23 articles
A CVE filed against your open source project can feel like a crisis. It doesn't have to be. Here's a clear, step-by-step playbook for triaging, disclosing, and patching a vulnerability without burning trust with your users.
Your pull requests are piling up, issues go unanswered, and the maintainer hasn't been seen in months. Here's how to assess the situation, find your legal footing, and move the project forward without burning bridges.
A trusted open-source package turns malicious overnight when a maintainer account gets hijacked. Here's exactly what to do β from detection through remediation β before the damage spreads to your production systems.
You have a Code of Conduct, but now someone has actually violated it. What do you do next? This guide walks through the concrete steps maintainers take to investigate, respond, and enforce β without burning the project down.
You've built something useful and published it under an open source license β but commercial users keep asking if they can use it in proprietary software. Dual-licensing is how you say yes without giving everything away.
If two developers build your project from the same source and get different binaries, you have a trust problem. Reproducible builds fix that β here's how to set them up so anyone can verify your releases.
Removing or changing a public API is one of the most politically charged moves in open source. Get it wrong and you break consumers silently. Get it right and you build trust with your community for years.
The bug is real, the reporter is credible, but you can't reproduce it on your machine. Before you close the ticket as 'works for me', here's a systematic approach to bridging the environment gap.
Your favorite open-source library hasn't had a commit in two years, the maintainer is gone, and a hundred dependent projects are quietly rotting. Here's how to take ownership without fracturing the community around it.
You just realized a database password or API key is sitting in your public GitHub repo's commit history. Here's exactly what to do, from revoking credentials immediately to scrubbing the history so it never shows up again.
A poorly written CONTRIBUTING.md sends first-time contributors down the wrong path and floods your review queue with half-baked PRs. Here's how to write a guide that sets expectations clearly and gets you code worth merging.
Your OSS project just got featured somewhere big and the issues are pouring in. Before you drown in duplicates, vague bug reports, and feature requests, here's a practical triage system that keeps you sane and your contributors productive.