State and governance of the project?

[yvele]

---

Edit: The project still is alive, some other contributors like @slowcheetah have permissions for the project to keep going, see #767 (comment) 👍

Full summary of project governance here #767 (comment) 👍

---

Looks like @zloirock the author and main maintainer of the project will be will be unavailable for some time 1.5 years.

Sources: #767 (comment), #757 (comment), #747 (comment), #548 (comment)

What exactly is the state of the governance of this project?

The JavaScript community should be a bit concerned because @zloirock looks like to be the "only" maintainer. Does somebody else have admin privileges to write on this repo? Publish on npm and make this project not to die?

Or the only way is to "wait" for someone to fork this repo? Maybe someone from @babel (poking @nicolo-ribaudo and @danez 🤷‍♂). Looks like @babel doesn't have bandwith to fork this project.

A huge open source project (25M weekly downloads) like this should be maintained by more than a single person 🤔

Any clues on the future of this project?

PS: I don't know your personal story @zloirock but I'm grateful for your amazing work on this project.. hoping everything will be fine

Edit: This project is dead, see #767 (comment)

[ashpr]

@zloirock Making himself the only maintainer was extremely poor handling of such a well used repo.. but I can't say I'm surprised. He's been extremely protective of it.

I think, in time, this project may need to be forked.

[yvele]

@nicolo-ribaudo ryanelian/ts-polyfill#4 (comment)

Babel maintainer here 👋
We are probably not going to fork core-js because we don't have enough resources to maintain it.

🤷‍♂

[eiji03aero]

I bet this will be the SPOF of the year for js ecosystem

[orliesaurus]

This could potentially be bigger than left-pad's controversy. As the package maintainer & owner is MIA and seems to be for a while...

[joshxyzhimself]

Need to update babel docs if we ever move to another repo

[MichaelZaporozhets]

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

[Suvitruf]

Why instead of discussing this repo future you are talking about this accident? It's irrelevant and will not help to solve the issue.

[slowcheetah]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

[simskij]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

Sorry for finding this highly unlikely (given how restrictive zloirock seems to be with permissions), but could you please provide some kind of proof for this claim? Like, adding a notice in the readme.

Edit: Proven 👍

[em92]

@simskij
@slowcheetah merged this: #771

[simskij]

@simskij

@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

[em92]

Btw, @slowcheetah, you can edit issue message by yourself.

[scottarc]

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

[tom-sherman]

I would like to urge everyone to try not to discuss @zloirock personal life in this issue, it's really not the forum for it. This is an important conversation about the maintenance of a critical JS dependency, we don't want to lose relevant comments in the noise. Thanks 🙂

[simskij]

To keep the discussion focused, maybe @slowcheetah could even hide all comments focusing on @zloirock's personal life (including this one)?

[simskij]

How that big project can be still a private repo? shouldn't it be cared by some js foundation?

In my opinion, it would feel pretty lousy to make such a decision without the core maintainer being present to weigh in.

[MichaelZaporozhets]

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

I’m not saying it’s up to the maintainer to necessarily disclaim potential risks- rather, an automated t-shirt sized risk assessment for dependency by github would be a neat feature.

I also strongly disagree that risk necessarily reflects inversely on quality... I’m confident a lot of the oss stuff I use for my private/personal projects would probably be a high-risk in an enterprise environment, but that’s fine. Right tool for the right job, etc.

Anyway, this is off-topic, I’m really just advocating for stronger governance around a project that is so important to everyone.

[yumetodo]

There are simple questions:

1. When enough money is provided, contributors can continue to maintain core-js?
2. Is it still suitable to use Open Collective or Patreon to give money to contributors?

[sheerun]

Currently he is the only administrator on Open Collective so distributing funds from it is probably not possible

[jmackay-io]

I disagree a lot with the "risk rating" requests outlined here. Just publicize the administrators of public repositories and let people decide for themselves. Not that it would have mattered in this case because this painted a perfectly clear picture.

I think the real culprits are the Babel team because they definitely knew this was a high-risk project, and they still forced millions of consumers to add it as a dependency. Even if individual developers identified core-js as risky, there's nothing most of them could have done about it.

[yvele]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

@simskij
@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

Issue description updated. Is that good enough?

[IanKemp]

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

Or... or - developers could do some due diligence and risk assessment themselves before just pulling in every random JS library that comes across their radar.

A bizarre concept in JS land, I know.

[brodybits]

#548 (comment)

The idea of anyone owing so much money or going to prison just for an accident sounds ludricous (ridiculous) to me. I wonder if there is any way we could find some help for an appeal.

[brodybits]

I think it is up to the dependents to upgrade to the latest version, which seem to be cleaned up.

[5HT2]

Yes, it would be nice of him to be able to get back up on his feet after spending 1 and a half years in prison, before going to which he spent 6 months without a job maintaining an open source project for free.

[MKRhere]

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

[yvele]

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

Let's wait for the next release to be published on npm and then I'll be comfortable closing this issue.

When you have a look at the releases you can see that only @zloirock was in charge of publishing them.

On npm the only collaborator is zloirock 🤷‍♂

In the meanwhile I'm not confident that this project is going well regarding governance...

[yvele]

@slowcheetah are you able to inform us on the governance strategy?

• How many people have GitHub and npm permissions on this project?
• What kind of permissions? Administrative privileges?
• Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
• Is there a "leader"? Someone that can handle the architecture vision of the project?
• This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

[slowcheetah]

@slowcheetah are you able to inform us on the governance strategy?

• How many people have GitHub and npm permissions on this project?
• What kind of permissions? Administrative privileges?
• Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
• Is there a "leader"? Someone that can handle the architecture vision of the project?
• This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

• Only me an @zloyrock have npm permissions
• All privileges
• Yep. I have contact with @zloirock, but it is "delayed" because carantine situation now.
• I will try to dive in project but now i can't say that i am "leader". I am "support". There is some chance that within a few months @zloyrock himself will have access to the project.
• I no have direct relation with @babel. I have nothing to say

I am diving in project now. if @zloirock will not have direct access to the project, I will discuss disputed issues with him and try to do further support and development of the project.

Next week I hope to talk with him about the current bugfixes and come to the conclusion whether a new version is needed now.

[yvele]

Thanks you @slowcheetah 🙏 I think we all have enough informations... And I think I can close this issue now 🤔 if you agree of course. Issue edited.

[mattlubner]

I think this thread needs to be locked. The conversation looks like its (again) spiraling downwards, in the direction of frustration at the log messages.

Look, we all have opinions on the log messages. This isn't the place to discuss them, and frankly, if you're bothered by them (like I am), then put that energy into a more productive form of dissent (such as championing a solution). We're a creative bunch, so I have confidence we as a community can think of ways to address the systemic problem of developers needing support for their OSS efforts. No one is actually helped by the collective complaining that's happening throughout the GitHub issues for this repo.

Keep the thread on-topic. The questions seem resolved, so let's move on to other things.

[zloirock]

Holy shit... Apparently, it's time for me to think for whom I make core-js and why.