Reproducible builds are a lot more valuable. They let downstream consumers verify that the package was actually generated with the documented sources and inputs.
That seems like an obvious vector for doing something behind your back.
I haven't really looked into what it entails in establishing an attestation for a CI-built package, though, but I thought the idea was that you will at least get a git commit id that will describe the work, and that the attestation says that that's the work that's been done?
Reproducible building would be useful for removing the need to trust GitHub. But then what do you need the builds for anyway, you would always need to build it yourself anyway?
As soon as you are giving free attention and mentoring to people unable to make a somewhat useful contribution, you are giving up even more of your life for free.
There are people who know how to pick appropriate issues and send PRs with test cases. It might be better to look for them than try to mentor ineffective contributors.
One needs to study on their own, use forums or get in touch in some other way that isn't a PR if they want help. Also, while studying the codebase, finding low hanging fruit is going to be easy. That's where everyone should start.
Am I being paranoid? Probably, but given recent history I don't think so. Would I ban them for that? Dunno, but it would be a consideration.
Either way, I don't find the decision to ban someone from contributing for that to be all that surprising.
This sort of contribution seems easy enough to review.
Dude cannot take a no. The lesson here is don't be annoying if you want people to work with you.
And, FWIW, cURL - who has been dealing with tons of faux-security AI slop - just recently posted about someone using AI to find 22 actual security issues in cURL, which was helpful. So even if it's AI, it's not necessarily even slop - you should evaluate the contribution on its own merits. Before AI, people opened garbage PRs to popular repos all the time that were unhelpful/noise, they continue to do so now, nothing has changed.
On the matter of curl yeah I've seen they got actual help that way. Here is the problem. If you are an open-source maintainer there is some proportion of good contributors (most) and some proportion of low-effort spammers (few). AI is a force multiplier for sheer volume. So the spammers all pick it up because they do not care about quality. It can be used carefully to good effect, true, but now your mix of incoming volume goes from "lots of good contributions and a little to spam" to "lots of good contributions and lots of AI stuff" with the latter being mostly slop.
So open-source maintainers with limited time do what all humans do: they fall back on heuristics and adopt a bias against AI output, because now dealing with the spammers on a case-by-case basis takes way more time and just tossing AI stuff becomes easier. Like all heuristics it is imperfect, and I don't know if it's the best way, but I get why they do it.
Even that takes time. So people resort to proxy signals and ban for "bad vibes".
No one should be using Lodash in 2025, it mutates your collections, use `ramda` (https://ramdajs.com/) instead.
Unfortunately, a lot of the early core existing packages have dependencies in lodash, or another packages that does so too.
But stating matter-of-factly that no one should use it because some of its well-documented functions are mutating ones and not functional-style, and should instead use one particular FP library out of the many out there, is not very cool.
Blocking someone for being annoying? Sure, whatever.
Blocking someone for trying to make a contribution even if it was unwanted? Seems excessive and unhealthy to me.
https://github.com/orgs/community/discussions/158850 https://www.reddit.com/r/developersIndia/comments/1akh9ll/a_...
etc etc etc
Github needs moderation, just like anything else with user-created content.
I am not in the tiniest bit surprised that sometimes moderation makes a mistake, whether human error or automated error.
I agree that banning people without prior communication is rude, but looking at OP's PR[^1], I tend to concur with lodash maintainers this time. The PR gets no description, no explanation, and no prior discussion or RFCs. It adds a totally new GitHub Actions pipeline, while lodash isn't even using GitHub Actions now. It contains various fixup commits that should be squashed. One commit has a super long subject that should be split up. OP here went straight to the top level to propose a brand new release workflow, but the lodash maintainers obviously didn't consider them to be ready for such contributions.
These are common mistakes every contributor would make in the beginning, and I don't think the maintainers meant it personal. As many other comments have pointed out, by choosing an easier task, getting familiar with the workflow, and building trust, OP can get their patch landed.
[^0]: https://www.mozilla.org/en-US/about/governance/policies/comm...
