Hi HN, I'm maintaining an OSS project, and someone raised a PR a few days earlier, and since then, 20K+ LoC has been added to the PR. There are two new accounts, but they lack details on how to contact them, only providing usernames.
PR: https://github.com/srbhr/Resume-Matcher/pull/497
Accounts: 1. https://github.com/lololop67 2. https://github.com/ririyoungG
I've also found out from the PR that they're hosting the project somewhere, without any data disclaimer. Since this project is an AI resume builder, the accounts hosting the project can easily extract private data, such as phone numbers, emails, and addresses, and use it for malicious purposes, scams, etc. And that's what I'm more worried about. :(
I never intended to paywall this project. My goal was to provide a local first alternative to some online resume builders, and the accounts are doing the exact opposite, and they've hosted it at: https://gojob.ing/
I've tried commenting on the PR about the features they're working on, but I haven't received any replies so far.
What am I supposed to do here?
You probably want to turn on manual approval for running ci on external prs
As much as it's great to have a fully automated process, sometimes a thin audit layer is worth it's weight in gold. Seems like the volume on this repo wouldn't be too bad in this case.
Close the PR, and if they open a new one, block them from the org.
There is a setting to prevent PRs from recently created accounts, you might want to turn that on too: https://docs.github.com/en/communities/moderating-comments-a...
Close it?
just close it