There wasn't even a "what is this" or "please explain". I feel like blocking should be reserved for disruptive behavior or spam. At best this seems like an accident, at worst it seems wildly immature.
But to my eyes, this PR does look like spam. It has no description, its title and commit messages are meaningless. Changing random auxiliary files is also a common sign of PR spam. This PR really looks no different from other spam PRs that popular GH repos have to deal with all the time.
This is not the right way to contribute to a project. If I were the maintainer, I wouldn't engage with it either, just like I don't reply to spam emails.
Your spam detector is broken. It was opened by an account that's clearly human with more than 10 years of history. It was closed by the author themselves 2 hours after they opened it. It's got WIP commits that were clearly written by a human thinking through the process.
What about this reads as spam to you? They just forgot to fill the description portion of the PR.
If someone opens a PR to one of my repos with no context, I ban them.
There’s too much AI spam out there right now.
Publishing ‘@provenance-labs/lodash’ as a test, I suppose. Ok. Leaving it up? Looks like spam.
Badgering the author in a private email? Mmm. Definitely not.
This isn’t a bug, it’s a feature. There’s a contributing guide which clearly says: unless a feature gets community interest, it’s not happening. If you want a feature, talk about it, rouse community interest.
Overall: maybe this wasn’t the right way to engage.
Sometimes you just have to walk away from these situations, because the harder you chase, the more it looks like you’re in the wrong.
…it certainly looks, right now, like the lodash author wasn’t out of line with this, to me.
> Overall: maybe this wasn’t the right way to engage
Lex Livingroom. If you are among friends you can surely criticize a sweater, but if you come barging in uninvited and criticize the same sweater, you're in for a bad time.
Foreign PRs with malicious GitHub Actions attached are a common vector for the very supply chain attacks OP was trying to mitigate, from what I understand. At first glance a PR like that is incredibly suspicious.
I sympathize with the OP, GitHub makes it outrageously easy to accidentally open an upstream PR when you meant to open one on your own fork, it's happened to me twice. But I don't blame lodash for blocking them.
Regardless, opening an issue about their release process obviously should have been done first.