The Danger of "Modern" Open Source
fagnerbrack.com
Summary (TL;DR)
An unpaid open-source maintainer props up critical infrastructure relied on by Fortune 500 companies, with no contract and no accountability. The modern open-source model centralizes packages on registries such as npm, which exposes every downstream user to risks like malware injection, maintainer sabotage, and account takeovers. Incidents cited include left-pad, event-stream, ua-parser-js, Log4j, colors.js, node-ipc, XZ Utils, and Axios. Large language models make this worse by generating code that developers ship without understanding it, eroding oversight even further. The author, the creator of js-cookie, notes that these structural flaws in the system remain unaddressed.