State and governance of the project?

[yvele]

---

Edit: The project still is alive, some other contributors like @slowcheetah have permissions for the project to keep going, see https://github.com/zloirock/core-js/issues/767#issuecomment-603682034 👍

Full summary of project governance here https://github.com/zloirock/core-js/issues/767#issuecomment-604892167 👍

---

Looks like @zloirock the author and main maintainer of the project will be will be unavailable for some time 1.5 years.

Sources: https://github.com/zloirock/core-js/issues/767#issuecomment-598966371, https://github.com/zloirock/core-js/issues/757#issuecomment-579221001, https://github.com/zloirock/core-js/issues/747#issuecomment-573318269, https://github.com/zloirock/core-js/issues/548#issuecomment-494112872

What exactly is the state of the governance of this project?

The JavaScript community should be a bit concerned because @zloirock looks like to be the "only" maintainer. Does somebody else have admin privileges to write on this repo? Publish on npm and make this project not to die?

Or the only way is to "wait" for someone to fork this repo? Maybe someone from @babel (poking @nicolo-ribaudo and @danez 🤷‍♂). Looks like @babel doesn't have bandwith to fork this project.

A huge open source project (25M weekly downloads) like this should be maintained by more than a single person 🤔

Any clues on the future of this project?

PS: I don't know your personal story @zloirock but I'm grateful for your amazing work on this project.. hoping everything will be fine

Edit: This project is dead, see https://github.com/zloirock/core-js/issues/767#issuecomment-598966371

[ashpr]

@zloirock Making himself the only maintainer was extremely poor handling of such a well used repo.. but I can't say I'm surprised. He's been extremely protective of it.

I think, in time, this project may need to be forked.

[delanni]

Looks like the Karma Police got him...

[danielrree]

It's going to be unmaintained for 1.5 years to be exact. So the project is essentially dead (just like the person he ran over by motorcycle).

zloirock's comment:

our stupid law.

Can't really call stupid the law that sets punishment for running over (and killing) someone on pedestrian crossing.

[yvele]

https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fkraevoy--alt.sudrf.ru%2Fmodules.php%3Fname%3Dsud_delo%26srv_num%3D1%26name_op%3Ddoc%26number%3D1733512%26delo_id%3D4%26new%3D4%26text_number%3D1

The verdict of the court Pushkarev D.The. convicted that DD.MM.YY , driving a motorcycle " НС ", registration plate *** , moving at a speed of 60 km / h, in the area

, in violation of paragraphs. 1.3, 10.1, 14.1 of the Rules of the road of the Russian Federation, did not give way to pedestrians R.G. and P.A. crossing the carriageway through an unregulated pedestrian crossing indicated by signs 5.19.1 and 5.19.2, as well as road markings 1.14.1, and allowed a collision with these persons.

As a result of a traffic accident, pedestrians R.G. and P.A. bodily injuries were caused, including those causing serious harm to health on the grounds of danger to life. From injuries sustained pedestrian P.A. died at the scene of a traffic accident.

The crime was committed by the convicted person under the circumstances detailed in the court verdict.

At the hearing Pushkarev D.The. actually admitted guilt.

As a result of a traffic accident, pedestrians R.G. and P.A. bodily injuries were caused, including those causing serious harm to health on the grounds of danger to life. From injuries sustained pedestrian P.A. died at the scene of a traffic accident.

convicted under Part 3 of Article 264 of the Criminal Code to 1 year 6 months in prison with a sentence in a penal colony, with the deprivation of the right to engage in activities related to driving, for a period of 2 years.

Ok 😔

[yvele]

@nicolo-ribaudo https://github.com/ryanelian/ts-polyfill/issues/4#issuecomment-599227863

Babel maintainer here 👋 We are probably not going to fork core-js because we don't have enough resources to maintain it.

🤷‍♂

[eiji03aero]

I bet this will be the SPOF of the year for js ecosystem

[devsnek]

For those in need of an immediate replacement, https://github.com/es-shims may provide what you need (and the project welcomes maintainers, if you feel like contributing)

[orliesaurus]

This could potentially be bigger than left-pad's controversy. As the package maintainer & owner is MIA and seems to be for a while...

[joshxyzhimself]

Need to update babel docs if we ever move to another repo

[MichaelZaporozhets]

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

[franciscop]

Please read the full report. It doesn't seem so black and white:

he emphasizes that he was unable to notice pedestrians in a timely manner, since they were below the light level of the vehicle headlights ( R.G. - was lying, P.A. - tried to raise her), were dressed in dark clothes, street lighting was insufficient, he ( D. Pushkarev ) was blinded by the high beam of an oncoming car. Further, the author discloses the contents of the witness statements of A.A. A.Yu. A.M. I.K. A.S. , focuses on the behavior of victims at a pedestrian crossing, which contradicted the requirements of paragraph 4.6 of the Rules of the road of the Russian Federation. He notes that the victims were intoxicated, behaved inappropriately.

