Why I'm Discontinuing A11y-Lens: Supply Chain Security and Ethical Responsibility
Today, I made the difficult decision to discontinue my npm package @karameht/a11y-lens – a real-time accessibility checker for React applications. This wasn't a decision I took lightly, but recent events in the JavaScript ecosystem have made it clear that continuing would be irresponsible.
The Package That Was
A11y-Lens was my contribution to making web accessibility testing more seamless. It brought axe-core directly into the development workflow – no browser extensions, no tab switching, just drop it into your React app and get instant feedback on accessibility issues.
The package gained some traction, developers found it useful, and I was proud of creating something that served the accessibility community. But sometimes, the right thing to do is to stop.
The Wake-Up Call: September 2025
The past few weeks have been brutal for the npm ecosystem:
September 8, 2025: Attackers compromised 18 widely-used npm packages (including chalk, debug, ansi-styles) with over 2.6 billion weekly downloads combined. A sophisticated phishing campaign targeting maintainers led to malicious code being injected to steal cryptocurrency. (Qualys Blog, ArmorCode Analysis)
September 14-16, 2025: The "Shai-Hulud" worm emerged – the first self-replicating malware in the npm ecosystem. Over 180 packages were compromised, including packages from major security companies like CrowdStrike. This wasn't just another supply chain attack; it was an automated, self-propagating threat that used stolen credentials to infect more packages automatically. (Wiz Security Blog, Krebs on Security)
The worm was particularly insidious:
- It scanned for developer credentials using legitimate tools like TruffleHog
- Automatically published malicious versions of packages using stolen tokens
- Created public repositories to dump stolen secrets
- Spread from package to package without human intervention, each newly infected package becoming a source of further infections
Even experienced maintainers at established companies fell victim. If CrowdStrike's packages could be compromised, what chance does a solo developer have? (SecurityWeek, ReversingLabs Research)
The Reality Check
As I watched these attacks unfold, I had to confront some uncomfortable truths:
I Cannot Guarantee Security
Despite my best efforts, I cannot monitor every dependency, every update, every potential attack vector 24/7. The threat landscape has evolved beyond what individual maintainers can reasonably handle.
The Responsibility Is Real
Every person who runs npm install on my package trusts that I'm keeping their projects safe. That's not a responsibility I can fulfill with the resources and time I have available.
My Life Context Matters
I'm a father, family guy, and full-time employee. My side projects, no matter how well-intentioned, cannot receive the level of security oversight they now require. Between family responsibilities, work commitments, and the basic need for work-life balance, I simply don't have the bandwidth to be a responsible package maintainer in today's threat environment.
Choosing Ethics Over Ego
The hardest part wasn't admitting I couldn't maintain the package – it was letting go of something I'd built and was proud of. There's an ego component to open source. You want your packages to live forever, to grow, to be useful.
But ego doesn't protect users from supply chain attacks.
I believe it's more ethical to discontinue a project than to maintain it inadequately. In a world where malware can self-replicate through developer credentials and compromise hundreds of packages automatically, "good enough" maintenance isn't good enough anymore.
What I Did
Rather than just abandoning the project, I took a responsible approach:
- Updated the README with a clear explanation of why the project was discontinued
- Made a final commit documenting the decision
- Marked the package as deprecated on npm with a clear warning
- Published a final version so the deprecation notice appears on npmjs.com
- Archived the GitHub repository to prevent further changes
- Provided alternatives for users who need similar functionality
The deprecation message is honest: "Package discontinued due to supply chain security concerns. See README for details."
Recommended Alternatives
For developers who were using A11y-Lens or need similar functionality:
- @axe-core/react – Official axe-core React integration with professional backing
- eslint-plugin-jsx-a11y – Catch accessibility issues at build time
- Browser extensions – axe DevTools for manual testing
- Professional services – Dedicated accessibility testing platforms
These alternatives have better security infrastructure, more maintainers, and professional backing that individual developers simply cannot match.
A Message to Other Solo Maintainers
If you're maintaining npm packages as a side project, please consider:
- The current threat landscape – automated attacks are the new reality
- Your capacity for security monitoring – be honest about your limitations
- The responsibility you carry – users trust you with their security
- Whether continuation is ethical – sometimes stopping is the right choice
There's no shame in stepping back. The JavaScript ecosystem has grown beyond what hobbyist maintainers can safely manage alone.
Further Reading
For more details on the recent supply chain attacks that influenced this decision:
- Technical Analysis: Wiz Security - Shai-Hulud npm Supply Chain Attack
- Industry Impact: Krebs on Security - Self-Replicating Worm Hits 180+ Software Packages
- Security Perspective: Arctic Wolf - Wormable Malware Causing Supply Chain Compromise
- Developer Response: StepSecurity - @ctrl/tinycolor and 40+ NPM Packages Compromised
- Enterprise Analysis: Qualys - When Dependencies Turn Dangerous
To the Accessibility Community
My decision to discontinue A11y-Lens doesn't reflect any loss of faith in web accessibility. If anything, it reinforces how important it is that we build accessible experiences with reliable, well-maintained tools.
I encourage you to:
- Keep building inclusive web experiences
- Choose tools with professional backing and security infrastructure
- Contribute to established accessibility projects rather than starting new ones
- Support organizations like Deque Systems who can maintain tools properly
Final Thoughts
This wasn't the ending I envisioned when I started A11y-Lens, but it's the right ending given current realities. The supply chain attacks of September 2025 have fundamentally changed what it means to be responsible in open source.
Sometimes leadership means knowing when to step aside. Sometimes ethics means disappointing people who depend on your work. Sometimes the most helpful thing you can do is stop.
I'm proud of what A11y-Lens accomplished during its brief life. I'm even more proud of how it ended – responsibly, transparently, and with users' security as the top priority.
Stay safe out there. Build accessible. Choose your dependencies wisely.