'Faker' npm Library Gets New Home After Dev Throws in the Towel

January 18, 2022 By Ax Sharma

4 minute read time

Last week, the maintainer of two massively popular npm libraries sabotaged ‘colors’ and pulled his code from ‘faker’, breaking thousands of projects that rely on these libraries. ‘Colors’ alone has over 19,000 dependents on NPM and has been downloaded over 3.4 billion times as of today. And ‘faker’ has been retrieved 272 million times from the npm repository, with over 2,500 dependents. 

The Faker ‘Endgame’

In the change made to ‘faker’ version 6.6.6, the library’s maintainer Marak Squires added a commit titled “Endgame,” referencing the late programmer Aaron Swartz who died by suicide.

Screenshot of the faker commit

Screenshot of the faker commit

Similarly, the npm homepage of the package was also altered with the same message by the maintainer:

Screenshot of the faker npm homepage

Screenshot of the faker npm homepage

Faker, meet faker!

For all the world could understand, ‘faker’ was abandoned by Squires, who had previously written about the challenges associated with monetizing open source projects.

In the blog post available on archive.org, the developer described how he had planned on offering a ‘Faker Cloud’ subscription-based service to fund the project, but that the effort didn’t reach fruition.

Screenshot of the former Faker Cloud homepage

Screenshot of the former Faker Cloud homepage

Despite having been abandoned by Squires, it seems ‘faker’ is here to stay. Just a few days after the colors and faker sabotage incident, I got a message from an open source developer and now one of the maintainers of the ‘faker’ project, Jessica Sachs.

It seems the functional versions of the popular ‘faker’ library have been forked and are being maintained by a new team at fakerjs.dev. The GitHub repo associated with this forked project is called faker-js/faker, whereas a new scoped project has also been released on npm: undefined (https://www.npmjs.com/package/undefined).

Faker’s forked project lives at undefined on npm

Faker’s forked project lives at undefined on npm

While Squires still maintains ownership of both ‘faker’ and ‘colors’, the sabotaged versions of ‘colors’ have been removed by npm. And it seems this newly maintained Faker replica is gaining traction fast:

 

Fostering Faker

I cheekily asked Jessica what the chances are of this project fork also going rogue and being sabotaged. I was told the new team behind the initiative comprises a group of seasoned open source contributors.

“We’re recognized by the Open Collective as the successors to the project and have been working with them every step of the way to do what’s right for the community,” said Sachs. “I’ve written up a statement on behalf of the Faker team explaining the situation and where we stand.

The statement goes over some of the commonly asked questions with regards to faker’s transition, how will it be funded moving forward, and concludes with a positive note:

“We're excited to give new life to this idea and project. This project can have a fresh start and it will become even cooler. We felt we needed to do a public announcement because of all of the attention the project received in the media and from the community. We believe that we have acted in the way that is best for the community.”

We may not have yet cracked the larger puzzle on how to support the open source community and popular projects like Log4j. But at least we have a real-world case of a famous and significant open source software project rescued just in time!

Tags: npm, Open Source

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.