Tech News
← Back to articles

Being blocked from contributing to lodash

2025-10-31 | original
read original related products more articles

On Being Blocked From Contributing to lodash

06 Oct, 2025

My Github account was blocked from contributing security improvements to the lodash project. This was my first open source work in a while, and unfortunately, it appears it was a waste of time. That said, I did learn a few lessons about contributing to open source projects that others might benefit from.

Background

I've been going down a rabbit hole to figure out how to improve supply chain security in the JavaScript ecosystem. A common problem is the inability to trust the true origin of code within a package and how that package was built and published. Phishing attacks on npm registry users exploit this weakness - threat actors with stolen credentials will directly publish malicious package versions to the npm registry, bypassing CI/CD entirely. A consumer of the package will be none the wiser. npm install will happily install the malicious package version if configured to do so.

One way to detect this type of attack is through package provenance. Publishing packages with provenance is the process of creating a signed statement of attestation during the building of a package so that the build process can later be verified. The statement of attestation contains metadata about the build, provided in part by a trusted CI/CD platform, like Github Actions runners. While not a security panacea, dependent projects can check the statement of attestation to detect whether a package was published by a trusted CI/CD process or directly uploaded to the artifact registry, bypassing CI/CD.

The npm client itself has made the process of generating and publishing a statement of attestation trivial - all you need is a Github Actions workflow that runs the publish command with these flags.

npm publish --provenance --access public

For packages that already use Github as a code forge, adopting a workflow to publish packages with these additional flags is, in most cases, a low-effort task. Despite this, the adoption of package provenance appears abysmally low. Of the ten most popular packages on the npm registry, only two are published with provenance. Even the typescript package is not published with provenance.

Trying to Help

... continue reading

Related:
OpenAI built an AI coding agent and uses it to improve the agent itself
Oracle says there have been 'no delays' in OpenAI arrangement after stock slide
$1B for AI Slop? Why Disney Is Spending Big and Bringing Its Iconic Characters to OpenAI
Oracle reportedly delays several new OpenAI data centers because of shortages — tight material and labor supply frustrate expansion plans, possibly by a year or more
Oracle made a $300B bet on OpenAI. It's paying the price

© 2025 GoKawiil