This space available for rent
Michiel Hendriks
Posted on August 25, 2019
Last week the maintainer of a JavaScript package decided to monetize installation of its package through NPM by showing ads after the install.
The response to this was surprisingly quite mixed. I did not expect so many people supporting this idea. Most of the supporters justified this as a valid means to earn money from maintaining the open source project.
The above incident was not the first case. A few months ago another developer decided to beg for a job in a similar way. And there are some more.
I was rather surprised that NPM allows arbitrary code execution during package installation. Seems like a major security issue, which can clearly also be abused in other ways.
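
An added example, not part of the original post: a Node.js audit that lists which installed packages declare the install-time lifecycle scripts (`preinstall`, `install`, `postinstall`) that npm runs during `npm install`. The sample tree and its package names are constructed so the scan runs offline.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
// Lifecycle scripts npm runs on the installing machine during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the install-time scripts one package directory declares, or null if it has no manifest.
function hooksOf(pkgDir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  } catch { return null; }
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = {};
  for (const h of INSTALL_HOOKS) if (typeof scripts[h] === 'string') hooks[h] = scripts[h];
  // With a binding.gyp and no install/preinstall script, npm defaults to `node-gyp rebuild`.
  if (!hooks.install && !hooks.preinstall && fs.existsSync(path.join(pkgDir, 'binding.gyp')))
    hooks.install = 'node-gyp rebuild (npm default)';
  return { name: (manifest && manifest.name) || path.basename(pkgDir), hooks };
}

// Walk a node_modules directory, following @scope folders and nested node_modules.
function findInstallHooks(nodeModules, found = []) {
  if (!fs.existsSync(nodeModules)) return found;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith('@')) { findInstallHooks(dir, found); continue; }
    const info = hooksOf(dir);
    if (info && Object.keys(info.hooks).length) found.push({ dir, ...info });
    findInstallHooks(path.join(dir, 'node_modules'), found);
  }
  return found;
}

// Constructed sample tree (package names are made up) so the scan runs offline.
function buildSampleTree() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-')), 'node_modules');
  const put = (rel, manifest) => {
    fs.mkdirSync(path.join(nm, rel), { recursive: true });
    fs.writeFileSync(path.join(nm, rel, 'package.json'), JSON.stringify(manifest));
  };
  put('quiet-lib', { name: 'quiet-lib', scripts: { test: 'node test.js' } });
  put('ad-banner', { name: 'ad-banner', scripts: { postinstall: 'node banner.js' } });
  put('@scope/native', { name: '@scope/native', scripts: { install: 'node build.js' } });
  put('quiet-lib/node_modules/nested', { name: 'nested', scripts: { preinstall: 'echo hi' } });
  return nm;
}
for (const p of findInstallHooks(buildSampleTree())) console.log(p.name, p.hooks);
```

Point `findInstallHooks` at a project's real `node_modules` to review it; `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops npm from running these hooks at all.
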
So what is your take on this? Is your console output available for others to rent out?