André Staltz @andrestaltz
My comment on this incident, since Dominic is getting a lot of blame and I work closely with him.

1/ Yes, he made a mistake (of huge proportions), but you have to understand Dominic has 700+ packages and this one is just one more. Each package has several issues and comments.
2/ This means Dominic simply cannot afford *time* or *attention* for each tiny issue. Think about all the other tiny issues he has handled well so far, which have gone through unnoticed and (important!) unpaid. And he'll still get issues daily for years to come.
3/ He got an email that seemed trustworthy enough, then gave ownership. He didn't have time to exercise careful judgement; he probably had hundreds of other things to answer or build. The fact that he gave ownership meant that he *cared* at least enough to do a tiny action that seemed OK.
4/ Not caring would be doing absolutely nothing at all, and that's the case quite often, and OSS maintainers also get criticized for *that*. It's a really shitty job and no one pays you for it.
5/ Giving away ownership is a *common* action that Node.js authors like Dominic and Substack have done. E.g. see how the Leveldb project is run as an OPEN open source project. Also, recently Dominic gave me ownership of `noderify`.
6/ All of this is to say that you must understand what a modular-OSS maintainer's life looks like before placing the blame on them. The mistake looks horrible if you think that Dominic maintained *only* that package and nothing else. But that's not true.
7/ There are many other things to blame here. I wouldn't blame only one thing, but several agents *share* the blame:
- Attacker
- Original package author
- Devs who use unpinned versions
- npm and commitment to semver only
- Users/companies who don't donate but still demand
8/ But in particular, one thing that's usually ignored is the culture of publishing non-scoped package names and expecting maintenance. I started publishing mostly scoped names, e.g. @staltz/use-profunctor-state instead of use-profunctor-state github.com/staltz/use-pro…
9/ Either way, it's not simple before a hack like this happens, but it looks very simple after it happens, particularly if you have an outsider's perspective.