We've been trying to keep up with nodesecurity.io's recommendations -- always trying to keep ahead of the issues, but the npm module pkgcloud has fallen far behind in updates.

Rather than rewrite our backend to use a different packages (we need Rackspace Cloud & AWS S3) I worked on a fix to at least address the security issues, nothing else, simple short PR that just updates versions and fixes some broken unit tests (they broke due to having incompatibility with the newer versions of one of the dependencies with security issues), but admittedly does not fix all unit tests (leaves alone the ones already broken in the master branch/current release).

It's been 7 days, I've been contacted by two of the four admins, who say they wish they had more time, but never responded to requests to join the team, or even just review the PR (it would take minutes!).

Now comes the absurd portion: this repo is the official SDK of Rackspace Cloud for Node.js! One of those that contacted me was their representative on the project.

It seems ridiculous to me not only that they've gotten this far behind, but one of their own customers gives them the code to solve the issues, and they still don't take it. Granted, this repo serves many other cloud services too, but they're not calling this their official SDK (as far as I know).

So, do I put more effort into putting pressure on this? I hate to go into full out name & shame mode but we all know whenever major security incidents happen it's generally been found that the solution was out there for a while and ignored. I could (quietly) fork as well -- just have an alt-repo that has the security patches and nothing else until something happens in the main repo.

So the main thing I wondered was if in the history of Node.js modules, is there some kind of accepted waiting period until repo admin teams can get organized before you start sounding the alarms, or do people usually just quietly fork projects and carry on that way?