Open Source Maintainers Owe You Nothing — Stop Acting Surprised
You took the gift, shipped it to production, billed your client for the work, and now you're angry that the gift didn't come with a service contract. Read the license again.
Every popular open-source license contains the same paragraph, usually in screaming all-caps. The MIT license puts it like this: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. The Apache, BSD, and GPL versions are functionally identical. You agreed to that paragraph the moment you ran npm install. You agreed again when you committed the lockfile.
And yet, with metronomic regularity, the public watches a maintainer set their own project on fire — sabotage a release, lock issues, walk away — and reacts with shock. The shock is the part that should embarrass us. The deal was always this deal. We just stopped reading.
The myth we built
For two decades, the industry has been freeloading on the unpaid labor of a handful of weirdos who happened to enjoy writing parsers and crypto libraries on weekends. We built trillion-dollar software stacks on top of their hobbies. We absorbed their work into our companies, their work into our resumes, their work into our IPOs. And in exchange we offered: a GitHub star and a tweet.
Then, when one of them gets tired — or has a kid, or develops an opinion we don't like, or simply stops finding the project fun — we react like a customer denied a refund. How could they? They have users. They have responsibilities.
To whom?
Real cases, not hypotheticals
- Marak Squires, the maintainer of colors.js and faker.js, sabotaged his own packages in early 2022. The discourse called him unhinged. He had been begging for sponsorship for years. Tens of thousands of companies depended on his code. He had thirty-seven dollars in his Open Collective.
- Andrey Sitnik, who wrote PostCSS and Autoprefixer — used by basically every CSS toolchain on Earth — has spoken openly about the math: hundreds of millions of weekly downloads, full-time burden, donations that wouldn't cover rent in any major city.
- Daniel Stenberg wrote curl. It runs on every smartphone, every car, every Mars rover. Companies bill him for security questionnaires. He bills them nothing.
- Lasse Collin maintained xz-utils alone, was social-engineered for years by a state-actor-grade attacker, and the resulting backdoor (CVE-2024-3094) almost shipped to every Linux distribution on Earth. The lesson the industry took away was "single maintainers are a supply-chain risk." The lesson should have been "we built civilization on one guy."
The obvious counter
"But they chose to publish it. They chose to accept users." They did. They chose to give you a gift. The act of giving a gift does not establish an ongoing obligation to maintain the gift, accept feature requests about the gift, fix the gift on your timeline, or be polite when you demand they do. That is not how gifts work. That is how vendors work, and the maintainer is not your vendor — unless you have paid them, in which case, sure, file a ticket.
If you want a vendor, hire a vendor. If you want a gift, accept the gift on the gift's terms.
The "community" sleight of hand
Watch what happens when a maintainer announces they're stepping back. The replies are almost never "thank you for years of free labor." They are almost always "but who will maintain it?" — as if the project's continuity is the maintainer's moral problem to solve before they're allowed to leave. It isn't. The project's continuity is your problem, the consumer's problem, the company's problem. If continuity matters to you, fund it, fork it, or replace it. Those are the three options. Guilt-tripping the person who built it is not on the list.
The response
If your business depends on an open-source library, treat it like the asset it is. That means:
- Pay maintainers. Not "consider sponsoring." Allocate a real budget line. The math is absurdly favorable: a $50k/year retainer to a critical maintainer is cheaper than one mid-level engineer and saves you ten of them.
- Vendor your dependencies. If a single repo disappearing breaks your build, that is a risk you chose. Mirror it. Audit it. Own the consequences.
- Stop emotional projection. The maintainer is not abandoning you. You were never in a relationship. They were writing code in their free time and you happened to use it.
The open-source social contract was always: here is a thing I made, do whatever you want with it, don't yell at me. The yelling is the violation. Everything else is just software.