Express.js Spam PRs Incident Highlights the Commoditization of Open Source Contributions

A mountain of spam PRs landed in the Express.js project repo after a popular YouTube tutorial used it as an example for contributing to open source. This put a spotlight on the mandate for job seekers to find a way to contribute to OSS.

Sarah Gooding

February 13, 2024


A tidal wave of spam pull requests recently hit the popular Express.js open source project on GitHub after a YouTube tutorial demonstrated how to submit a PR. Apna College, an account with 4.86M subscribers, published a tutorial on Git and GitHub for beginners, which received 1.4M views. Instead of using a practice repo, the tutorial featured the open source Express.js project repo.

What followed was a cascade of meaningless spam PRs, as students blindly followed the tutorial in hopes of landing a low-effort open source contribution.

Apna College has since added a pinned comment to the video, instructing students not to test PRs on official repos:

“Note - Don’t create test PRs or issues on official repositories of projects as it is unprofessional. Try to test all the things in your own repo.”

Commenters called for the account to delete the chapter from the course or remove the tutorial. Unfortunately, the damage had already been done: hundreds of spam PRs had been submitted to the Express.js project, diverting maintainers' attention from meaningful development work.

Although this incident is an unintended consequence of an imprudent demonstration using an official project repository, OSS contributors across the ecosystem were outraged at the wasted time and energy. Some characterized it as an “attack on open source” that filled the Express.js repo with “pages and pages of UTTER GARBAGE.” One commenter likened it to the equivalent of blowing up a place to teach someone about explosives.

Others accused the YouTube channel owners of “selling that ‘Fake FAANG dream’ to millions of students, hurting the rest of programmer ecosystem.” The response escalated to the point where one of the Express.js maintainers said people began emailing maintainers and harassing people in the repo for opening the spam PRs.

No matter how well-meaning the educator may have been, it’s clear the viewers were so new to GitHub that they didn’t understand the impact of what they were doing.

Open Source Contribution Is Not a Shortcut to Employment

The incident is a symptom of a larger issue where people with no experience are being recommended to contribute to open source as a magic bullet for getting hired to their first jobs in tech. It’s not bad advice, but some jobseekers have reduced it to a performative exercise for professional visibility without any understanding of the open source ethos.

The incident is strongly reminiscent of Hacktoberfest spam PRs, which maintainers get to experience on an annual basis. This virtual event, sponsored by DigitalOcean and other community partners, requires participants to make four pull requests in order to get a limited edition Hacktoberfest t-shirt. Over the years it has degraded to attract some of the lowest quality contributions like single-line code and grammar fixes, amounting to an influx of spam PRs for many participating projects.

Express.js’ current spam situation has inspired multiple reaction videos. Most notably, Ping Labs CEO Theo Browne’s spicy take, titled “Don't Contribute to Open Source,” predates this incident but got more play as a result of it.

He posits that “most developers probably shouldn’t contribute to open source.” Part of Browne’s take was inspired by a post on the reactjs subreddit where someone asked for a good open source project that doesn’t require TypeScript, as they “need to start doing open source but can’t find the suitable project.”

“Open source was never about helping someone get started with development,” Browne said. “Open source is about sharing contributions to things you use so others can use them and benefit from them as well. If you don’t know which projects you should be contributing to, it’s because the cart is being put before the horse here.”

Beginners desperately trying to get in open source contributions as part of their resume building are bypassing the intrinsic motivation that is required to contribute to projects in a meaningful way. Learning through engagement with real problems is fundamental to the spirit of open source.

“Open source contributions aren't valuable because they exist,” Browne said. “They're valuable because they show that you've run into real problems with software. Not only did you have those problems, you fixed them, and have been part of the community in that way.

“And even then you should be starting with an issue not with a bunch of code that you're hoping somebody will take the time to mentor you through fixing. Open source is not a place to go for free mentorship. Open source is not a place to go to get a free job. Open source is an ecosystem of people working really hard to keep the web and all of software development alive.”

Browne blamed Hacktoberfest for contributing to this systemic problem and cited a post Domenic Denicola wrote in 2020, calling for an end to the event:

In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community.
So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage.
The rate of spam pull requests is, at this time, around four per hour. And it’s not even October yet in my timezone.

Denicola’s conclusion was that “Hacktoberfest does not support open source. Instead, it drives open source maintainers even closer to burnout.”

Make Yourself Useful

“Make yourself useful,” is a phrase plucked from ancient philosophies and religious texts and later repurposed for the Industrial Revolution. It is something many of us heard growing up. As a kid, you could engage in nearly any self-determined activity as long as you made yourself useful. This broadly applies to open source contribution as well.

Maintainers on popular OSS projects are already impossibly laden with more work than they could ever be paid to do. The vast majority are volunteering their efforts without compensation.

They are also keen to preserve the magic of open source, as, in most cases, the act of contributing is both its own reward and the only reward. In its ideal form, OSS provides a collaborative space where people work together to advance technology and, in the process of doing so, build a higher level of trust amongst each other.

For those looking to improve their resumes - don’t consider open source contributions a shortcut to getting a job or a ticket for free mentorship. Those positive byproducts may come to you but are not guaranteed.

Focus on solving real problems. Discover the problems you enjoy solving and improve the projects that you already use. Gain collaborators’ trust by becoming a person who is willing to put in the work. This is far more valuable than trying to convince maintainers to merge meaningless, no-effort PRs so you can add “open source contributor” to your resume.
