Ask HN: Someone has committed 20K+ LoC to a PR, exhausting my CI & AI workflows

4•zacian•5mo ago

Hi HN, I'm maintaining an OSS project, and someone raised a PR a few days earlier, and since then, 20K+ LoC has been added to the PR. There are two new accounts, but they lack details on how to contact them, only providing usernames.

PR: https://github.com/srbhr/Resume-Matcher/pull/497

Accounts: 1. https://github.com/lololop67 2. https://github.com/ririyoungG

I've also found out from the PR that they're hosting the project somewhere, without any data disclaimer. Since this project is an AI resume builder, the accounts hosting the project can easily extract private data, such as phone numbers, emails, and addresses, and use it for malicious purposes, scams, etc. And that's what I'm more worried about. :(

I never intended to paywall this project. My goal was to provide a local first alternative to some online resume builders, and the accounts are doing the exact opposite, and they've hosted it at: https://gojob.ing/

I've tried commenting on the PR about the features they're working on, but I haven't received any replies so far.

What am I supposed to do here?

Comments

akkad33•5mo ago

Close it?

zacian•5mo ago

Yes, I've done that. Tried reaching out to those accounts again, but still no response.

franky47•5mo ago

Close the PR, and if they open a new one, block them from the org.

There is a setting to prevent PRs from recently created accounts, you might want to turn that on too: https://docs.github.com/en/communities/moderating-comments-a...

zacian•5mo ago

Thank you, I've done this. I've discovered that many such repositories have been hit by spam and commits that inject RCE or Adware in the name of contributions.

Patt_•5mo ago

just close it

zacian•5mo ago

Done

dv_dt•5mo ago

You probably want to turn on manual approval for running ci on external prs

jjice•5mo ago

As much as it's great to have a fully automated process, sometimes a thin audit layer is worth it's weight in gold. Seems like the volume on this repo wouldn't be too bad in this case.

zacian•5mo ago

> sometimes a thin audit layer is worth it's weight in gold.

Yes, 100%

zacian•5mo ago

Yes, I'll set that up and establish some rules for communicating your change and contribution to the project.

zacian•5mo ago

[Update]: Surprisingly, both accounts are either gone or have changed their usernames. The closed PR has been deleted and is no longer available.

We Scanned an AI Assistant for Security Issues: 12,465 Vulnerabilities

Amazon no longer defend cloud customers against video patent infringement claims

Show HN: Medinilla – an OCPP compliant .NET back end (partially done)

How Does AI Distribute the Pie? Large Language Models and the Ultimatum Game

Resistance Infrastructure

Fire-juggling unicyclist caught performing on crossing

Restoring a lost 1981 Unix roguelike (protoHack) and preserving Hack 1.0.3

GPS and Time Dilation – Special and General Relativity

Show HN: Witnessd – Prove human authorship via hardware-bound jitter seals

Show HN: I built a clawdbot that texts like your crush

Scientists reverse Alzheimer's in mice and restore memory (2025)

Compiling Prolog to Forth [pdf]

Show HN: Cymatica – an experimental, meditative audiovisual app

GitBlack: Tracing America's Foundation

Horizon-LM: A RAM-Centric Architecture for LLM Training

We just ordered shawarma and fries from Cursor [video]

Correctio

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

Free Trial: AI Interviewer

FDA intends to take action against non-FDA-approved GLP-1 drugs

Supernote e-ink devices for writing like paper

We are QA Engineers now

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

Show HN: Poddley.com – Follow people, not podcasts

Layoffs Surge 118% in January – The Highest Since 2009

Papyrus 114: Homer's Iliad

DicePit – Real-time multiplayer Knucklebones in the browser

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

We Scanned an AI Assistant for Security Issues: 12,465 Vulnerabilities

Amazon no longer defend cloud customers against video patent infringement claims

Show HN: Medinilla – an OCPP compliant .NET back end (partially done)

How Does AI Distribute the Pie? Large Language Models and the Ultimatum Game

Resistance Infrastructure

Fire-juggling unicyclist caught performing on crossing

Restoring a lost 1981 Unix roguelike (protoHack) and preserving Hack 1.0.3

GPS and Time Dilation – Special and General Relativity

Show HN: Witnessd – Prove human authorship via hardware-bound jitter seals

Show HN: I built a clawdbot that texts like your crush

Scientists reverse Alzheimer's in mice and restore memory (2025)

Compiling Prolog to Forth [pdf]

Show HN: Cymatica – an experimental, meditative audiovisual app

GitBlack: Tracing America's Foundation

Horizon-LM: A RAM-Centric Architecture for LLM Training

We just ordered shawarma and fries from Cursor [video]

Correctio

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

Free Trial: AI Interviewer

FDA intends to take action against non-FDA-approved GLP-1 drugs

Supernote e-ink devices for writing like paper

We are QA Engineers now

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

Show HN: Poddley.com – Follow people, not podcasts

Layoffs Surge 118% in January – The Highest Since 2009

Papyrus 114: Homer's Iliad

DicePit – Real-time multiplayer Knucklebones in the browser

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

Ask HN: Someone has committed 20K+ LoC to a PR, exhausting my CI & AI workflows

Comments