jonschlinkert / word-wrap

Wrap words to a specified length.
https://github.com/jonschlinkert
MIT License

Give admin privileges to somebody else #39

Closed bgswilde closed 1 year ago

bgswilde commented 1 year ago

It seems like @jonschlinkert is a busy guy without much desire to keep this thing up to date or respond to inquiries on this. The most recent PR #33 has several individuals who would put the care into ensuring that code in this repo is solid, secure and up to date. @jonschlinkert, please give somebody else privileges to merge pull requests for the sake of the 1400+ projects that depend on word-wrap and 29M+ weekly downloads.

@jonschlinkert, if you're going to reasonably say in your bio... "I've created more than 1,000 open source projects in an effort to reach my goal. Open source software takes a lot of time to create and maintain, and millions of projects now depend on my code." then be a help to others in the community who depend on your code by allowing others to aid in maintaining it if you can't maintain it yourself.

(I realize that this is a shot in the dark, just trying as many avenues as possible to get @jonschlinkert's attention)

wellwelwel commented 1 year ago

An alternative would be to archive this repository and deprecate the word-wrap package, allowing dependent projects and users to move forward.

I mean this as a good thing, for example, the end of support at uglify-es allowed the birth of terser.

Once it's no longer possible to maintain support against vulnerabilities, I believe it's time to move on and be thankful for everything that @jonschlinkert and @doowb have contributed so far with word-wrap.

jonschlinkert commented 1 year ago

Is this you @bgswilde? Looks like one of your 3 contributions was this issue.


  1. I did respond in the past week or so on that issue and was already planning on merging in the PR
  2. When I think of burnout, I think of issues like this one.
  3. These are my contributions this year.


bgswilde commented 1 year ago

Thanks @jonschlinkert! Glad I got your attention! All the best!

wellwelwel commented 1 year ago

@bgswilde, I would like to show you a different angle.

The solution to this issue has existed since March 25th. So let's focus on the solution.

@aashutoshrathi's fork is a good alternative and you can use it from npm.


I came here because of the CVE-2023-26115 vulnerability from ESLint.

With a simple `npm ls word-wrap`, I noticed that the one that depended on it was Optionator.

See: https://github.com/gkz/optionator/issues/44

So, I just proposed the fix directly in Optionator. Within minutes, every ESLint version 7 or higher user had this issue fixed by performing an `npm update`.


What's the point?

In your projects that depend on word-wrap through some dependency, perform a simple `npm ls word-wrap` and map them.

Then, propose to them an alternative like:

Hi @_.

For now, I think @aashutoshrathi's `word-wrap` fork is a good alternative, because it only changes a single fix focused on the vulnerability. In other words, it won't break anything.

You can compare the changes [here](https://github.com/jonschlinkert/word-wrap/compare/jonschlinkert:786ebf1...aashutoshrathi:87a3667) and see @aashutoshrathi's [npm package](https://www.npmjs.com/package/@aashutoshrathi/word-wrap).

Regardless, I see this as a temporary measure.

#### References:
* [🔒 fix: CVE-2023-26115 jonschlinkert/word-wrap#33](https://github.com/jonschlinkert/word-wrap/pull/33)
* [Give admin privileges to somebody else jonschlinkert/word-wrap#39](https://github.com/jonschlinkert/word-wrap/issues/39)

Thanks for your attention.

bgswilde commented 1 year ago

@wellwelwel that's good stuff, thanks. In our instance, word-wrap is a nested dependency several deps deep and overriding is proving to be very difficult. We used the fork in a few places successfully where we could, but decided a couple months back that the work wasn't worth it in our more complicated repos until there's an upgraded word-wrap, so we got in touch with those dependencies and prioritized other work. Been checking in periodically ever since. Jon mentioned burnout in his response, which was a good chunk of why I brought this up. I can imagine he's got lots of other bigger priorities than this project, and long term maybe somebody else to share the load would be good for him. No disrespect at all to Jon, though given his response he might have taken some offense and felt the need to point out github commits ¯\_(ツ)_/¯. At the end of the day though, he sees what's happening in this repo, so I closed this issue.