A maintainer dispute in fsnotify, a widely used Go filesystem notification library with 321k dependent projects, briefly raised supply chain concerns after contributors were removed from the GitHub organization and recent releases came under scrutiny. Maintainer Martin Tournoij removed access from Yasuhiro Matsumoto (mattn) and others, citing rushed merges, insufficient cross-platform review, and an unauthorized sponsorship file update. Matsumoto had stepped in to help after automated scanners flagged the project as unmaintained due to no release in over a year. No malicious code was found, but the incident highlighted how governance ambiguity in low-level dependencies can trigger downstream verification efforts — with Kubernetes even evaluating potential forks. The episode underscores that unclear maintainer roles and release authority in critical packages can make routine access-control changes indistinguishable from early-stage supply chain attacks.
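The paragraph refers to downstream verification efforts without saying how a consumer actually checks what it is pulling in. One concrete form that check can take for a Go dependency is to diff the go.sum pins for a watched module between a known-good snapshot and the current tree, so that a new version or, worse, a changed hash for an already-pinned version is surfaced for review before it is merged. The program below is an added example written for this page; it is not code from fsnotify, Kubernetes, or the original article. The go.sum contents, version numbers and `h1:` hashes are constructed sample data (only the `module version h1:...` line shape is the real go.sum format), and `DiffWatched` is a hypothetical helper name.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.sum snapshots. The hashes are placeholders, not real
// checksums, and the version numbers are illustrative only.
const baselineGoSum = `
github.com/fsnotify/fsnotify v1.7.0 h1:CONSTRUCTED_zip_hash_v170
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:CONSTRUCTED_gomod_hash_v170
golang.org/x/sys v0.4.0 h1:CONSTRUCTED_zip_hash_sys4
golang.org/x/sys v0.4.0/go.mod h1:CONSTRUCTED_gomod_hash_sys4
`

const currentGoSum = `
github.com/fsnotify/fsnotify v1.7.0 h1:CONSTRUCTED_zip_hash_v170_TAMPERED
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:CONSTRUCTED_gomod_hash_v170
github.com/fsnotify/fsnotify v1.8.0 h1:CONSTRUCTED_zip_hash_v180
github.com/fsnotify/fsnotify v1.8.0/go.mod h1:CONSTRUCTED_gomod_hash_v180
golang.org/x/sys v0.5.0 h1:CONSTRUCTED_zip_hash_sys5
golang.org/x/sys v0.5.0/go.mod h1:CONSTRUCTED_gomod_hash_sys5
`

// Entry is one go.sum line: module path, version (possibly with a "/go.mod"
// suffix for the go.mod-only hash), and the h1: checksum.
type Entry struct {
	Module, Version, Hash string
}

// ParseGoSum parses go.sum text into entries keyed by "module version".
// Blank lines are skipped; any other malformed line is an error, because a
// lockfile we cannot parse is not one we should trust.
func ParseGoSum(text string) (map[string]Entry, error) {
	out := make(map[string]Entry)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		out[f[0]+" "+f[1]] = Entry{Module: f[0], Version: f[1], Hash: f[2]}
	}
	return out, sc.Err()
}

// Finding is one change to the watched module between two snapshots.
// Kind is "new-version" (review the release), "hash-changed" (a pinned,
// immutable version now has a different checksum: stop and investigate) or
// "removed" (a pin disappeared, usually after tidy, still worth a glance).
type Finding struct {
	Kind, Key, OldHash, NewHash string
}

// DiffWatched (hypothetical helper) compares baseline and current go.sum
// entries for a single module path and returns findings sorted by key.
func DiffWatched(baseline, current map[string]Entry, module string) []Finding {
	var findings []Finding
	for key, cur := range current {
		if cur.Module != module {
			continue
		}
		old, ok := baseline[key]
		switch {
		case !ok:
			findings = append(findings, Finding{"new-version", key, "", cur.Hash})
		case old.Hash != cur.Hash:
			findings = append(findings, Finding{"hash-changed", key, old.Hash, cur.Hash})
		}
	}
	for key, old := range baseline {
		if old.Module != module {
			continue
		}
		if _, ok := current[key]; !ok {
			findings = append(findings, Finding{"removed", key, old.Hash, ""})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Key < findings[j].Key })
	return findings
}

func main() {
	base, err := ParseGoSum(baselineGoSum)
	if err != nil {
		panic(err)
	}
	cur, err := ParseGoSum(currentGoSum)
	if err != nil {
		panic(err)
	}
	for _, f := range DiffWatched(base, cur, "github.com/fsnotify/fsnotify") {
		fmt.Printf("%-12s %s old=%s new=%s\n", f.Kind, f.Key, f.OldHash, f.NewHash)
	}
}
```

Run on the constructed inputs, the tool reports a `hash-changed` finding for the already-pinned v1.7.0 zip and two `new-version` findings for v1.8.0, while ignoring the unrelated `golang.org/x/sys` bump. In a real pipeline the baseline would be the go.sum from the last reviewed commit and the current one from the proposed change; a `hash-changed` result for an existing version should block the merge, since the Go checksum database is meant to make that impossible for an honest upstream.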
Table of contents

- Removed maintainer sounded the alarm after losing access
- Maintainer removed access over rushed merges and sponsorship changes
- Kubernetes users weighed forks and alternatives