
Give admin privileges to somebody else #39

Closed
bgswilde opened this issue Jun 27, 2023 · 5 comments

Comments

@bgswilde

It seems like @jonschlinkert is a busy guy without much desire to keep this thing up to date or respond to inquiries on this. The most recent PR #33 has several individuals who would put the care into ensuring that code in this repo is solid, secure and up to date. @jonschlinkert, please give somebody else privileges to merge pull requests for the sake of the 1400+ projects that depend on word-wrap and 29M+ weekly downloads.

@jonschlinkert, if you're going to reasonably say in your bio... "I've created more than 1,000 open source projects in an effort to reach my goal. Open source software takes a lot of time to create and maintain, and millions of projects now depend on my code." then be a help to others in the community who depend on your code by allowing others to aid in maintaining it if you can't maintain it yourself.

(I realize that this is a shot in the dark, just trying as many avenues as possible to get @jonschlinkert's attention)

@wellwelwel

wellwelwel commented Jun 28, 2023

An alternative would be to archive this repository and deprecate the word-wrap package, allowing dependent projects and users to move forward.

I mean this as a good thing, for example, the end of support at uglify-es allowed the birth of terser.

Once it's no longer possible to maintain support against vulnerabilities, I believe it's time to move on and be thankful for everything that @jonschlinkert and @doowb have contributed so far with word-wrap.

@jonschlinkert
Owner

Is this you @bgswilde? Looks like one of your 3 contributions was this issue.


  1. I did respond in the past week or so on that issue and was already planning on merging in the PR
  2. When I think of burnout, I think of issues like this one.
  3. These are my contributions this year.


@bgswilde
Author

Thanks @jonschlinkert! Glad I got your attention! All the best!

@wellwelwel

wellwelwel commented Jun 28, 2023

@bgswilde, I would like to show you a different angle.

The solution to this issue has existed since March 25th.
So let's focus on the solution.

The @aashutoshrathi's fork is a good alternative and you can use it from npm.


I came here because of the CVE-2023-26115 vulnerability from ESLint.

By a simple npm ls word-wrap, I noticed that the one who depended on it was the Optionator.

See: gkz/optionator#44

So, I just proposed the fix directly from Optionator.
Within minutes, every user of ESLint version 7 or higher had this issue fixed by performing an npm update.


What's the point?

In your projects that depend on word-wrap through some dependency, perform a simple npm ls word-wrap and map them.

Then, propose to them an alternative like:

Hi @_.

For now, I think the @aashutoshrathi's `word-wrap` fork is a good alternative, because it only changes a single fix focused on the vulnerability. In other words, it won't break anything.

You can compare the changes [here](https://github.com/jonschlinkert/word-wrap/compare/jonschlinkert:786ebf1...aashutoshrathi:87a3667) and see @aashutoshrathi's [npm package](https://www.npmjs.com/package/@aashutoshrathi/word-wrap).

Regardless, I see this as a temporary measure.

#### References:
* [🔒 fix: CVE-2023-26115 jonschlinkert/word-wrap#33](https://github.com/jonschlinkert/word-wrap/pull/33)
* [Give admin privileges to somebody else  jonschlinkert/word-wrap#39](https://github.com/jonschlinkert/word-wrap/issues/39)
  • It's just an example.

Thanks for your attention.

@bgswilde
Author

bgswilde commented Jun 28, 2023

@wellwelwel that's good stuff, thanks. In our instance, word-wrap is a nested dependency several deps deep and overriding is proving to be very difficult. We used the fork in a few places successfully where we could, but decided a couple months back that the work wasn't worth it in our more complicated repos until there's an upgraded word-wrap, so we got in touch with those dependencies and prioritized other work. Been checking in periodically ever since. Jon mentioned burnout in his response, which was a good chunk of why I brought this up. I can imagine he's got lots of other bigger priorities than this project, and long term maybe somebody else to share the load would be good for him. No disrespect at all to Jon, though given his response he might have taken some offense and felt the need to point out GitHub commits ¯\_(ツ)_/¯. At the end of the day though, he sees what's happening in this repo, so I closed this issue.
