325 Million Monthly Downloads. One Unpaid Maintainer. They Came After Him.
One stray character broke the security of 400,000 dependent projects. The security industry and the press came after the man who fixed it. His response was blunt.
There is a small library called Starlette that most people outside backend engineering have never heard of. It runs underneath the most popular web frameworks in the world and most of the tools the AI industry rushed into production over the last two years. If you have called an AI model through an API today, your request almost certainly passed through it.
A security firm auditing a completely different project accidentally found a flaw in January. One ordinary request, one extra character, and the guard at the door waved a stranger straight through. It took no break-in and no password, just that one character.
The flaw had shipped back in 2018. More than seven years in plain sight.
Then the whole weight of it came down on one person. He keeps the code alive for free, in his spare time, after a day job. He had barely begun cleaning up a mistake that was never his when the security industry turned on him.
What he wrote back started a fight about who actually keeps the Internet safe.