The Setup

In January 2022, a developer named Marak Squires deliberately broke two npm packages he maintained, colors and faker, and wiped the faker repository. Combined, they had been downloaded more than 20 million times per week. Thousands of open-source projects depended on them. Alongside the wreckage he left a message explaining why: he had been doing the work for free for years while companies built profitable products on top of it, and he was done.

The sabotage itself was not subtle. He published a new version of colors that entered an infinite loop, printing "LIBERTY LIBERTY LIBERTY" followed by lines of garbled characters to the console of any application that loaded it. Anything that declared colors with a caret range and no lockfile pin pulled the broken release in automatically on its next install, so until npm rolled the package back, production software at companies around the world was emitting nonsense. Then the maintainer of a key dependency for the JavaScript community just… walked away.

The incident received some press coverage, generated a few days of Twitter debate, and then was largely forgotten. That forgetting is the real story.

What Happened

Squires had maintained colors since 2011, a decade of work with no compensation. He had at one point posted a note in the project’s GitHub issues asking for corporate sponsors, citing basic financial need. No significant funding materialized. The companies relying on his library, many of them generating substantial revenue, treated the project as furniture.

This is not unusual. The open-source supply chain that runs modern software is maintained by a small number of individuals, most of them unpaid or severely undercompensated. The Log4Shell vulnerability, disclosed in December 2021 and considered one of the most serious security flaws in years, existed inside a Java logging library called Log4j, a project hosted by the Apache Software Foundation and maintained by a handful of volunteers. Those maintainers said publicly at the time that they were working around the clock, unpaid, to ship patches while the software industry, including many large enterprises, scrambled to protect systems that had relied on Log4j for years.

The financial math here is not complicated, which makes it more striking. A library with tens of millions of weekly downloads generates zero direct revenue for its maintainer. The companies consuming it capture the value. The individuals creating it bear the maintenance burden.

[Figure: a branching dependency tree in which thousands of nodes trace back to a single highlighted root node. Caption: Modern software stacks can have thousands of dependencies, many tracing to a single maintainer.]
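The figure's point can be checked against a real project rather than taken on faith. The script below is an added example, not code from the original article or from any of the projects it mentions. It walks the "packages" map of an npm lockfile (package-lock.json, lockfileVersion 2 or 3), attributes every package to its registry maintainers, and reports each person who is the sole maintainer of something in the tree together with how many packages sit above them. The lockfile and the maintainer table are constructed for the example; on a real project the lockfile is the one in the repository and the maintainer lists come from `npm view <pkg> maintainers --json`.

```javascript
// Constructed lockfile fragment (same shape as package-lock.json v3). The
// package names are made up; "log-colors" and "fake-data" stand in for the
// kind of single-maintainer leaf packages the article describes.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { 'web-framework': '^4.0.0', 'cli-tool': '^2.1.0' } },
    'node_modules/web-framework': { version: '4.2.0', dependencies: { 'log-colors': '^1.4.0', 'fake-data': '^5.5.0' } },
    'node_modules/cli-tool': { version: '2.1.3', dependencies: { 'log-colors': '^1.4.0', 'ansi-width': '^3.0.0' } },
    'node_modules/log-colors': { version: '1.4.44' },
    'node_modules/fake-data': { version: '5.5.3' },
    'node_modules/ansi-width': { version: '3.0.1' },
  },
};

// Constructed registry metadata: package name -> maintainer usernames
// (what `npm view <pkg> maintainers --json` would return, reduced to names).
const MAINTAINERS = {
  'web-framework': ['org-bot', 'alice', 'bob'],
  'cli-tool': ['carol'],
  'log-colors': ['solo-dev'],
  'fake-data': ['solo-dev'],
  'ansi-width': ['dave', 'erin'],
};

// Build name -> { versions: Set, deps: Set } from the lockfile's packages map.
// Keys look like "node_modules/foo" or "node_modules/foo/node_modules/@s/bar";
// the package name is whatever follows the last "node_modules/". Nested copies
// of the same name are merged, since the question is "who maintains this code",
// not which exact copy was installed.
function buildGraph(lockfile) {
  const graph = new Map();
  const marker = 'node_modules/';
  for (const [key, entry] of Object.entries(lockfile.packages)) {
    const name = key === '' ? (entry.name || 'root') : key.slice(key.lastIndexOf(marker) + marker.length);
    const node = graph.get(name) || { versions: new Set(), deps: new Set() };
    if (entry.version) node.versions.add(entry.version);
    for (const dep of Object.keys({ ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) })) {
      node.deps.add(dep);
    }
    graph.set(name, node);
  }
  return graph;
}

// Every package reachable from `start` by following dependency edges.
// Iterative DFS, so dependency cycles (legal in npm) terminate.
function reachableFrom(graph, start) {
  const seen = new Set();
  const stack = [start];
  while (stack.length) {
    const cur = stack.pop();
    for (const dep of graph.get(cur)?.deps || []) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  return seen;
}

// Packages (root included) whose transitive dependency closure contains `pkg`.
function dependentsOf(graph, pkg) {
  const out = [];
  for (const name of graph.keys()) {
    if (name !== pkg && reachableFrom(graph, name).has(pkg)) out.push(name);
  }
  return out.sort();
}

// For every maintainer who is the only maintainer of at least one package in
// the tree: which packages, and how many packages depend on them. Packages with
// no metadata are skipped here; in a real audit, missing ownership data is
// itself a finding worth chasing.
function soleMaintainerReport(graph, maintainers) {
  const byMaintainer = new Map();
  for (const name of graph.keys()) {
    const owners = maintainers[name];
    if (!owners || owners.length !== 1) continue;
    const m = owners[0];
    const rec = byMaintainer.get(m) || { maintainer: m, packages: [], dependents: new Set() };
    rec.packages.push(name);
    for (const d of dependentsOf(graph, name)) rec.dependents.add(d);
    byMaintainer.set(m, rec);
  }
  return [...byMaintainer.values()]
    .map((r) => ({ maintainer: r.maintainer, packages: r.packages.sort(), dependents: r.dependents.size }))
    .sort((a, b) => b.dependents - a.dependents || a.maintainer.localeCompare(b.maintainer));
}

if (typeof require !== 'undefined' && require.main === module) {
  const graph = buildGraph(LOCKFILE);
  for (const r of soleMaintainerReport(graph, MAINTAINERS)) {
    console.log(`${r.maintainer}: sole maintainer of ${r.packages.join(', ')}; `
      + `${r.dependents} of ${graph.size} packages in the tree (root included) depend on them`);
  }
}
```

On the constructed tree the output ranks "solo-dev" first: two leaf packages, with the application and both of its direct dependencies sitting above them. That is the shape the figure is drawing, and the point of running it on your own lockfile is that the packages with the widest reach are usually not the ones anyone chose to depend on.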

The open-source funding problem has a structural explanation. Most companies that use open-source libraries treat them as a procurement decision that already happened. The library is there, it works, and nobody's budget shows a zero next to it because it was never a line item at all. Software purchasing processes are designed to evaluate vendors who send invoices. They have no mechanism for routing money toward a person on GitHub who has been fixing bugs since 2011.

Why It Matters

The Squires incident and Log4Shell happened within weeks of each other, which created a brief moment of industry self-reflection. In January 2022 the White House convened major technology companies, with the Linux Foundation and its Open Source Security Foundation in the room, to address open-source security. Google had already committed $10 billion over five years to cybersecurity the previous August, and several companies now pledged support for the Open Source Security Foundation.

This looked like progress. It was, in some respects. But the structural problem, who pays individual maintainers for ongoing work, was not resolved by pledges to foundations. Foundations fund security audits and organizational overhead. They do not necessarily put money in the hands of the person reviewing pull requests at midnight for a project that 40,000 companies depend on.

GitHub Sponsors and platforms like Open Collective exist precisely to close this gap. The results have been mixed. A small number of high-profile maintainers receive meaningful funding. The long tail of maintainers running critical but unglamorous packages receives almost nothing. The distribution of sponsorship money mirrors the distribution of attention, which means it does not correlate well with actual criticality.

This is relevant to anyone thinking about software risk. Unmaintained software running critical infrastructure is not a hypothetical problem. It is the background condition of modern software development, mostly invisible until something breaks.

What We Can Learn

The colors and faker situation illustrates a specific economic failure. When something is abundant and free, users treat it as infinite. Maintainers experience the costs, which are real: time, attention, bug reports, security patches, compatibility updates across major version changes. Users experience none of the costs and therefore have no incentive to think about them.

This is sometimes called the tragedy of the commons, but it is more precise to call it a pricing failure. Open-source software is priced at zero by convention. That convention made it ubiquitous, which is genuinely valuable. It also made the labor of maintaining it invisible, which is genuinely dangerous.

The companies best positioned to fix this are not doing so at scale. There are exceptions. Cloudflare, Google, and a handful of others employ engineers specifically to maintain open-source projects they depend on. Shopify has paid engineers to work on Ruby on Rails. These arrangements are sensible business decisions: you are dependent on the software, so you fund its maintenance to ensure it continues existing. But they are the exception. Most companies that depend on open-source software have not done this calculation, or have done it and concluded that the free-rider position is economically rational as long as someone else pays.

The free-rider position is rational until it isn’t. Log4Shell was a moment when the cost of the free-rider strategy became apparent all at once. Security vulnerabilities that exist in unmaintained or under-resourced code don’t announce themselves. They accumulate, and then they become someone else’s emergency, usually at the worst possible time.

For individual developers, Squires's story carries a different lesson. The maintainer's relationship with corporate users who contribute nothing is not a partnership; it is extraction. Several maintainers in recent years have responded to this by changing licenses rather than deleting code. HashiCorp moved Terraform from an open-source license to the Business Source License in 2023. Elastic had made a similar move in 2021. The pattern is consistent: a company builds something useful, gives it away, watches cloud providers and large enterprises build profitable products on top of it, and eventually decides the original arrangement was not sustainable.

These license changes are market signals. They say that the social contract of open source (contribute back, or at least acknowledge the gift you are receiving) broke down. The maintainers who can afford to make the change do. The ones who cannot, individuals without corporate backing or a clear monetization path, are left with the same choice Squires made: keep working for free, or stop.

The industry has not solved this. It has acknowledged it, occasionally funded it at the margins, and otherwise continued as before. The next Log4Shell is not a hypothetical. It is sitting in a package with 15 million weekly downloads, maintained by someone who has not received a dollar for it.