
It broke a ton of other people’s projects, on purpose. You can argue that he could have done much worse — say exfiltrating all of the AWS credentials from CDK users – but there’s no definition where it’s not an abuse of trust to sabotage your users.

https://github.com/aws/aws-cdk/issues/18322



Nobody had to upgrade. Anyone who accidentally upgraded because their dependencies had sloppy programming practices should be mad at their direct dependencies.

aws-cli should not be an attack vector, and if it is, AWS engineers are at fault.


This is a terrible argument. Marak didn't have to purposely break anyone's projects either. If he wanted to end it, he should have just sent a goodbye message stating the end of his involvement and walked away. This is the normal thing to do. If he wanted to be paid, he should have either picked the appropriate license at the beginning, or just changed it for future versions. The latter has also been done before with SugarCRM being one example. They are still around with paying customers. Something as free for all as the MIT license sends the wrong message.

This has been posted before, but Marak seems to be mentally unwell right now, which helps explain but doesn't condone his behavior.

https://abc7ny.com/suspicious-package-queens-astoria-fire/64...


I don't know what makes you want to try to gaslight people on marak's behalf but this is a pretty poor attempt at doing so. He published a deliberately broken update with a non-breaking version number change to a package management ecosystem where the community expects to follow a semver-ish model where point updates do not break things. This is an abuse of trust, just like it would be if you said “I'm tired of cooking for everyone so I'm going to spit in the soup before serving it”.


But you didn't have to go to that restaurant! Don't you do a full health and safety inspection of every restaurant you visit (and of their entire supply chain)?


Up-thread there is a comment that the Major on the semver was updated. Which is correct? Was it Major or Patch number?

Edit to Add: According to this page https://www.npmjs.com/package/faker

The previous version was 5.x.y and the endgame version was 6.6.6

So, which tools defaulted to magically bumping the dependency from 5.x.y to the 6.x.y? Seems like jumping a major shouldn't automatically happen.


I'm not sure what they said specifically but https://security.snyk.io/vuln/SNYK-JS-COLORS-2331906 and https://snyk.io/advisor/npm-package/colors show that the version went from 1.4.0 to 1.4.1.

Edit: your comment makes more sense now that I see it was talking about faker.js.


aws-cli, a tool which provides access to an absurd amount of resources (compute, storage, text messaging to name a few) relies on "community expectation of semver-ish adherence" for security and continual operation, and I'M the one gaslighting people?


You meant CDK (aws-cli is written in Python) but it’s not that simple: they shipped a lock file which pinned 1.4.0 but while NPM honors that the popular yarn package manager does not:

https://github.com/aws/aws-cdk/issues/18322#issuecomment-100...

This floating behavior allowed for it to be overridden locally:

https://github.com/aws/aws-cdk/issues/18322#issuecomment-100...
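The lockfile-versus-range point in the comment above, worked through as an added example (not code from the thread, the CDK project, or any package named here): a minimal semver matcher that shows why a caret range lets a pinned 1.4.0 float to 1.4.1 once the lockfile is ignored, while the same range refuses a 5.x to 6.6.6 jump. The version lists are constructed, and the real `semver` package covers far more syntax than this.

```javascript
// Added example modelled on the thread, not code from the projects it names.
// Minimal semver matcher for exact pins, "~" and "^" only (the real `semver`
// package handles far more), plus a resolver that picks the newest published
// version a range admits: what a tool that ignores the lockfile would install.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a range; null for an exact pin.
function upperBound(op, [maj, min, pat]) {
  if (op === '^') { // must not change the leftmost non-zero component
    if (maj > 0) return [maj + 1, 0, 0];
    return min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  }
  return op === '~' ? [maj, min + 1, 0] : null; // "~" admits patch bumps only
}

// True if `candidate` is admitted by `range` ("1.4.0", "~1.4.0", "^1.4.0").
function satisfies(range, candidate) {
  const m = /^([\^~]?)\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const base = parseVersion(m[2]), cand = parseVersion(candidate);
  const hi = upperBound(m[1], base);
  if (!hi) return compare(cand, base) === 0;
  return compare(cand, base) >= 0 && compare(cand, hi) < 0;
}

// Newest version in `published` that `range` admits, or null if none does.
function resolve(range, published) {
  const ok = published.filter(v => satisfies(range, v));
  return ok.length ? ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop() : null;
}

// Constructed registry state modelled on the two incidents discussed above.
const published = { colors: ['1.4.0', '1.4.1'], faker: ['5.5.3', '6.6.6'] };
console.log(resolve('^1.4.0', published.colors)); // 1.4.1: the caret admits the patch bump
console.log(resolve('1.4.0', published.colors));  // 1.4.0: an exact pin (or an honoured lockfile) does not
console.log(resolve('^5.5.3', published.faker));  // 5.5.3: the major bump to 6.6.6 is refused
```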


Ah yes, the classic "you're holding it wrong" defense.



