The dark side of burned-out programmers
The story of a dead repository
I admire developers who do open source. It helps every developer. But sometimes the maintainer goes on a long vacation, is burned out, or has even died. What do you do then?
Take, for example, this pull request: https://github.com/dominictarr/rc/pull/121
Hey @dominictarr, apparently after some years the community really needs your help :) Do you think you can merge this PR and release a new version?
- Sphinx
Multiple developers asked for a simple merge. This is how the maintainer replied.
Hey everyone! Sorry to have bad news, but I'm not gonna merge this. I'm gonna use this issue to point out the bigger problems with the way we do open source, for burnt out maintainers everywhere.
I'm burnt out and I haven't even written any code in months.
This is not actually a problem with my code, it's a dep. ini could backport the fix. Then the reported thing would go away without me doing anything.
I don't care about this.
This is a false positive. It will be nearly impossible to actually turn this into an actual attack. This is a configuration loading library. If an attacker can write new configuration files into user space you've probably been owned anyway. But there is some tool like npm audit that's saying this is a problem, but it's not the real problem.
This is not an isolated issue. I am sure there are many other cases where another ex-maintainer has a module that needs a trivial update. npm should have a way to override the dependencies of sub deps. I think that's the real solution that needs to happen here.
If you still really want me to merge this, I'll do it for $300 USD. You should be able to find me by email on TransferWise. My email is in the package.json of this module. I am hoping that this will create a viral shit storm. Probably loads of open source consumers will be outraged, good. I know that actually open maintainers will back me. PS: going away for the weekend and I won't look at this issue until Monday. When I see a transfer into my account I'll merge it.
OK, I get his point: this dependency tree is a nightmare. However, we would expect some time to prepare. He could also add a new maintainer or propose a solution. Blocking other people by refusing to merge a pull request that someone has already prepared is just wrong.
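The "override the dependencies of sub deps" the maintainer asks for is, as an added note that is not part of the original post or of the rc project, what the `overrides` field in package.json does in npm 8.3 and later (Yarn has the equivalent `resolutions`). The consuming app's name and the ini version below are placeholders, not the real fixed release of ini:

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "rc": "^1.2.0"
  },
  "overrides": {
    "rc": {
      "ini": "PATCHED_INI_VERSION_PLACEHOLDER"
    }
  },
  "//": "added example: the override above forces the ini that rc pulls in, without waiting for a new rc release"
}
```

After `npm install`, `npm ls ini` shows which installed version rc now resolves to, and `npm audit` reports on that installed version rather than on the range declared by rc.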
What do you think about it?