com/Marak/colors.js/commit/074a0f8ed0c31c35d1...



  • dmca

    Repository with text of DMCA takedown notices as received. GitHub does not endorse or adopt any assertion contained in the following notices. Users identified in the notices are presumed innocent until proven guilty. Additional information about our DMCA policy can be found at

    I didn't remember that particular legal complication, so thanks for prompting me to look it up. It seems that his argument was that Bukkit couldn't be distributed because it contained Mojang's proprietary code, but the fact that it also contained some of his code meant that he was a copyright holder for the purposes of the DMCA.[0]

    This seems like an edge case that wasn't anticipated by the DMCA, but I can see the argument that mixing GPL code with proprietary code is creating and distributing a derivative work, in violation of the GPL. Without proprietary code being present, though, I don't think a developer can DMCA takedown their own GPL software.

    [0] "As the Minecraft Server software is included in CraftBukkit, and the original code has not been provided or its use authorized, this is a violation of my copyright." https://github.com/github/dmca/blob/master/2014/2014-09-05-C...
