
Open Source is one person

(opensourcesecurity.io)
433 points | LawnGnome | 3 comments
didgetmaster No.45052400
Has anyone seen any stats on what happens to a single maintainer project when said person is hit by a bus (or meets some other demise)? With that many data points, there should be enough of them by now to study it.

Is the project taken over by another, single developer? Is it replaced by a similar project? Does it just go away?

1. thayne No.45055306
It depends. More common than getting hit by a bus is that the maintainer loses interest, or doesn't have the time to put into it anymore. When that happens I've seen all of the following happen:

* Someone forks the project, and eventually the fork replaces the original.

* Another, possibly new, project that fills the same niche becomes more popular, and eventually replaces most usages of the first project.

* The original maintainer hands off maintenance to someone else.

* People keep using it, even though it is no longer maintained, and maybe make their own forks to fix issues they have, but none of the forks really catch on.

One of the strengths of OSS is that if the developer disappears, or goes rogue, or changes the license terms, someone can fork the project and keep it going. With proprietary software, if the company (or individual) who makes it disappears, or decides to discontinue it, or change the terms to something unacceptable, you are just out of luck. Hopefully, you can find a competing product that meets your needs.

2. worik No.45056333
This is theory
3. tracker1 No.45057898
Definitely seen this a lot in the JS/NPM ecosystem... You go searching for a module that does $thing... you find about 10, you sort and look at say the 3 most recently published and the 3-5 most downloaded/popular... is the repo open (github, usually), are there a lot of old issues left lingering with an old last publish date? Might take a passive look at the codebase to see if I can grok it and fix any issues I find if needed.

Choose what I feel is the best option. Trying to avoid dead packages, but not afraid to deal with older packages if they aren't just stale, but functionally complete. The shift towards ES import statements and TypeScript defs has also influenced my selection process.

I've seen plenty of cases where either a fork or new option effectively takes over. A lot of people are leaning towards Zod over Yue or Hono over Express. There are instances where the dev goes off the rails like with Faker and the community comes together to fork a solution.

All of the above examples definitely happen in practice. I'm guessing many packages all over the place have replaced various dependencies over the years.
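The selection heuristics tracker1 describes (last publish date, whether a repository is linked, whether the package looks abandoned) together with the thread's single-maintainer concern can be turned into a small dependency-hygiene check. The script below is an added example, not code from the thread or from any project mentioned in it. The documents it inspects follow the shape of the public npm registry's package metadata (`dist-tags`, `time`, `maintainers`, `repository`, `versions[v].deprecated`), but every package name, date and maintainer in `SAMPLE_REGISTRY_DOCS` is constructed, `NOW` is a fixed reference date so the run is deterministic offline, and the two-year staleness threshold is an assumption.

```python
"""Flag risky npm dependencies from registry-style metadata.

Added example (not from the thread). The documents below are shaped like the
npm registry's package metadata (GET https://registry.npmjs.org/<name>), but
every package name, date and maintainer here is constructed for illustration.
"""
from datetime import datetime, timezone

# Fixed reference date so the example is deterministic when run offline.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

STALE_AFTER_DAYS = 2 * 365  # assumption: no release in two years counts as stale

SAMPLE_REGISTRY_DOCS = {
    "well-tended": {  # constructed: two maintainers, recent release, repo linked
        "name": "well-tended",
        "dist-tags": {"latest": "3.2.1"},
        "time": {
            "created": "2018-01-10T00:00:00.000Z",
            "modified": "2025-07-01T00:00:00.000Z",
            "3.2.1": "2025-07-01T00:00:00.000Z",
        },
        "maintainers": [{"name": "alice"}, {"name": "bob"}],
        "repository": {"type": "git", "url": "git+https://example.invalid/well-tended.git"},
        "versions": {"3.2.1": {}},
    },
    "lonely-and-stale": {  # constructed: one maintainer, old deprecated release, no repo
        "name": "lonely-and-stale",
        "dist-tags": {"latest": "1.0.4"},
        "time": {
            "created": "2017-05-02T00:00:00.000Z",
            "modified": "2019-03-01T00:00:00.000Z",
            "1.0.4": "2019-03-01T00:00:00.000Z",
        },
        "maintainers": [{"name": "carol"}],
        "versions": {"1.0.4": {"deprecated": "no longer maintained"}},
    },
}


def parse_registry_time(value):
    """Parse the ISO-8601 timestamps the registry emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_package(doc, now=NOW):
    """Return the bus-factor / staleness indicators for one registry document."""
    latest = doc["dist-tags"]["latest"]
    published = parse_registry_time(doc["time"][latest])
    days_since_publish = (now - published).days
    maintainers = len(doc.get("maintainers", []))
    latest_meta = doc.get("versions", {}).get(latest, {})
    deprecated = bool(latest_meta.get("deprecated"))
    has_repository = bool(doc.get("repository", {}).get("url"))

    flags = []
    if maintainers <= 1:
        flags.append("single-maintainer")   # the thread's bus-factor-of-one case
    if days_since_publish > STALE_AFTER_DAYS:
        flags.append("stale")               # old last-publish date
    if deprecated:
        flags.append("deprecated")          # maintainer has signalled abandonment
    if not has_repository:
        flags.append("no-repository")       # nothing to review or fork

    return {
        "name": doc["name"],
        "latest": latest,
        "days_since_publish": days_since_publish,
        "maintainers": maintainers,
        "flags": flags,
    }


def assess_all(docs, now=NOW):
    """Assess every document, riskiest (most flags) first."""
    results = [assess_package(d, now) for d in docs.values()]
    return sorted(results, key=lambda r: (-len(r["flags"]), r["name"]))


if __name__ == "__main__":
    for r in assess_all(SAMPLE_REGISTRY_DOCS):
        status = ", ".join(r["flags"]) or "ok"
        print(f"{r['name']:<18} {r['latest']:<8} {r['days_since_publish']:>5}d "
              f"{r['maintainers']} maintainer(s)  {status}")
```

Against live data you would feed `assess_all` the JSON from the registry for each entry in a lockfile; the flags are prompts for the manual review tracker1 describes (read the issue tracker, skim the code), not a verdict on their own, and a functionally complete package with an old publish date is exactly the case where "stale" alone should not disqualify it.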