jaydenseric / graphql-upload

Middleware and a scalar Upload to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
https://npm.im/graphql-upload
MIT License

Replace unsupported busboy version with fastify fork #287

Closed Uzlopak closed 2 years ago

Uzlopak commented 2 years ago

Hi,

We forked busboy and fixed two critical bugs in the package, which could cause the node process to crash or to hang. We also improved the performance and added some new features. It does not have breaking changes, so it is a drop-in replacement for busboy. We have a code coverage of about 95%.

https://github.com/fastify/busboy/blob/master/CHANGELOG.md https://github.com/fastify/busboy https://www.npmjs.com/package/@fastify/busboy

for tracking reasons: https://github.com/fastify/busboy/issues/68

j commented 2 years ago

@Uzlopak why fork such a popular project, fix critical bugs, then not try to get those "upgrades" into upstream?

Uzlopak commented 2 years ago

Hi

mscdex just updated busboy. So maybe you want to upgrade busboy. You are not forced to switch to our fork.

The reason we forked was simply that mscdex had not fixed multiple security issues, despite their having been reported to him in the issue tracker with corresponding PRs. After I wrote to snyk, mscdex "woke up" and fixed the bugs.

j commented 2 years ago

@Uzlopak sounds reasonable; forking is fine, especially for internal organizations, but then going to every repository using them to ask them to switch just separates the community. Half of the upstream fixes will maybe be sent to yours, half to busboy, etc., etc.

Uzlopak commented 2 years ago

mscdex himself actively proposes forking if you are unsatisfied with his policies. I don't like this thought.

Tbh, I would rather have a centralized project. But what do you want to do if the project owner does not give other devs contributor status, so that projects relevant to the npm / node infrastructure get properly maintained, and supposedly has other important projects with higher priority until snyk knocks at the door to mark his projects as vulnerable?