Shulou(Shulou.com)06/02 Report--

Today, I will talk to you about what to do about JavaScript library core-js. Many people may not know much about it. In order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

What will be the fate of an open source project that so many people rely on?

In November 2019, Denis Pushkarev, the maintainer of the popular core- js library, failed to overturn an 18-month prison sentence for driving a motorcycle into two pedestrians, killing one of them.

As a result, he is not expected to be able to update core-js, which makes project contributors and other developers worry about the fate of their code base.

Core-js is a "modular standard library for JavaScript", which means that it provides a large number of functions to perform common and useful operations. It is often used in "polyfills" (implementing modern browser functions in older, weaker browsers), downloads through the npm registry more than 26 million times a week, and is widely used by large companies, including Apple. Now its future is uncertain.

Pushkarev, known as zloirock on GitHub, mentioned in a post last May that he could end up in jail by adding post-installation ads to generate revenue for a project that many people use but few people pay for. He predicted that he might have to pay legal or medical fees related to the motorcycle accident.

In that post, developer Nathan Dobrowolski asked, "if you go to prison, who will maintain [core-js]?"

Pushkarev didn't give any answers at the time. Since his conviction last October, the need to address the problem has become very practical.

A discussion post that began in February asked whether Pushkarev,core-js could survive without Pushkarev,core-js, which has long been the main maintainer of the project. So far, only Pushkarev has released an official version, most recently on January 13, 2020.

At least one other project contributor (the one associated with the GitHub account slowcheetah) is in a "collaborator" status (basically with write permission) and claims to be able to post updates. But it is not clear whether this person's management will be enough to maintain community confidence in the project.

Another JavaScript password library called jsrsasign faces a similar challenge: its maintainer, Kenji Urushima, has not been active since April 2018. Programmers using the software expressed concern about a lack of communication and an unresolved vulnerability, noting that 350 npm projects depended on the library, including some from Microsoft and Mozilla.

The situation facing core-js and jsrsasign highlights many of the challenges facing popular open source projects, especially those with growing usage but no change in governance. One of the programmers involved in the discussion asked: how can such a widely used project be in the hands of one person instead of the foundation?

If core-js is dormant, it may not cause as much trouble as the left-pad event on the left in 2016. No system will suddenly go wrong, and developers will have time to modify the relevant code. However, the transition plan may help.

Ben Balter, GitHub's senior product manager for community and security, says the company will continue to seriously consider the transfer of ownership of the code repository in the absence of a response from project maintainers. "in the preferred case, we want to ensure that the problem is addressed proactively in advance," he said. "

"We encourage defenders to transfer popular projects from their personal accounts to an organization. in addition to gaining access to advanced community management functions, add at least one other maintainer as a co-owner to further ensure that the project continues, even if one maintainer cannot."

He added that the maintainer can indicate his intention to leave the project by setting the GitHub status to "away" to let the contributor know that the maintainer will not respond during this period.

Balter says GitHub has a process for handing over account ownership in case of illness, which applies to relatives, collaborators, colleagues and business partners. He said that forking the dormant code repository was also an option, noting in particular that if GitHub took over and became the regular source of the project, it might relocate the branch. After reading the above, do you have any further understanding of what to do with the JavaScript library core-js? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.