Slugging It Out in Open Source

Great Pods

Slugging It Out in Open Source

Key Points

In 2011, someone called "Dodo" published a popular npm module called "Slug" for creating URL slugs
Dodo stopped working on the module in 2015 and completely vanished from the internet after 2018
A denial of service vulnerability was publicly disclosed in the Slug module in 2017
The author became frustrated with abandoned packages and contacted npm about taking over maintenance
npm had a documented process: email the maintainer, wait for response, and transfer ownership if no reply after follow-ups
The author started emailing maintainers of abandoned packages with security issues, getting mostly positive responses
Dodo was the only maintainer who never responded - emails bounced or went unanswered
After a month and npm support follow-ups, the Slug package was transferred to the author
The author quickly fixed the DOS vulnerability but felt stuck maintaining a package they didn't care about
Despite not being interested in slugs, the author invested significant time learning romanization methods and adding language support
Each new feature required extensive research but appeared as minimal commits adding a few characters
The maintenance work was unrewarding and negatively impacted the author's mental health
A more popular competing package called "Slugify" existed, which was actually a fork of the original Slug
Both maintainers wanted to hand off their packages to each other, leading to mutual collaboration
The Slugify maintainer added the author as collaborator after the package became popular from a Google I/O presentation
This situation exemplifies the broader problem of critical open-source code being maintained by overwhelmed volunteers
Many open-source maintainers suffer from guilt and anxiety due to inadequate time and resources for proper maintenance
The same maintenance problems exist in proprietary software - only big, popular packages get proper support while everything else risks developer burnout

Full Transcript

Language: en
I want to talk about open source, but
before I do, let's talk about slugs.
Not the slimy invertebrates, although
those are totally awesome. I'm talking
about URL slugs.
Way back in 2011, someone using the
moniker Dodo published an npm module for
making slugs.
The module itself was called Slug and it
became popular.
But in 2015, Dodo stopped working on the
In 2017, a denial of service
vulnerability in the module was
disclosed publicly.
Then after 2018, Dodo seemed to have
vanished from the internet completely.
Okay, I know I've set this up like it's
a murder mystery or some investigative
journalism uncovering international
espionage or something like that and
it's not that. But stick with me here
My involvement in the story starts in
Dodo has stopped working on Slug and has
either disappeared or is poised to
disappear from the internet and there is
a publicly disclosed vulnerability in
Meanwhile, I was frustrated about a
different bug in some other module.
The bug was breaking a build for me and
I had submitted a pull request to fix
it. But my pull request didn't get a
response. The package had apparently
been abandoned by its maintainer.
I explained the situation to someone at
npm inc. No problem. They said
we have a documented process for this
situation.
They told me to email the module
maintainer and CC npm support.
In the email, I was to explain what was
up to the maintainer and ask if they
could either merge my change or give me
access to the package so I could do the
maintenance myself.
If the maintainer fixes the bug or gives
me access to the package, great. If the
maintainer doesn't respond to me for a
couple weeks and also doesn't respond to
a follow-up or two from npm support,
then npm support will transfer the
package ownership to me.
In the current world of increasing
supply chain attacks, npm probably
doesn't do things this way anymore.
But in 2018, the thinking was that if
someone has stopped maintaining a
package, it is in the community's best
interest for the package to be
maintained by someone else.
I started emailing maintainers of
packages that seemed abandoned and had
unfixed bugs, especially security
issues. Responses were positive. It
probably helped that I was among the
most prolific contributors to Nodecore,
a fact which I always mentioned. Some
maintainers were grateful to turn over
their package because they didn't want
to maintain it themselves anymore.
Anyway, every single maintainer I
emailed replied to me with one
exception.
That exception was Dodo.
My first email to Dodo bounced. I found
another email address for Dodo, which
did not bounce, but Dodo did not
After a month and two follow-up emails
from MPM support to Dodo, MPM support
transferred the package to me. I was now
the maintainer of Slug.
I published a fix for the DOSs bug
quickly, but now I was stuck. I wasn't
interested in slugs or the package. This
package wasn't the most popular thing on
npm, but it was far more popular than
anything I had ever published to that
point. Now people wanted features and
help. To top it off, the DOSs
vulnerability wasn't really a big deal.
I don't know how everyone was using the
module, but it seems unlikely to have
been commonly exploitable.
But okay, I fixed the package. Now what?
I didn't want to abandon the package and
put it right back where it was. So
instead, I dove in. I was going to pay
down technical debt, fix bugs, add
features. There's a joke that free
software is free as in puppy. And now I
owned a puppy.
I spent time learning different methods
for romanizing various languages,
considered the pros and cons of adding
various alphabets, and so on. I didn't
have time in my life for this, but
somehow I made time. From the outside,
it didn't look like I was doing much.
Each new feature required a ton of
research and experimentation just to
show up as a single commit, adding a
handful of non-asky characters. There
are still lots of things that would
ideally be done. There's always more to
do, but I just can't prioritize doing
them over other things in my life. I
still don't care about slugs. Someone
out there does probably, and that's
great. But I'm faking it and so it's all
not even that rewarding. This can't be
good for my mental health.
There is another Slug package on npm
that is more popular than Slug. It is
called Slugify.
It is a fork of Slug, so it shares a lot
of the same API. I made some changes to
Slug to bring it even more into
alignment with Slugify. My unspoken hope
was that Slug and Slugify would become
so similar that they could merge and I
could effectively hand off Slug to the
maintainer of Slugify.
Turned out there's one catch. The
maintainer of Slugify wanted to do the
same thing and hand off Slugify to the
maintainer of Slug. After some mutually
supportive interactions in the Slugify
issue tracker, the Slugify maintainer
emailed me in April 2021 telling me that
they added me as a collaborator in
GitHub. They told me to feel free to
make any decisions and that they trusted
me 100%.
In another email, they explained that
they never thought about maintaining
Slugify much, but then it was on a slide
for a Google IO talk and became popular.
The Slug and Slugify modules are minor
examples of a larger issue. So much
critical open-source code is maintained
by people who cannot invest the time to
properly maintain it. And a lot of these
people suffer guilt and anxiety over it.
I'm far from the first person to point
this out. And there's a lot to say about
how sponsorships and foundations are
only partial solutions, but other people
have already explained that better than
I could. If you want more information on
this, I recommend Nadia Eggbal's book,
Working in Public. I should mention
though that I have every reason to
believe this problem is just as endemic
in proprietary software. As with open
source, if a proprietary package is big
and popular enough, it will be
maintained. But everything else faces
the risk of burned out, disinterested,
and undercompensated developers and
underresourced teams.
To this day, I do not know what happened
to Dodo. Maybe they retired. Maybe they
won the lottery. and have moved to a
private island. Maybe they decided to
leave tech for another career.
Or maybe they just got tired of
maintaining slug and simply stopped.

← All Summaries

Watch on YouTube