My name is Thomas, one of the original founders of cdnjs along with Ryan (linked below by another commenter).
We originally posted cdnjs on Hacker News in 2011 -> https://news.ycombinator.com/item?id=2828516
The project was originally created on AWS CloudFront; Ryan and I thought we could handle the bills. In retrospect that was incredibly naive, so we were fortunate to partner with Cloudflare.
At the time, cdnjs was a baby, Cloudflare had just started entering the market.
In short, Cloudflare always owned the domain, cdnjs.cloudflare.com, meaning we were constrained to work under the DNS level.
We have both put considerable amounts of work into the project, but nothing compared to the community and the "core" contributors. I put "core" into quotes because for the last 5 years, cdnjs has largely been run by a highly dedicated man named Peter.
Peter built enormous amounts of infrastructure to support cdnjs. He is extremely diligent, intelligent and determined.
The project was Ryan's and my "baby", but we were happy to relinquish control; sorry for all the "buts", but we were not in a position to control it, for technical and commercial reasons.
Ryan and I have never personally profited off the project; we've only paid bills and had late-night ssh sessions.
Conversations are underway to move forward; it is likely that the project will move to an unpkg setup (assets are just mirrored from npm).
A lot to say, but I'm at a lack of words.
Happy to answer any and all questions.
Alas, that didn't happen, so Peter stepped down and is no longer maintaining cdnjs.
I'm still here to try and keep it alive, but hearing nothing internally makes that rather hard :(
We should probably rename this old repo ThomasCDN.js and fork this repo to a new CDN.js so that the ones doing the work can resume activity.
You guys are currently the weakest link and not contributing, instead just hurting the project while not communicating. Is there an internal fight about power right now? Is there some type of investment happening that you need to ensure you have control? I suspect this is turning into an enterprise business, thus the big push for consolidating control and secrecy.
If that cannot work, or there is a big business push that the community doesn't need or want, the maintainers should make a new one in partnership with Cloudflare with a slight name change to avoid issues.
https://opencdn.cloudflare.com would be a good name.
Back then, and I don't know how much has changed, the libraries were maintained on GitHub and Cloudflare did the hosting. I wasn't aware of any problems with either organisation doing what they were doing; the system worked just fine. The founders (see https://cdnjs.com/about for confirmation) Thomas and Ryan were around, but not super active. Thomas was involved in building out some of the automation infrastructure, but the day-to-day of updating the repo was largely undertaken by the maintainers, and that was fine. I never 'met' either founder, but we had occasional email back and forth and they were grateful for my maintainer-ing.
I used the GitHub Mac app because I was finding my way. Whenever I changed any library, the action of the app checking a HUGE repo for any changes pegged my laptop for a few minutes every time. Not ideal, but the process of doing this librarian-ing helped me learn about a heap of stuff.
According to  I stopped on cdnjs mid-2014. Things got a bit twitchy for me when a library (edit: jPlayer) was pulled from the file structure because it was compromised (edit: XSS) or found malicious at release. I had a couple of user complaints directed at me because I was the one that added it in good faith originally (it passed the malware checks I ran on it). The founders stepped up to explain it wasn't me that was to blame, and one person didn't take that too well -- basically they found me on other software forums, posted threats to me and explained how the library that I had added, and someone else had removed, was crucial to their business and they'd lost such-and-such dollars in revenue with that library 404-ing without notice and that they were coming to find me and extract the money from me by force. It all died down a few weeks later.
Wow, that really takes "open source maintainer abuse" to a whole other level.
But expecting the same from a free service is unreasonable. Stalking people and asking for damages because they didn't meet an unreasonable expectation is beyond unreasonable.
For security issues like XSS in live and deployed libraries?
I mean, I don't agree that the library should ever be removed, but if you are of the opinion that vulnerable libraries should be pulled, they should be pulled quickly, no?
Of course for a small startup a few days notice before removal is enough, but for a large company a few days may be barely better than no heads up at all. Not everyone can move with the same agility.
If you don't pull it at all you risk people staying on the library forever because they don't want to touch a working system.
Essentially, they were physically threatened over an open source change done by someone else.
Software development at scale is about much more than code. It's about maintaining relationships with people, being willing to trust other people can do good work without your input, and sharing responsibility for what you started. All the really awesome open source projects have people who are good at those things at their core.
Wait. Okay, no, you can't take a break, because we give you huge donations that make it so the 5 maintainers can afford to spend time working on it. You can easily feed 5 people or families on the annual donations of...
Okay. In all seriousness. No one doing open source owes anyone anything. Software at scale is a job. Jobs have salaries. Microsoft depends on it? How about Microsoft spends 10% of an engineering salary supporting it?
https://opencollective.com/cdnjs#section-budget They also have a Patreon, which is bringing in $0 per month.
If the project goes down and maintainers leave the project, Microsoft also loses the money spent on their engineers contributing there. They will have to fork the project, put more people on it, waste a lot of time re-learning the code and start contributing. Money and time would be better spent by just donating to the current main maintainers.
The sunk cost fallacy refers to irrational decision making about a future action, incorrectly using the costs of past actions to do so.
It is not a fallacy to assess or reassess the value or effectiveness of past actions.
Nope, the really awesome open source projects have one or two people who dedicate large amounts of personal time and resources to the project for no reward.
That's the foundation of open source so many are ignorant of. It's not about community, fame or fortune; open source is about people sacrificing a huge part of their life for no reward or acknowledgement, only criticism when it doesn't live up to a paid service provided by a team of professionals.
Worth noting that this holds true for everything at scale, not just software development.
What’s missing is a way to tell the browser to use a certain resource (identified by its hash) and a url to download it.
That way the browser could cache the object across websites and download from a source that the requesting website controls.
It could look like this
The major browsers (FF, Chrome, Safari) all fragment cache by the domain in the URL bar now, for privacy reasons, so this doesn't apply anymore.
> the browser could cache the object across websites and download from a source that the requesting website controls
You can't do this without reintroducing the same privacy issues that cache fragmentation was introduced to prevent.
Performance vs. security trade-offs seem to be popping up everywhere recently.
And I believe it's a good solution to restrict such a feature to files already marked with a hash on the origin. They would only do that for common libraries found elsewhere as well.
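The "file already marked with a hash on the origin" in the comments above is the Subresource Integrity (SRI) `integrity` attribute, which is the existing way a page binds a CDN-served script to a hash. The following is an added example, not code from any commenter or from cdnjs: it computes the integrity value a page would publish for a constructed script body and verifies fetched bytes the way a browser does (strongest listed algorithm wins, unknown-only metadata means no check).

```python
import base64
import hashlib
import re

# SRI digest algorithms, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity metadata a page would publish for `content`."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (algorithm, base64 digest) pairs.

    Tokens with unknown algorithms are ignored, as browsers do.
    """
    pairs = []
    for token in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def verify_integrity(content: bytes, attr: str) -> bool:
    """Browser-style SRI check of fetched bytes against an integrity attribute.

    Only digests for the strongest listed algorithm count; the resource is
    accepted if any of them matches. If no known algorithm is listed, the
    spec performs no check and the resource is accepted.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    accepted = {digest for alg, digest in parsed if alg == strongest}
    actual = sri_integrity(content, strongest).split("-", 1)[1]
    return actual in accepted


if __name__ == "__main__":
    # Constructed sample asset standing in for a CDN-hosted script.
    asset = b"console.log('hello from a constructed cdn asset');"
    published = sri_integrity(asset)
    print(published, verify_integrity(asset, published), verify_integrity(asset + b" ", published))
```

A single trailing byte changed in the served file is enough to make the check fail, which is what protects a page from a CDN copy that no longer matches what the origin vetted.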
Just stop loading 100 resources on a single page load. If a website loads just one CSS file and maybe one JS file there wouldn't be any performance issues, unless of course those files are several megabytes in size.
I feel like we're really close now. Come on guys, one last push.
We have engineers currently working with the CDNJS team to get updates happening again. Once that is done we will start to think about the best way to keep CDNJS updating without requiring as much human intervention in the future. Thanks for your patience and feel free to ask any questions here.
It's a free CDN that automatically pulls from npm or GitHub based on the repo URL without any submission/approval bottlenecks. It's also more robust, with multiple CDN and DNS providers.
cdnjs doesn't work well with ES6 modules, or at least requires more manual labor. unpkg and jsDelivr work because they keep the structure defined in the package.json.
And also, note that yeah they last pushed to master in August, but they've been doing work since then on at least one other branch. https://github.com/cjdelisle/cjdns/tree/crashey
Software should mature and when it does, development should slow down. I don't use cjdns myself, but from what I've heard it seems to be a solid piece of software.
If you had personally submitted a PR to the project and it was sitting there unacknowledged, or you were seeing lots of PRs by others sitting unresponded to then I could see a reason for being frustrated. But there are only two open PRs at the moment, and only one of them is without any comments.
CJDNS - DNS software for ip6, by "CJ"
IOW, totally unrelated.
I mean even the Linux Kernel was maintained like that a few years ago.
Heartbleed was a bug in OpenSSL disclosed in 2014, which had very severe security implications.
Subsequently, people noticed OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code.
Shortly after Heartbleed it turned out OpenSSL was funded by a couple of developers doing enhancements as contracting work and $9000/yr in donations, despite being relied on by most of the internet.
And then some committee came along and thought everything was crap and they'd do it better. Featuring ESR: https://lwn.net/Articles/713901/
An Internet without a reliable way of figuring out the true time would be... messy.
If anyone is looking for alternatives, I created Pika CDN as a modern alternative for cdnjs/jsdelivr/unpkg. It runs off of npm (so no approval bottlenecks) and is 100% modern ESM (so you can `import` every package directly in the browser without a bundler).
What are we doing? Deploy the donations!
See for example https://github.com/Raynes/tentacles which now "moved" to clj-commons https://github.com/clj-commons/tentacles
Edit: just learned after looking up more about it that Raynes also seems to have been behind the creation of Elixir's Mix toolkit (Mix is Bundler, RubyGems, and Rake combined), so he touched a lot of people's lives outside of Clojure as well.
If you haven't planned for it? Hopefully there are maintainers/contributors who care enough and have the resources to step up, figure out a plan, and execute it. If not? Have fun maintaining your own fork and finding out about security bugs on the front page of HN.
That gives you an idea of the scale of usage of the service. 157 billion requests last month.
Even then, it's not even clear how trustworthy any forks are. And the risk of the project fragmenting becomes high. Which is the "real" CDNJS if the original becomes stale and two credible actors both decide to fork it at the same time? In reality, there will end up being links to all three projects.
Unpopular opinion ahead: I find demanding money after "voluntarily" contributing to an open-source project almost offensive to the spirit of OSS. Money changes the incentives around a community project in an irreversible way. Note that the issue here has nothing to do with financial support.
EDIT: This is regarding the “core maintainers” comment in the linked thread, and not a judgement of anyone’s ability. I gave away years of my own time to open source projects earlier in my career. It was very rewarding in many ways, even financially - what I learned made me a lot better at my job.
Am I not allowed to be ok with that, and believe that a paid contribution model is not ideal for OSS?
When there are not enough interested persons to keep a project alive, let it die. As shown in other comments, the same infra can be achieved in an automated fashion without the need for lots of human intervention.