*SPRYKER ADVISORY* Availability issue after DMCA takedown request against

Thomas Lehner

SPRYKER ADVISORY
Availability issue after DMCA takedown request against GitHub - codeitnowin/barcode-generator leading to dependency problem within Spryker repository GitHub - spryker/code-it-now
On April 21st, we discovered that deployments started to fail in development and CI environments because one of the project's common dependencies (codeitnowin/barcode-generator) became unavailable. Spryker barcode capability depends on this code.
Investigation into the cause of the unavailability revealed that a DMCA takedown request against this third-party repository prompted GitHub to restrict access to this repository.

Impacts
Normal operations of deployed production environments are not affected and will continue to work unchanged as long as no deployment is made.
For projects using the above module(s), because the affected dependency can no longer be resolved, deployment pipelines will fail.
If you are unsure whether you are using the above module, you can check your project’s composer.lock file for references to it. If that is not possible for you, the module is commonly used in the following business use cases:
• Shopping List - when a customer wants to print a shopping list
• Return Management - when a customer or a back-office user wants to print a return label
• Produce Information Management - inside Spryker back office via the Product Barcode page that lists the SKU with their barcode.
If you are using such functionality, please contact your solution partner or technical personnel so that they can help you determine if the affected module is used in your project.

Mitigation Steps
Spryker released a patch version 1.0.1 (https://github.com/spryker/code-it-now/tree/1.0.1) for the CodeItNow module that removed the dependencies impacted by the DMCA issue. The patch changes the functionality of spryker/code-it-now in the following way:
Existing Code128BarcodeGeneratorPlugin for the barcode generation will return a base64 image with a deprecation message: "Barcode generation temporarily unavailable.”
The printing Barcode feature will be mocked after integrating the patch into your project (providing a dummy picture instead of a working QR code).

While this will unblock deployments again, please note that the core functionality of the module will be removed until a replacement is found for it. If your project depends heavily on the original functionality, please consider holding back a release that would update the affected module to the latest version until a permanent solution is found.

Here are the steps to update the module:

Step 1
Execute on your dev machine composer update spryker/code-it-now.
Confirm that version 1.0.1 is installed now. If not, use composer why to check the reasons and resolve any blockers.
Ensure that you don’t have any other dependency on the codeitnowin/barcode library in your code. You can run composer remove codeitnowin/barcode if you have introduced this dependency yourself.

Step 2
After this step barcode image will be replaced with a dummy image with the message “Barcode generation temporarily unavailable.”
Run your tests, and check that the message is available in the barcode generating features.
Proceed with automated tests and deployments.
If your deployments should fail still or if you are having problems with the steps outlined above, please reach out to our support team via the Support or Partner Portal.

Alternative Workaround: Use Custom Barcode Generator
If you are dependent on the QR Code generator functionality and have a service for its generation available in your internal tech landscape already, you can implement an integration to the existing barcode generator service or implement a new service yourself.

For that you will need to implement a plugin for \Spryker\Service\BarcodeExtension\Dependency\Plugin\BarcodeGeneratorPluginInterface and return a BarcodeResponseTransfer that has coded image and its type (e.g. base64).
Coded image should be based on barcode data used by a BarcodeGeneratorPluginInterface::generate() method.

Long-term Solution
The Spryker team is looking into providing a solution to re-enable the Barcode feature’s functionality, and we will release another statement to be published on the Support-, the Partner Portal, as well as our Chat (this thread) in our Community Slack as a follow up to this note. We plan to provide an update on this matter via these channels until the end of CW17 latest.

Alberto Reyer

While the version number of https://github.com/spryker/code-it-now/releases/tag/1.0.1 indicates only a patch release, in reality it's a breaking change as it set's the minimum required PHP version to 7.4.
As even the demo shops are not yet 7.4 compatible (https://github.com/spryker-shop/b2b-demo-shop/blob/master/deploy.spryker-b2b-eu.yml#L46) I wonder why the minimum required version was set to 7.4.
Also the latest tag for the provided docker containers is still pointing to 7.3 (https://hub.docker.com/r/spryker/php).

For one of our projects this would mean an update to a newer PHP version, that will require a higher testing effort than I would expect for such a hotfix.

Unknown

PHP min version increase is never a breaking change.
This is common acceptance in PHP world.

You are always supposed to be way beyond the minimum, as for 7.3 this means since August 2021 on PHP 7.4+ as clearly communicated.
See also https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/supported-versions-of-php.html

Unknown

As for demoshops:
You are right, here we should have shown more due diligance in showing how to use 7.4+.
That didnt mean projects couldnt use 7.4+ - and many, if not most, did so on their own.
Master suite is reference here and shows that this was and is possible.
Demo shops are just a subset or trait of it and are updated so far only for product releases.

We plan on changing this after the next release, and provide more continues integration and updates for customers here, full transparency moving forward.

Unknown

https://api.release.spryker.com/release-group/4100
fully resolved and restores functionality for barcode topic.

Thomas Lehner

Spryker has released a permanent solution to the issue caused by the DMCA takedown of codeitnowin/barcode-generator by replacing the affected module spryker/code-it-now with laminas/laminas-barcode.
To integrate these changes into your project, please follow these steps:

Option 1: Use spryker/barcode-laminas as replacement for spryker/code-it-now
Step 1: Composer require the new module and update spryker/code-it-now
(optional, if module was used) composer remove spryker/code-it-now
composer require spryker/barcode-laminas:"^1.0.0"
composer require laminas/laminas-barcode:^2.8.0

Step 2: Replace CodeItNew in the BarcodeDependency Provider

In src/Pyz/Service/Barcode/BarcodeDependencyProvider.php replace
use Spryker\Service\CodeItNow\Plugin\Code128BarcodeGeneratorPlugin;
with
use Spryker\Service\BarcodeLaminas\Plugin\Code128BarcodeGeneratorPlugin;

Option 2: Updating and continue using spryker/code-it-now
If you want to use this option you will need to update to the most recent version of the module by running the following:

composer update spryker/code-it-now
composer require laminas/laminas-barcode:^2.8.0

Important: Option 2 is meant to be a temporary workaround to avoid additional work to be done. Please note that you will need to switch to spryker/barcode-laminas in the future and should plan to integrate Option 1 as soon as possible.

After these steps have been executed the past functionality should be fully restored.
Here you can find the official release group, as well as an example of the project changes to integrate the new module:
https://api.release.spryker.com/release-group/4100