Bits of Language 2.0

Releasing software like it’s 2021

It took some time, but I’ve now updated several of my popular open‑source packages.

Background

I won’t say I didn’t use AI — it’s gotten much better recently and can take on some of the maintenance load. The emphasis is on some, not all: I still plan to ship software as if nothing had changed on this front, the way it was done before autonomous agents and LLMs.

That means manually reviewing commits and, most importantly, performing the actual upload of a release by hand on a machine I have physical access to.

By now we’ve all read stories about hacked package versions (for example in the npm ecosystem) being published because someone gained access to a single point of failure that allowed control of the whole CI/CD toolchain.

I was lucky enough to be contacted early by the PyPI maintainers to strengthen the publishing process, along with thousands of authors of the most‑downloaded Python packages. I’m definitely not handing that over to a machine.

Bottom line

As is often the case with AI and automation, the tricky part is knowing when to stop. Tests and integration pipelines are great, but I'll still have to go through the hassle of publishing packages by hand.

If you want to see more about the updates, check out my GitHub profile.


Shoutout to the Mataroa platform — glad to be here.