E-Ink News Daily

Popular Go library fsnotify raises supply chain alarms after maintainer access changes

A dispute over maintainer access to the popular Go library fsnotify has raised supply chain security concerns, with contributors removed from the project's GitHub organization. No evidence of compromise exists, but the incident highlights vulnerabilities in open source maintenance when project governance is unclear. The library is used by over 321,000 projects, including Kubernetes, and the incident demonstrates how maintainer disputes can create security risks for downstream users.

Background

fsnotify is a widely used Go library for cross-platform filesystem notifications, with over 321,000 dependent projects including Kubernetes. The project has become critical infrastructure in the Go ecosystem.

Source: Lobsters
Published: May 12, 2026 at 11:49 AM
Score: 7.0 / 10