Will It Vibe logoWill It Vibe?
SCA-005High severity-15 points

colors.js / faker.js maintainer sabotage (npm, 2022)

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Flags manifest pins of colors@1.4.1 or faker@6.6.6, the versions the original author deliberately sabotaged (infinite-loop garbage output / gutted library) as a protest.

Why it matters

In January 2022 the original author of colors.js and faker.js deliberately sabotaged both of his own widely-used packages: colors 1.4.1 enters an infinite loop printing garbled ASCII instead of coloring terminal output, and faker 6.6.6 was gutted down to a near-empty stub. Any project that auto-updated to these versions broke in production without any external attacker involved -- it's the same practical risk as a compromise (an unreviewed update changes what your dependency does) even though the motive was a protest, not theft. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.

How to fix it

Pin colors to a version other than 1.4.1 (the widely-used community fork "@colors/colors" is a common replacement) and faker to a version other than 6.6.6 (the community-maintained "@faker-js/faker" fork replaced the original project). Reinstall and confirm your app still builds and colors/fake-data generation still work.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks