I have a npm module I published in 2016, which to my knowledge has not worked since about 2018 (due to my failure to correctly use package-lock.json— in my defense, introduced in 2017). At some point in the last few years npm started getting very worried about supply chain attacks, so they started trying to get everyone to enable 2FA on their npm account, so frequently they send me emails asking for my phone number, and that's very reasonable, but also I think it's reasonable for me to not care
@mcc I sometimes worry about my abandoned software being out there. Then I realize that if anyone has ever forked it ever, then it’s out there anyway. There is nothing to be done! 🤷♂️
@brandon I do feel bad my code bitrotted, but again, package-lock.json! Kinda needed that feature if bitrot was going to be effectively prevented! :(
@mauve @mcc I maintain my own forks of almost all of the libraries I use, because they lack small but important features that I need. I really appreciate the access to the source code! However, I have had very bad luck getting PRs merged. I have gone to strenuous lengths at times with laser-like focus and extreme commitment to get PRs merged, with no increase in success rate. However, the success rate is much higher there than trying to get a bug fixed by filing a bug report!
@mauve @mcc That's a really interesting perspective! I actually feel the same way. I have no hope of my PRs being merged, but I do it anyway. I feel like it's a service to the universe in appreciation of the miraculous times when someone sends me a PR. So kind of them to notice my software!