[sgammon]

@franciscop that's why you're supposed to drive slow enough that this never happens, because you have time to stop.

[Suvitruf]

Why instead of discussing this repo future you are talking about this accident? It's irrelevant and will not help to solve the issue.

[slowcheetah]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

[simskij]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

Sorry for finding this highly unlikely (given how restrictive zloirock seems to be with permissions), but could you please provide some kind of proof for this claim? Like, adding a notice in the readme.

Edit: Proven 👍

[em92]

@simskij @slowcheetah merged this: https://github.com/zloirock/core-js/pull/771

[simskij]

@simskij

@slowcheetah merged this: https://github.com/zloirock/core-js/pull/771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

[em92]

Btw, @slowcheetah, you can edit issue message by yourself.

[scottarc]

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

[tom-sherman]

I would like to urge everyone to try not to discuss @zloirock personal life in this issue, it's really not the forum for it. This is an important conversation about the maintenance of a critical JS dependency, we don't want to lose relevant comments in the noise. Thanks 🙂

[simskij]

To keep the discussion focused, maybe @slowcheetah could even hide all comments focusing on @zloirock's personal life (including this one)?

[simskij]

How that big project can be still a private repo? shouldn't it be cared by some js foundation?

In my opinion, it would feel pretty lousy to make such a decision without the core maintainer being present to weigh in.

[MichaelZaporozhets]

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

I’m not saying it’s up to the maintainer to necessarily disclaim potential risks- rather, an automated t-shirt sized risk assessment for dependency by github would be a neat feature.

I also strongly disagree that risk necessarily reflects inversely on quality... I’m confident a lot of the oss stuff I use for my private/personal projects would probably be a high-risk in an enterprise environment, but that’s fine. Right tool for the right job, etc.

Anyway, this is off-topic, I’m really just advocating for stronger governance around a project that is so important to everyone.

[yumetodo]

There are simple questions:

1. When enough money is provided, contributors can continue to maintain core-js?
2. Is it still suitable to use Open Collective or Patreon to give money to contributors?

[sheerun]

Currently he is the only administrator on Open Collective so distributing funds from it is probably not possible

[jmackay-io]

I disagree a lot with the "risk rating" requests outlined here. Just publicize the administrators of public repositories and let people decide for themselves. Not that it would have mattered in this case because this painted a perfectly clear picture.

I think the real culprits are the Babel team because they definitely knew this was a high-risk project, and they still forced millions of consumers to add it as a dependency. Even if individual developers identified core-js as risky, there's nothing most of them could have done about it.

[yvele]

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

@simskij @slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

Issue description updated. Is that good enough?

[IanKemp]

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

Or... or - developers could do some due diligence and risk assessment themselves before just pulling in every random JS library that comes across their radar.

A bizarre concept in JS land, I know.

[brodycj]

#548 (comment)

The idea of anyone owing so much money or going to prison just for an accident sounds ludricous (ridiculous) to me. I wonder if there is any way we could find some help for an appeal.

[ghost]

can we remove finally his job ad spam from the install logs now?

[brodycj]

I think it is up to the dependents to upgrade to the latest version, which seem to be cleaned up.

[slowcheetah]

can we remove finally his job ad spam from the install logs now?

No

[mryellow]

No

Why not?

He still looking for a job while incarcerated?

[5HT2]

Yes, it would be nice of him to be able to get back up on his feet after spending 1 and a half years in prison, before going to which he spent 6 months without a job maintaining an open source project for free.

[slowcheetah]

No

Why not?

He still looking for a job while incarcerated?

@zloirock ask me don't remove that

[ashpr]

No

Why not? He still looking for a job while incarcerated?

@zloirock ask me don't remove that

This proves time and time again that @zloirock is completely unfit to manage this repo.

I'm not doubting this technical abilities.. but his approach has been absolutely god awful. Specifically with this job thing and his long absence.

• Extremely limited collaboration.
• Advertising in our logs, which has actually been reported to have caused issues on CIs due to it maxing out log files.
• Threatening to delete the repo if NPM enforces a ban on logs.
• He has had job offers but he is turning them down.
• Now he's incarcerated for 1.5 years and he still refuses to remove it. He actually went out of his way to make sure its not removed.

Can you not see how absolutely mad this is?

I suggest we make a push for es-shim or babel should seriously consider forking.

[MKRhere]

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

[yvele]

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

Let's wait for the next release to be published on npm and then I'll be comfortable closing this issue.

When you have a look at the releases you can see that only @zloirock was in charge of publishing them.

