Have you considered taking over npm-run-all in npmjs.com?

[k2snowman69]

First, thank you for creating a fork of such a massively used project and keeping it up to date! The importance of you being willing to do that work is massive, so thank you!

To help with adoption, I was curious if you had at all considered just taking ownership of npm-run-all completely? I don't mean get access to the Github repository, I mean take ownership of write access to npmjs.com for npm-run-all. I bring this up because npm-run-all is still getting ~2 million weekly downloads and being able to inject your updates directly there would help all those consumers who haven't found your fork yet.

I did this for a repo a while ago and effectively it's the same process as filing a naming dispute: https://support.github.com/contact/npm-name-disputes . My takeover went as follows:

1. Contact npm support effectively saying the repository has had no support for 5 years and that you'd like to take it over
2. They responded with instructions to reach out to the owner or if no response in a few weeks, npm support will step in
3. Reply to the owner and npm support asking for write permissions
4. In my case, owner was happy to transfer rights and once responded npm support transferred it for me.

Overall because the original owner responded quickly, it took less than 2 days to complete everything.

[bcomnes]

I've performed this process in the past, however last time I attempted a year or so ago I was told that this is no longer an option due to security concerns.

When was the last time you were able to work through this with npm support?

I have mixed feelings on this. For name squatting and obviously dead and unused names, it would be cool to get those back into rotation and I'm definitively bummed this is no longer possible.

For abandoned packages with many daily downloads, it would be nice to get security updates to these users. On the other hand, this process opens up a temptation to entryist types who are looking for a way to lord over a captive audience in a completely different way than the users originally signed up for (sounds weird, but it happens).

From an individual perspective, forking and maintaining abandoned packages is essentially the same amount of work as taking over an existing package lineages (in fact its easier, because there is less of an expectation to maintain under missing leadership and you don't need to ask for permission). The downside is that by default, less people know or care about it. The upside is that there is a clear breaking off point, for the maintainers and the users.

I think the real solution here would be npm implementing an 'alternative to' feature where modules could advertise their forks or alternatives on packages that haven't seen an update in over a year. Second to that, renovate has a suggested replacement feature which many people found this package with. Maybe dependabot could implement something similar.

In the case of mysticatea, I've attempted to contact him over the course of 2-3 years and he's non-responsive. I respect his decision to not focus or respond to inquiries about is past work, and instead carried it on in a way that I hoped someone would.

In the meantime, I really just think people with obviously rotting deps and dozens of warnings are probably just going to have to live with their indecision until they do some simple research on their situation.

[k2snowman69]

Last time I did this was in 2021 so new restrictions definitely could be added since then

I have mixed feelings on this. For name squatting and obviously dead and unused names, it would be cool to get those back into rotation and I'm definitively bummed this is no longer possible.

Agreed

For abandoned packages with many daily downloads, it would be nice to get security updates to these users. On the other hand, this process opens up a temptation to entryist types who are looking for a way to lord over a captive audience in a completely different way than the users originally signed up for (sounds weird, but it happens).

I'll give an alternative here... npm could do a better job of notifying. Similar to the "deprecated" tag having a "unmaintained" message where if you don't "publish at least once a year" or something you get that message. This would push a lot of owners who are sitting on high value names to probably get back involved or hand it off so that their name doesn't get associated with unmaintained code.

In the case of mysticatea, I've attempted to contact him over the course of 2-3 years and he's non-responsive.

Was he non-responsive or tell you that he was no longer focusing on that package? Either way, it sucks if the user is non-responsive that npm just gives up and doesn't offer a way to take ownership any longer. I get the security issue that comes with that, however there's an existing security issue of not maintaining packages. Just one of those could cause legal liability to npm and the other does not.

[voxpelli]

We ended up with an alternative path with making it so that Renovate would suggest moving to this fork instead of staying at the old one: https://github.com/bcomnes/npm-run-all2/issues/118

That's an approach that could maybe be extended beyond Renovate and integrate into other tools as well

[bcomnes]

Last time I did this was in 2021 so new restrictions definitely could be added since then

Yes, unfortunately they shut this avenue down.

npm could do a better job

Yes, but the best we can probably do at this point is not wait for npm on features we need.

Was he non-responsive or tell you that he was no longer focusing on that package

Non-responsive unfortunately. This is okay, and people should plan for it. One's life is a non-renewable resource and I have complete respect for ones decision to take this approach.

Going to close for now since I don't think there is anything I can do but I appreciate the discussion. Feel free to re-open or make new issues if there is more to discuss.