Ask HN: Someone has committed 20K+ LoC to a PR, exhausting my CI & AI workflows

4•zacian•5mo ago

Hi HN, I'm maintaining an OSS project, and someone raised a PR a few days earlier, and since then, 20K+ LoC has been added to the PR. There are two new accounts, but they lack details on how to contact them, only providing usernames.

PR: https://github.com/srbhr/Resume-Matcher/pull/497

Accounts: 1. https://github.com/lololop67 2. https://github.com/ririyoungG

I've also found out from the PR that they're hosting the project somewhere, without any data disclaimer. Since this project is an AI resume builder, the accounts hosting the project can easily extract private data, such as phone numbers, emails, and addresses, and use it for malicious purposes, scams, etc. And that's what I'm more worried about. :(

I never intended to paywall this project. My goal was to provide a local first alternative to some online resume builders, and the accounts are doing the exact opposite, and they've hosted it at: https://gojob.ing/

I've tried commenting on the PR about the features they're working on, but I haven't received any replies so far.

What am I supposed to do here?

Comments

akkad33•5mo ago

Close it?

zacian•5mo ago

Yes, I've done that. Tried reaching out to those accounts again, but still no response.

franky47•5mo ago

Close the PR, and if they open a new one, block them from the org.

There is a setting to prevent PRs from recently created accounts, you might want to turn that on too: https://docs.github.com/en/communities/moderating-comments-a...

zacian•5mo ago

Thank you, I've done this. I've discovered that many such repositories have been hit by spam and commits that inject RCE or Adware in the name of contributions.

Patt_•5mo ago

just close it

zacian•5mo ago

Done

dv_dt•5mo ago

You probably want to turn on manual approval for running ci on external prs

jjice•5mo ago

As much as it's great to have a fully automated process, sometimes a thin audit layer is worth it's weight in gold. Seems like the volume on this repo wouldn't be too bad in this case.

zacian•5mo ago

> sometimes a thin audit layer is worth it's weight in gold.

Yes, 100%

zacian•5mo ago

Yes, I'll set that up and establish some rules for communicating your change and contribution to the project.

zacian•5mo ago

[Update]: Surprisingly, both accounts are either gone or have changed their usernames. The closed PR has been deleted and is no longer available.

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge

Arcan Explained: A browser for different webs

What did we learn from the AI Village in 2025?

An open replacement for the IBM 3174 Establishment Controller

The P in PGP isn't for pain: encrypting emails in the browser

Show HN: Mirror Parliament where users vote on top of politicians and draft laws

Ask HN: Opus 4.6 ignoring instructions, how to use 4.5 in Claude Code instead?

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI

AUR malware scanner written in Rust

Free FFmpeg API [video]

Are AI agents ready for the workplace? A new benchmark raises doubts

Show HN: AI Watermark and Stego Scanner

Clarity vs. complexity: the invisible work of subtraction

Solid-State Freezer Needs No Refrigerants

Ask HN: Will LLMs/AI Decrease Human Intelligence and Make Expertise a Commodity?

From Zero to Hero: A Brief Introduction to Spring Boot

NSA detected phone call between foreign intelligence and person close to Trump

How to Fake a Robotics Result

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge

Arcan Explained: A browser for different webs

What did we learn from the AI Village in 2025?

An open replacement for the IBM 3174 Establishment Controller

The P in PGP isn't for pain: encrypting emails in the browser

Show HN: Mirror Parliament where users vote on top of politicians and draft laws

Ask HN: Opus 4.6 ignoring instructions, how to use 4.5 in Claude Code instead?

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI

AUR malware scanner written in Rust

Free FFmpeg API [video]

Are AI agents ready for the workplace? A new benchmark raises doubts

Show HN: AI Watermark and Stego Scanner

Clarity vs. complexity: the invisible work of subtraction

Solid-State Freezer Needs No Refrigerants

Ask HN: Will LLMs/AI Decrease Human Intelligence and Make Expertise a Commodity?

From Zero to Hero: A Brief Introduction to Spring Boot

NSA detected phone call between foreign intelligence and person close to Trump

How to Fake a Robotics Result

Ask HN: Someone has committed 20K+ LoC to a PR, exhausting my CI & AI workflows

Comments