
PSA: You have 28 days to respond to NPM package takeovers, or you'll lose them - erikpukinskis
Learned the hard way. I got an email from a person trying to take over one of my NPM packages on November 16th. I didn't see the email until today (I don't check email very often), and NPM had already transferred the package to the third party on December 15th without my consent.

Turns out, it's laid out in the NPM policy. You have exactly 4 weeks to respond to a takeover request, or you lose the package: https://www.npmjs.com/policies/disputes

Now I've set up a canned response in Gmail to automatically respond to NPM support if they try to do it again. Maybe that will help. Makes me very nervous about my other packages though.

Seems like a pretty good attack vector for hackers.
======
git-pull
As someone who just patched two abandoned projects to work with Django 2.0, I
can say it's incredibly annoying when maintainers are MIA for extended times.

That means, now I have to divert time to maintaining my own fork.

The funny thing is I'm the person doing the heavy lifting. I make the fixes,
write the tests, make sure CI passes and older versions don't break, even
update the change log. Everything to assure stuff is in order. All they have
to do is accept the pull request and publish the package.

In my specific situation though, I was able to merge the PR to master. But had
no PyPI access to publish the package.

~~~
borplk
What does MIA stand for?

~~~
Spacemolte
Missing In Action I believe. Kind of like AFK (away from keyboard)

------
alexdrans
Yeah wtf, this is wrong. They should require explicit permission before
transferring ownership.

~~~
Raed667
Then NPM would be a graveyard of unmaintained projects