On npm the only collaborator is zloirock 🤷‍♂

In the meanwhile I'm not confident that this project is going well regarding governance...

[yvele]

@slowcheetah are you able to inform us on the governance strategy?

• How many people have GitHub and npm permissions on this project?
• What kind of permissions? Administrative privileges?
• Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
• Is there a "leader"? Someone that can handle the architecture vision of the project?
• This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

[slowcheetah]

@slowcheetah are you able to inform us on the governance strategy?

• How many people have GitHub and npm permissions on this project?
• What kind of permissions? Administrative privileges?
• Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
• Is there a "leader"? Someone that can handle the architecture vision of the project?
• This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

• Only me an @zloyrock have npm permissions
• All privileges
• Yep. I have contact with @zloirock, but it is "delayed" because carantine situation now.
• I will try to dive in project but now i can't say that i am "leader". I am "support". There is some chance that within a few months @zloyrock himself will have access to the project.
• I no have direct relation with @babel. I have nothing to say

I am diving in project now. if @zloirock will not have direct access to the project, I will discuss disputed issues with him and try to do further support and development of the project.

Next week I hope to talk with him about the current bugfixes and come to the conclusion whether a new version is needed now.

[yvele]

Thanks you @slowcheetah 🙏 I think we all have enough informations... And I think I can close this issue now 🤔 if you agree of course. Issue edited.

[apasov]

According to the testimony @zloirock is sentenced to serve his term in so called колония-поселение. It is something like lightweight prison or open prison. Inmates there have much more freedom than in real prison. I believe it's possible to have daily internet access there. So it might explain why he is still looking for a job while incarcerated.

I suppose that currently @zloirock is in СИЗО because he issued an appeal and is waiting for the trial for the appeal. In СИЗО conditions are very strict - you cannot have internet access there, but you can have supervised phone calls and personal meetings with relatives and/or friends several times per month. After the court rejects or approves his appeal he will be sent to the lightweight prison where he will be able to continue maintaining this repo.

Also one day served in СИЗО counts as 2 days in колония-поселение. It means the more days he spends in СИЗО the sooner he will be released. E.g. his term is 1 year and 6 months, but if he spends say 3 months in СИЗО his remaining term in колония-поселение will reduce to 1 year instead of 1 year and 3 months. So he'll be freed by 3 months earlier. If for some reasons he spends all his term in СИЗО he will be released in 9 months instead of 1 year and a half.

Maybe @slowcheetah can confirm or deny my assumptions.

[nektro]

No

Why not? He still looking for a job while incarcerated?

zloirock ask me don't remove that

This proves time and time again that zloirock is completely unfit to manage this repo.

Then don't use this project. Move on.

[joshmanders]

This proves time and time again that @zloirock is completely unfit to manage this repo.

You don't get to make that decision.

I'm not doubting this technical abilities.. but his approach has been absolutely god awful. Specifically with this job thing and his long absence.

Fork the repo and maintain it yourself then.

• Extremely limited collaboration.

Just because his project got popular doesn't mean he has to let anyone who wants to come in and make sweeping changes.

• Advertising in our logs, which has actually been reported to have caused issues on CIs due to it maxing out log files.

That's a problem with npm and yarn for not suppressing logs correctly, or the end user for not setting log levels to the appropriate ones.

• Threatening to delete the repo if NPM enforces a ban on logs.

His code, he can do with as he please, don't like it, fork it and maintain it yourself.

• He has had job offers but he is turning them down.

Just because he's looking for a job and someone gives him an offer doesn't mean it's a good fit and he has to accept it just to remove a console log to appease entitled people like you. You want the advertising to stop, maybe you should donate your money towards its development so that he doesn't need to do that.

• Now he's incarcerated for 1.5 years and he still refuses to remove it. He actually went out of his way to make sure its not removed.

See above.

Can you not see how absolutely mad this is?

Can you not see how absolutely entitled you're being and that nobody here, not even @zloirock has to acknowledge or owes you a single thing, at all?

I suggest we make a push for es-shim or babel should seriously consider forking.

Good luck.

[mattlubner]

I think this thread needs to be locked. The conversation looks like its (again) spiraling downwards, in the direction of frustration at the log messages.

Look, we all have opinions on the log messages. This isn't the place to discuss them, and frankly, if you're bothered by them (like I am), then put that energy into a more productive form of dissent (such as championing a solution). We're a creative bunch, so I have confidence we as a community can think of ways to address the systemic problem of developers needing support for their OSS efforts. No one is actually helped by the collective complaining that's happening throughout the GitHub issues for this repo.

Keep the thread on-topic. The questions seem resolved, so let's move on to other things.

[zloirock]

Holy shit... Apparently, it's time for me to think for whom I make core-js and why.