On Being Blocked from Contributing to Lodash
8 hours ago
- #npm
- #security
- #open-source
- The author's GitHub account was blocked from contributing security improvements to the lodash project.
- The author was exploring ways to improve supply chain security in the JavaScript ecosystem, focusing on package provenance.
- Package provenance lets consumers verify how a package was built, confirming it was published from a CI/CD pipeline rather than uploaded directly to the registry in a way that bypasses CI/CD.
- Despite the ease of adding provenance, adoption is low among top npm packages, including lodash.
- The author attempted to contribute by creating a PR for lodash to add provenance but faced challenges replicating the exact build process.
- After closing an initial PR, the author was blocked from further contributions or communication with the lodash maintainers.
- The experience highlighted the importance of gauging maintainer interest before investing time in contributions.
- Open source maintainers don't owe contributors anything, and enthusiasm doesn't always translate to accepted contributions.
- The author learned to start with an issue to discuss changes before proceeding with a PR to avoid wasted effort.