Russia’s invasion of Ukraine has spilled over into the developer space, with a well-known npm maintainer adding “protestware” as a dependency to a very popular package.
Security vendor Snyk is tracking what it says is a vulnerability and a supply chain security incident, involving the Peacenotwar NPM package.
the peacenotwar was written and published by npm maintainer Brandon Nozaki Miller, also known as RIAevangelist, Sparky, and Electric Cowboy, and the world’s first licensed professional electric motorcycle rider.
Miller wanted the module to be “protestware”, to reflect people’s opposition to the war.
“This code serves as a non-destructive example of the importance of controlling your node modules.
“It also serves as a non-violent protest against Russia’s aggression that threatens the world right now.
This module will add a message of peace to your users’ desktops, and it will only do so if it doesn’t already exist just to be polite,” Miller wrote in the module’s description.
Snyk said almost no one downloaded the npm package until it was added as a dependency by Miller to the node-ipc module from versions 9.2.2 and 11.0.0.
Node-ipc provides fast inter-process communication services over UNIX sockets and popular Internet data transport protocols.
Snyk called the peacenotwar dependency for node-ipc a dangerous act on Miller’s part, noting that he manages over 40 other npm packages with hundreds of millions of downloads.
“How does this impact the maintainer’s future reputation and participation in the developer community?
“Would this maintainer be trusted again not to follow through with future acts in such actions or even more aggressive actions for any projects in which he is involved?” Snyk wrote.
Snyk added that the incident illustrates the impact of nested dependencies, which can reach key ecosystem projects.