Solo maintainers of critical npm packages have a 36% annual probability of abandoning projects depended on by millions

Of the 28 million npm package releases, 16 million are maintained by a single person, and 60% of these solo maintainers are unpaid volunteers. Critical dependencies have a 36% chance of losing their only contributor in any given year, meaning the entire JavaScript ecosystem rests on individuals who could walk away at any time. Why it matters: solo maintainers burn out and stop responding to issues; critical security patches then go unshipped for months; downstream applications inherit the unpatched vulnerabilities; enterprises running production systems on those dependencies face breach risk; and end users' personal data and financial information become exposed at scale. The structural root cause is that package managers like npm have no mechanism to flag or intervene when a widely depended-upon package has a bus factor of one, and neither the corporations consuming these packages nor the npm registry itself provides systematic financial support or succession planning for solo maintainers.

Evidence

According to the 2024 Tidelift State of the Open Source Maintainer Report (surveying 437 maintainers), 60% of maintainers are unpaid, 61% of unpaid maintainers work alone, and 60% have quit or considered quitting. Socket.dev's 2024 analysis found that of 28 million npm releases, 16 million have a single maintainer, and critical dependencies have a 36% annual attrition rate. The Kubernetes External Secrets Operator project froze all updates after four of its five maintainers burned out, leaving enterprise users of a critical secrets management tool without security patches.