This is not the right way to contribute to a project. If I were the maintainer, I wouldn't engage with it either, just like I don't reply to spam emails.
Your spam detector is broken. It was opened by an account that's clearly human with more than 10 years of history. It was closed by the author themselves 2 hours after they opened it. It's got WIP commits that were clearly written by a human thinking through the process.
What about this reads as spam to you? They just forgot to fill the description portion of the PR
There’s too much AI spam out there right now.
Publishing ‘@provenance-labs/lodash’ as a test, I suppose. Ok. Leaving it up? Looks like spam.
Badgering the author an a private email? Mmm. Definitely not.
This isn’t a bug, it’s a feature. There’s a contributing guide which clearly says; unless a feature gets community interest, it’s not happening. If you want a feature, talk about it rouse community interest.
Overall: maybe this wasn’t the right way to engage.
Sometimes you just have to walk away from these situations, because the harder you chase, the more it looks like you’re in the wrong.
…it certainly looks, right now, like the lodash author wasn’t out of line with this, to me.
Lex Livingroom. If you are among friends you can surly criticize a sweater, but if you come barging in uninvited and criticize the same sweater, you're in for a bad time.
I sympathize with the OP, GitHub makes it outrageously easy to accidentally open an upstream PR when you meant to open one on your own fork, it's happened to me twice. But i don't blame lodash for blocking them.
Regardless, opening an issue about their release process obviously should have been done first.
OP simply pushed his personal opinion on how lodash (extremely popular library) should be deployed. Proceeds to get confused and upset when this is rejected.
I suggest to OP to work on his social skills.
But the issue tracker is so overwhelmed by slop, non-Latin scripts, and people who think their personal problems (or AI model problems) are the product's problems, that the employees have all but ghosted the issue tracker and PRs; it takes days or weeks for the maintainers (employees) to triage/respond/despam the Github issues list. And if the employees _do_ leave an initial comment on a community PR that multiple users on the issue tracker are begging to be merged, and the PR author makes the requested changes or solves the roadblock, then the team never responds, or takes months to respond. Meanwhile main branch marches on - PRs from the internal paid dev team do get merged often.
I have to imagine that there's a layer of internal politics (maybe VC funding related? dunno) at these companies that shifts more and more communication onto internal nonpublic platforms, to the point where the open-source community rarely gets updates beyond patch notes. It certainly can feel strange when you're on the receiving end of a ghosting. One has to remember that "open-source" does not necessarily mean "community".
> But the issue tracker is so overwhelmed by slop, non-Latin scripts, and people who think their personal problems (or AI model problems) are the product's problems
The internet used to have a community feel. But that is very easily destroyed by this kind of "dark forest" behavior; everyone learns that opening yourself to the world is opening yourself to attack.
This blog post existing points at the latter.
Depending on how you run your project, you might want to play along with that story regardless, to extract some value and make the whole thing a two-way transaction instead of a one-way one. That however requires there to be some significant value to be extracted or else you end up with a net negative.
It is however also possible to reject transactionality entirely.
___
What is interesting in this case specifically, is that the author did manage to extract value eventually. If not by being the savior of lodash, then by becoming the victim of lodash.
This might be another detail hinting at why whoever maintains lodash might've decided to react with a block and nothing else.
Further receipts for this read of the situation include the immense clout-to-effort ratio of the PR just adding a new GitHub action that "adds more security" and the Blogpost itself opening with the actual mission statement of "improving the ecosystem".
As the industry has grown a lot of practices around software engineering from FAANG have become more widespread (reviews, CI, linting, etc) but these were designed for professional team environments. They aren’t fundamental to writing programs.
I also think attestation is bullshit. It's what I would call "security theater" like paying $5 for a blue check mark.
Whether a package has this particular check mark has almost nothing to do with whether its security practices are sufficient to keep you safe. At that point the attestation check mark actually harms security by welcoming complacency where there is still not sufficient operational safely to justify complacency.
ecshafer•4mo ago
altbdoor•4mo ago
andrewflnr•4mo ago
ecshafer•4mo ago
petre•4mo ago