Is this package still active?

[catsalive]

There's an alpha release for this package from 9 months ago, is this package still active?

[dead-horse]

@alexmingoia can we transfer this project to https://github.com/koajs and we can maintain it together?

[ZijianHe]

Hi all, I've taken over the project and will start maintaining it after 11st February.

[jcao219]

Thank you Zijian.

[yi-ge]

Zijian，希望此项目越来越好。💪

[catsalive]

Thank you sir!

[imcotton]

Hi all, I've taken over the project and will start maintaining it after 11st February.

@ZijianHe first of all thank you for taking the maintaining responsibility, some questions:

1. Will you going to have the total control over the NPM publishing? (i.e.: npm owner ls koa-router)
2. Why it's not ending under the Koa.js org?
3. Who are you?

[fl0w]

@alexmingoia Thank you for your work with this library, and a hearty welcome @ZijianHe!

With koa-router being a significant lib used in Koa's ecosystem @alexmingoia, I'm not a distrusting person at all but as responsibilities creep up I'd like to respectfully ask how you arrived at the decision to pass over the package to @ZijianHe?

From a security standpoint it is a bit hard to evaluate this based off of @ZijianHe's history. And sincerely, I'm trying really hard not to offend anyone but I felt the question had to be asked.

Edit My bad, I had completely missed the "for sale" commits, which I saw just now.

[rarkins]

https://news.ycombinator.com/item?id=19156707

[alexmingoia]

Let's set the record straight.

• The Koa organization did not write, maintain, or ever help with this package. I wrote it. I maintained it, with help from people who reached out to me directly (and actually contributed code).
• @ZijianHe offered to maintain it, and I agreed to let him maintain it. I know him, and my personal life is not anyone's business. I don't have a relationship to the koa organization. I don't know them. Furthermore, @niftylettuce has repeatedly in emails to npm asserted that ZijianHe is Chinese, despite this having nothing to do with anything, or even knowing whether ZijianHe lives in China. Chinese developers have contributed more to this repository than anyone from the Koa organization. This kind of racial scaremongering or guilt by association is not acceptable. Its offensive. Let's be very clear: Developers from any ethnicity and nationality are welcome to contribute to open source.

[crobinson42]

Roger that @alexmingoia - just because you think ONE person is discriminating doesn't mean the rest of the concerned people who adopted this library of the years of it growing in REPUTATION is not a valid security concern and that everyone is racially motivated in their concern. ENOUGH SAID on that.

I'd like to thank you for your effort and the wonderful package, koa-router. When any npm package grows in downloads, it's building a reputation. That reputation was built on you maintaining the package. When a new maintainer comes in after you advertise "selling" the package, it's immediately a concern that someone with zero reputation then takes over a package that so many have and are trusting based on the previous reputation - in short, you cannot buy reputation.

So, I think the record is this: you sold a library and the new maintainer has no reputation in OSS, at least that has been published or is available to the public OSS community.

WE ARE SIMPLY CONCERNED - incidents like the event-streams maintainer injecting malicious code into a very popular package are what cause these types of concerns. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

[niftylettuce]

Someone may want to lock this thread for discussion.

Also to set the record straight since @alexmingoia is not telling the truth.

To clarify things for the community:

1) No, they (Chinese developers) have not contributed more. You revoked access from @jbielick who was #2 contributor to the package behind you. He messaged me in Slack today that he received zero notification from you and simply received a notification from NPM that he was removed access from the package. You removed his access completely from NPM.

2) My email to you prefaced the concern of the China-based user with "completely unknown" and "To an outsider". Here's the original email to clarify it for people viewing this from an incorrect context:

Hi Alex,

Thanks for your work in the open source community.

I am curious, since the project is open source, if you will be transparent as to the transfer of the koa-router repository and NPM ownership to a completely unknown user "ZijianHe" to the community.  Was there a monetary transaction?  Why did you choose him?  Why not transfer to the KOA org?

To an outsider, this is all a huge red flag, as an unknown Chinese GitHub user suddenly has full control of a NPM package with 130K weekly downloads and is used by major corporations.

3) I did not "repeatedly" assert that. I stated the word "Chinese" one time. One time is not "repeatedly". I would share with the community your response to my message, but I am not going to do so.

[int64ago]

The transaction should be agreed by all contributors!

[ZijianHe]

Hi all. I am the one who took over the repo. Thanks for some of you guys reaching out.

I haven't been contributing to open source projects before so I don't have too much public information on my Github account.

Thus I think it would be a good opportunity for me to join the open source community by maintaining the koa-router project.

I will start reviewing PRs and getting rid of issues after I finish going thru the code.

Any suggestions are welcome

[niftylettuce]

Thank you!!

On February 14, 2019 3:02:37 AM UTC, Zijian He notifications@github.com wrote:

Hi all. I am the one who took over the repo. Thanks for some of you guys reaching out.

I haven't been contributing to open source projects before so I don't have too much public information on my Github account.

Thus I think it would be a good opportunity for me to join the open source community by maintaining the koa-router project.

I will start reviewing PRs and getting rid of issues after I finish going thru the code.

Any suggestions are welcome

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/ZijianHe/koa-router/issues/494#issuecomment-463468328

[crobinson42]

@ZijianHe Hello and welcome! What projects are you using koa-router in, if you're willing to share? What peaked your interested in purchasing koa-router vs. simply contributing via PR's or even other libraries?

[ZijianHe]

@crobinson42 I use it with koa like most people. My projects are commercial so it would not be proper to share the code publicly.

It sometimes could be passive to simply contributing via PR to whatever repos. One can see for this repo there are 15 PRs lying there for very long time and the contributors must be very upset.

Purchasing it is just a way to put myself to an active position to make it easier to push things forward

[ljmerza]

Thank you for your initiative to push this repo forward. I'm sure you're getting a lot of hate but any person taking such an important project over would have. I think it came down to how quietly and quickly this transaction tried to be done instead of out in the open ... On an open source platform of all things.

[jdrydn]

Immature chinese developer comments aside (sigh 🤦‍♂️), the fact the project was "sold" to someone with a quiet public profile, no introduction from the original author, an offer to add it to the @koajs organisation ~being ignored~ not discussed and contributor push access being revoked without warning... none of these are nowhere near acceptable for a widely used 5-year-old open-source dependency 🙌

[HcgRandon]

All of you complaining that this was unacceptable is laughable. Do you pay alexmingoia's bills?

You are using a open source project, provided as is, by someone in their free time. Stop installing random dependencies for every little thing and you won't have to deal with these kind of issues.

That being said. Alex could of handled this much more delicately. While I don't use this package myself it would of been nice to of seen a discussion between contributors or maybe even adding it to the koajs org as stated by jdrydn.

The project being sold to a user with a default profile picture definitely feels a little sketchy.

[niftylettuce]

I think this thread can be locked now. Enough people. We have resolved the situation.

On February 15, 2019 2:54:55 AM UTC, HcgRandon notifications@github.com wrote:

All of you complaining that this was unacceptable is laughable. Do you pay alexmingoia's bills?

You are using a open source project, provided as is, by someone in their free time. Stop installing random dependencies for every little thing and you won't have to deal with these kind of issues.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/ZijianHe/koa-router/issues/494#issuecomment-463887240

[ZijianHe]

locked as suggested