Developers use their open source projects as a way of expressing a political position. In particular, they add faulty code or protest messages to the latest versions of projects that are widely used in the applications of many organizations, and even deliberately break functionality without documenting these changes in advance. When an application receives the updated version of the project, the newly added code runs without its users expecting it.
Recently, the developer of the event-source-polyfill npm package used it to protest to Russian users against the military operation on the territory of Ukraine. According to Bleeping Computer, on March 17 of this year, a Russian developer under the pseudonym Yaffle added an interesting piece of code to his popular event-source-polyfill library.
This library is designed to implement existing JavaScript functions in browsers that do not support them. This makes it very popular: event-source-polyfill is used by more than 135 thousand GitHub repositories and is downloaded 600 thousand times a week from npm.
The recently released version 1.0.26 of the library forces applications that use it to display anti-war messages to users in Russia 15 seconds after launch. Almost four weeks after the release, this version is still available on npm and GitHub.
This is the third time this year that developers have used their open source projects to protest. In January, the sabotage of the colors and faker libraries by their creator potentially “broke” thousands of production applications using them, and the destructive version of node-ipc released last month deleted all data from users’ hard drives in Russia and Belarus.
However, the case with event-source-polyfill differs from the previous two, since the new version of the library does not cause any harm, and even recommends using reliable sources of information that can be accessed via Tor.
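A dependency audit for the release named above, as an added example that is not from the article or the library's author: it checks a parsed package-lock.json (the nested v1 layout and the flat v2/v3 layout) for event-source-polyfill 1.0.26, including transitive copies, and lists watched packages whose package.json range is not an exact pin. The sample lockfile, the manifest and the names example-app and example-dashboard are constructed, and the function names are hypothetical.

```javascript
// Added example: the watchlist holds only the release named in the article.
const WATCHLIST = new Map([["event-source-polyfill", ["1.0.26"]]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (the root project) -> null
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Every install in a parsed package-lock.json that matches the watchlist.
function findFlagged(lock, watchlist = WATCHLIST) {
  const hits = [];
  const check = (name, version, path) => {
    if ((watchlist.get(name) || []).includes(version)) hits.push({ name, version, path });
  };
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name) check(name, meta.version, path);
    }
  } else { // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Watched packages whose package.json range is not an exact pin, so an
// install without a lockfile may resolve to a newer release.
function floatingSpecs(manifest, watchlist = WATCHLIST) {
  const exact = /^\d+\.\d+\.\d+$/;
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  return Object.keys(deps).filter((n) => watchlist.has(n) && !exact.test(deps[n]));
}

// Constructed sample: every entry below is made up for the demonstration.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "0.1.0" },
  "node_modules/event-source-polyfill": { version: "1.0.25" },
  "node_modules/example-dashboard": { version: "2.3.0" },
  "node_modules/example-dashboard/node_modules/event-source-polyfill": { version: "1.0.26" },
} };
const SAMPLE_MANIFEST = { dependencies: { "event-source-polyfill": "^1.0.25", "example-dashboard": "2.3.0" } };

console.log(findFlagged(SAMPLE_LOCK), floatingSpecs(SAMPLE_MANIFEST));
```

In the sample, the direct dependency resolves to a different version and only the copy nested under example-dashboard is flagged, which is why the check walks the whole lockfile rather than reading package.json alone.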