
Project Dead? Does it need more maintainers? #128

Open
OffensiveBias-08-145 opened this issue Mar 9, 2023 · 5 comments

Comments

@OffensiveBias-08-145

Is this project dead?
Are there not enough project maintainers? @indutny Do you see a need for them within this project?

There are a number of PRs and Issues that have had no activity or have stalled progress. (Some even from a couple years ago)
Additionally, there are also some deviations from RFCs that need to be/have been addressed in PRs (Ex: RFC 5753, RFC 6598...)

No one can expect indutny to spend hours on an open source project because it is a dependency for theirs.
They have a life.

That being said there needs to be steps taken to ensure the future of this project:

  • A selected set of active package maintainers to keep this package up-to-date and improve upon it as standards/best practices change.
  • A formalized CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md

I am by no means the correct person for that.
There are more qualified people with more time than I have currently.

But whoever has the time and wants to help with maintaining this package, please speak up.

@indutny
Owner

indutny commented Mar 9, 2023

I'd be happy to give contributor bits and npm ownership to a person who has a track record of maintaining some packages with reasonable download count. Thanks so much for raising this topic!

@alexporto2200

Hey!
Is anyone helping you with this project? I was worried about some issues and saw that they are no longer accepting PRs. I would like to help in some way.

@taylorjdawson

This is now more important than ever. Someone needs to get in and fix this SSRF attack vulnerability

@DevBrent

This is now more important than ever. Someone needs to get in and fix this SSRF attack vulnerability

To be fair, if your only means of protecting unsecured or vulnerable local resources from being accessed is a thin veil of node-ip, this sounds like a much bigger institutional problem with the software depending on this.

Does no one use AWS Security Groups? If you know you have potentially vulnerable or intentionally unauthenticated local services why would you use policies like GCP's default-allow-internal? Does no one understand their attack vectors?

Concerning that anyone is panicked about this one.

@x3cion

x3cion commented Feb 13, 2024

To be fair, if your only means of protecting unsecured or vulnerable local resources from being accessed is a thin veil of node-ip, this sounds like a much bigger institutional problem with the software depending on this.

I'm not panicked, but I can tell you that many IT projects do dependency checks as a first line of defense (e.g. npm audit). Being a base package to over 3k packages, this issue is blocking a lot of people. That's why the pressure is so high. I don't want to know how many are silently subscribed to #136, just to see when it's fixed. :)
