Also worth linking to his talk at FOSDEM, on which this is based: https://fosdem.org/2026/schedule/event/SUVS7G-lets_end_open_...

It works. It is hooked up to Stripe. You can upload your package.json and receive a fully cleanroomed set of dependencies to use yourself. It is up to you to determine whether this is a compelling product or a warning to those who care about FOSS.

I haven't spent too much time on it, so there's a good chance that I'm wrong, but it doesn't seem to be satire. I think that it's merely depressing and predatory, or depressing and predatory because it's a cynical sales pitch - a conversion funnel - that conflates what could be deemed to be real risks (supply-chain attacks etc.) with major exaggerations. They probably worked with a PR agency to devise this approach and thought that is was a very clever way to capture attention of this exact community - which it may very well be if it spurs a heated discussion and people end up mentioning their brand name and visiting their site.

To be clear, engineers should not be required in the least to "maintain mental maps of which packages are safe and which will detonate their employer's IP strategy" simply because in the vast majority of cases they're not co-owners of that business or that strategy. That is overstated and intentionally misleading, I suspect. AGPL obligations depend on how software is combined and distributed or network-served, not on some magical "contamination" event from merely touching a package.

Rhetoric through and through, in my opinion.