This security vulnerability was reported in October (https://hackerone.com/reports/712065) and there have been 2 PRs open for 2 months that fix this issue, but lodash hasn't had any releases for a year. There is essentially one (unpaid) person who has the power to release lodash, a library that a huge majority of reasonably sized JavaScript projects now depend on.
How should the open source community address essentially abandoned projects that have become critical in the ecosystem?