It's very possible this went through npm support, they received no reply within the window, and the transfer was granted.
There are good practices around domain names to lock transfer, perhaps npm should consider adopting similar mechanisms.
The Koa organization did not write, maintain, or ever help with this package. I wrote it. I maintained it, with help from people who reached out to me directly (and actually contributed code).
@ZijianHe offered to maintain it, and I agreed to let him maintain it. Our relationship is not anyone's business. I don't have a relationship to the koa organization. I don't know them. Furthermore, @niftylettuce has repeatedly in emails to npm asserted that ZijianHe is Chinese, despite this having nothing to do with anything, or even knowing whether ZijianHe lives in China. Chinese developers have contributed more to this repository than anyone from the Koa organization. This kind of racial scaremongering or guilt by association is not acceptable. It's offensive. Let's be very clear: Developers from any ethnicity and nationality are welcome to contribute to open source.
I'm not going to say anything more on this issue. This is beyond ridiculous.
1) No, they (Chinese developers) have not contributed more. You revoked access from @jbielick, who was the #2 contributor to the package behind you. He messaged me in Slack today that he received zero notification from you and simply received a notification from NPM that his access to the package had been removed. You removed his access completely from NPM.
2) My email to you prefaced the concern of the China-based user with "completely unknown" and "To an outsider". Here's the original email to clarify it for people viewing this from an incorrect context:
Thanks for your work in the open source community.
I am curious, since the project is open source, if you will be transparent as to the transfer of the koa-router repository and NPM ownership to a completely unknown user "ZijianHe" to the community. Was there a monetary transaction? Why did you choose him? Why not transfer to the KOA org?
To an outsider, this is all a huge red flag, as an unknown Chinese GitHub user suddenly has full control of an NPM package with 130K weekly downloads that is used by major corporations.
I hope my attempt to clarify this aspect doesn't take the focus off the other parts of your responses, because the issues you raise are concerning to me and I share your belief that the community deserves info about all this.
1. there seems to be -intentionally- very little transparency about it,
2. the second most prominent contributor - who was also the most prominent contributor for the last two years - was, we are told, locked out without notice,
3. the original developer has repeatedly declined to acknowledge that the community has (or could have) any concerns worth even discussing,
4. the GitHub history indicates a strong possibility the package was bought.
If someone wants to sell their package, perhaps they have every right to, but the author's repeated dismissal that anyone might be legitimately concerned or legitimately want to know more about this process is bizarre and alarming.
Why not be transparent about selling the package? Or attempting to do so?
> Chinese developers have contributed more to this repository than anyone from the Koa organization. This kind of racial scaremongering or guilt by association is not acceptable. It's offensive.
Nice rhetoric here. But you know the country of origin of most cyber attacks is China, right?
> I'm not going to say anything more on this issue. This is beyond ridiculous.
Suit yourself. But it really isn't. Sorry for all the harassment you're getting, but it's not exactly unwarranted...
Race and nationality aside, the transfer of ownership to an entity that has zero open source contributions in the js space does look very suspicious. I'm just surprised that an open source author didn't provide that disclosure to users of his work.
For example, I can see at least one other Chinese contributor, who works at Alibaba, who commented that he is against this.
The principal issue here is that the repo was put up for sale, and anyone paying for the opportunity to maintain a free library should be scrutinized. This would be true regardless of whether they were Chinese, black, or a white guy from San Francisco.
This is yet another example of a (by now fairly known) vulnerability in the npm package ownership transfer process. Just a few months ago, there was a big drama with malicious code found in a popular package `event-stream`, placed by a new unknown owner.
I like one of the ideas in the GitHub issue, that a change in package ownership should be considered a major semver bump. At least that might reduce the reach of a bad actor who would buy a popular package for exploitation.
Of course, the real problem is thousands of codebases shouldn't be banking on the honor system for stuff like this.
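The comment above argues that consumers are relying on the honor system and that a maintainer change ought to surface as a major version. One way a consumer can stop relying on honor alone is to inspect the registry metadata for the versions they depend on and flag any version whose maintainer set changed, or which was published by an account outside the previous maintainer set, without a major bump. The script below is an added example, not code from this thread or from the koa-router project; it assumes the general shape of an npm registry packument (a "versions" object whose entries carry a "maintainers" list and an "_npmUser" publisher), and the package, versions and account names in the sample data are constructed for illustration and describe no real package or person.

```python
"""Flag versions of an npm package whose maintainer set changed, and whether
the change coincided with a major semver bump.

Assumed packument shape (simplified from what the npm registry serves):
  {"versions": {"x.y.z": {"maintainers": [{"name": ...}],
                          "_npmUser": {"name": ...}}}}
"""
from __future__ import annotations


def parse_semver(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch), ignoring pre-release and build suffixes."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def ordered_versions(packument: dict) -> list[str]:
    """Version strings in ascending semver order (registry dict order is not reliable)."""
    return sorted(packument["versions"], key=parse_semver)


def maintainer_names(version_doc: dict) -> frozenset[str]:
    return frozenset(m["name"] for m in version_doc.get("maintainers", []))


def ownership_changes(packument: dict) -> list[dict]:
    """Walk consecutive versions and report every one where the maintainer set
    differs from the previous version, or where the publishing account was
    not among the previous version's maintainers."""
    findings = []
    versions = ordered_versions(packument)
    for prev, cur in zip(versions, versions[1:]):
        before = maintainer_names(packument["versions"][prev])
        after = maintainer_names(packument["versions"][cur])
        publisher = packument["versions"][cur].get("_npmUser", {}).get("name")
        publisher_outside = publisher is not None and publisher not in before
        if before == after and not publisher_outside:
            continue
        findings.append({
            "from": prev,
            "to": cur,
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "publisher": publisher,
            "publisher_outside_previous_maintainers": publisher_outside,
            # The thread's proposal: an ownership change should be a major bump.
            "major_bump": parse_semver(cur)[0] > parse_semver(prev)[0],
        })
    return findings


def silent_takeovers(packument: dict) -> list[str]:
    """Versions where ownership changed without a major bump: exactly the
    releases a caret or tilde range in package.json would pull in unnoticed."""
    return [f["to"] for f in ownership_changes(packument) if not f["major_bump"]]


# Constructed sample metadata for a hypothetical package; not real registry data.
SAMPLE_PACKUMENT = {
    "name": "example-router",
    "versions": {
        "7.4.0": {"maintainers": [{"name": "alice"}, {"name": "bob"}],
                  "_npmUser": {"name": "alice"}},
        "7.4.1": {"maintainers": [{"name": "alice"}, {"name": "bob"}],
                  "_npmUser": {"name": "bob"}},
        # A new account appears as maintainer and publishes a patch release.
        "7.4.2": {"maintainers": [{"name": "alice"}, {"name": "newowner"}],
                  "_npmUser": {"name": "newowner"}},
        # The original maintainer is gone, but this time it is a major bump.
        "8.0.0": {"maintainers": [{"name": "newowner"}],
                  "_npmUser": {"name": "newowner"}},
    },
}

if __name__ == "__main__":
    for finding in ownership_changes(SAMPLE_PACKUMENT):
        print(finding)
    print("changed hands without a major bump:", silent_takeovers(SAMPLE_PACKUMENT))
```

Against the constructed data the script reports two changes (7.4.1 to 7.4.2 and 7.4.2 to 8.0.0) and names 7.4.2 as the one that would slip through a `^7.4.0` range. In practice the packument would be fetched from the registry for each dependency in the lockfile and the check run in CI, so that a maintainer change blocks the upgrade until a human has looked at it.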
I haven't contributed to open source projects before, so I don't have too much public information on my GitHub account.
Thus I think it would be a good opportunity for me to join the open source community by maintaining the koa-router project.
I will start reviewing PRs and getting rid of issues after I finish going through the code.
Any suggestions are welcome.
The transition from express to koa has been slow, and this doesn't help. It will undermine confidence in the koa framework.
(in case the comment gets deleted: https://i.imgur.com/J5lOiMZ.png)
What's great about koa is that it's not a monoculture like express. express has all batteries included and lacks a healthy ecosystem. Yes, there is a lot of stuff out there, but everything in and around express feels broken. Yes, you can use it and it's ok, but you're not really happy.
This is paired with the same maintainers who also are on connect, express-generator, etc. Together they do a great job maintaining express, but you feel the lacking pace in all these projects. express still lacks http2 (not turn-key-ready), express-generator is full of strange edge cases nobody needs (in the www file) polluting your code. express docs got better, but still.
But we as a community need healthy competition and if koa-router moved to koajs you'd start the next monoculture and new contenders wouldn't have any chance to establish because there is a default router.
The key to being successful is to build a minimal/barebone product and let others create additions, not to swallow everything into a slow org.
And tbh, I like koa-router, but simple stuff like regex path matching is not included, so I need my own middleware (I mean it's a few lines, but still).
Everyone who doesn't like this move, fine, fork koa-router and make it better and we will see if koa-router's new maintainer is a real maintainer who will push the product. Or just write your own router, it's not that hard.
Forking and improving is open source, not complaining in dozens of threads and pressuring people to hand out a repo (this reminds me of office politics and blackmailing: 'give us the repo or we destroy your and the new maintainer's reputation online'). I think it's more about getting the SEO-relevant GitHub and npm name 'koa-router'.
So guys, just stop it, welcome the new guy and/or fork, I am happy to yarn add your fork.
What exactly are you automating? A notification system for transferring of ownership?
No package in any package manager, if it contains code and has greater than 0 downloads and dependencies, should ever be replaced. The cost of storing an old package is minuscule compared to a system where anyone can petition for a package name takeover and cause unlimited cost through the effects of takeover. 30 days is absurdly short in the lifetime of software and does nothing good for the community. Package squatting is not a real problem for anyone.
In this case, the owner wanted the ownership change so it's really a non-event.
No we don't. Our process is just as secure as npm's. Please stop talking about things you don't actually know.