How should open source support critical dependencies?

Question

In something slightly similar to the infamous leftpad issue, many NPM builds started failing yesterday because 'npm audit' now reports a security vulnerability for lodash. lodash is currently in use in over 7 million Github repos, and it's nearly impossible to use NPM without some transitive dependency that depends on lodash.This security vulnerability was reported in October (https://hackerone.com/reports/712065) and there have been 2 PRs open for 2 months that fix this issue, but lodash hasn't had any releases for a year. There is essentially one (unpaid) person who has power to release lodash, a library that a huge majority of reasonably-sized javascript projects now depend on.How should the open source community address essentially abandoned projects that have become critical in the ecosystem?

hannob · Accepted Answer

The ability to fork and gain control if necessary is one of the main reasons one wants open source in the first place. So fork it.Other than that: I find the microdependency / mass dependency trend in NPM very irritating. As a rule of thumb I think you should be able to know at least roughly all your dependencies + transitive dependencies and take some care that they're healthy projects. If you can't name them all - you probably have too many of them.

benologist · Answer

I saw a great suggestion the other day -
> The npm ecosystem needs something like the distinction between Ubuntu's "main" and "universe" repositories, so that you have a smaller subset of known-good packages with harmonized transitive dependencies, stronger centralized curation, a lot more direct scrutiny, tighter control over versioning, and some party that is responsible for addressing vulnerabilities and ensuring appropriate maintainership.
https://news.ycombinator.com/item?id=23680734

evolve2k · Answer

Establish an initiate like &lsquo;Ruby Together&rsquo;> Ruby Together is a grassroots initiative committed to supporting the critical Ruby infrastructure you rely on.> Your financial backing allows Ruby Together to pay expert, professional developers to work on improving critical infrastructure projects.> The Ruby Together board of directors, elected by members, selects the most impactful projects to fund.> Ruby Together publishes monthly updates showing progress and our proven results.It brings together companies and individuals concerned about stability and health of the ecosystem, provides a aggregated place to do high impact sponsorship of the ecosystem and the elected board then sets about making a detailed workplan and working out the best distribution of funds.One dev on lodash? Discuss its importance; offer the dev funds to keep things up-to-date and if not them, have the resources to work out another way.Check out their early reports to get a better idea of the initial refactoring work they did within the ecosystem.https://rubytogether.org/

ddevault · Answer

The approach embodied by package managers like npm - but also Python, Go, and others besides - is fundamentally broken. The software maintainers should not be the sole point of failure in publishing their package.The approach used by distributions is much, much better. Having a separate team of people responsible for packaging up software is a much better approach. This would allow the security patches to get in, help enforce a sane baseline of packaging standards, prevent the introduction of malware, and have someone accountable whose interests align more with downstream than upstream.

bjourne · Answer

Good question! One Python example is docopt. It is a very well-liked command line parsing library but haven't seen any maintainer activity in two years. https://github.com/docopt/docopt But people don't realize that so they keep filing bug reports and submitting pull requests.
There is a docopt-ng package here: https://github.com/bazaar-projects/docopt-ng But users haven't found it yet. And sadly, there is no guarantee that the new maintainer won't also lose interest and abandon the project.
Definitely not an ideal situation. Yes, you can fork but how do you get visibility? How can the developer announce to the community that he or she wants to maintain the software?

MattGaiser · Answer

Really there just need to be more people involved in open source. The web is being built on the unpaid contributions of a few and when they don&rsquo;t have time or mess up due to being rushed, piles of things collapse.I suspect if a human resource audit of open source were done, there would be surprisingly few people involved in the maintenance of these things.

codegeek · Answer

I think companies with deep pockets need to step up a bit. I mean if anyone at FAANG etc are using packages like lodash, they should ideally team up and create some type of a funded group/co-op that funds these libraries and their maintenance and removes dependency from one person. You cannot just "charity" the way out of these situations.

zzo38computer · Answer

I mostly try to reduce dependencies, both direct and indirect, regardless of the programming language in use.

pacifika · Answer

Fork it? The better solution is to use less dependencies. Or in this case write JavaScript the browser can execute today, not to standards that might not be implemented tomorrow.Or work with a paid version of npm if you&rsquo;re app is business critical.