
Upstream recap: why are we talking about supply chains?

by Caitlin Bixby
on June 21, 2023


Two weeks ago, for the third year in a row, we hosted Upstream, a virtual, one-day celebration of open source, the developers who use it, and the maintainers who make it. It was our biggest Upstream yet, with hundreds of attendees joining us in discussions about the current state of open source and how to make it better for everyone. 

To start the day, Tidelift co-founder and General Counsel Luis Villa introduced this year’s theme, the accidental supply chain, and followed his welcome keynote with a fireside chat with Jordan Harband, a JavaScript maintainer who helped pick up the pieces when another maintainer of widely used JavaScript packages deleted their GitHub account.


Why are we talking about the accidental supply chain?

Many people dispute that there is an “open source supply chain” at all. Why shouldn't open source be considered a supply chain? Because it is largely made up of volunteers, people who often work independently and who do not think of themselves as suppliers.

As Luis starkly put it, “The median number of maintainers of open source projects is one. Not one company. Not one group of maintainers. One person. Global supply chains are not built of solo artisans.”

Luis Villa quote from Upstream 2023 keynote

How did we get here?

Luis outlined how we got to where we are today: how these systems came to be, the regulations and their consequences, and why maintainers see these government and industry checklists and requirements as unfunded mandates. As these requests keep coming, maintainers are feeling the pressure.

“A majority of maintainers (58%) have either quit or considered quitting maintaining their projects,” Luis said. “And that’s just those who’ve stayed engaged enough to answer our survey.” 

How can we solve these problems?

Luis offered several ideas for how we can improve the current state of affairs:

  • We need to focus on the solo maintainers. In Luis’ words, “Often efforts to participate in this accidental supply chain focus on projects closest to you. Not a bad thing, but it ignores the 99% of projects that are in our dependency trees.”
  • We need to pay maintainers.
  • And we need to create an intentional supply chain.

A maintainer’s perspective

Following the theme of maintainer burnout and demand, JavaScript maintainer Jordan Harband sat down with Luis to discuss how he adopted a popular open source project from a maintainer who no longer had the bandwidth for projects he had been maintaining for well over a decade.

“The more you have a package that gets heavy usage and adoption, the more burden is placed on you, as people complain that things are broken as people ask you to add features,” Jordan said as he explained why maintainers can feel burned out by a project.

Luis Villa and maintainer Jordan Harband

To experience Luis’ full keynote and to hear Jordan’s story, including how he took on the project, you can watch the Upstream talk on-demand here.