Why We're Pausing External Pull Requests

18 Jun 2026

Today we're changing how we accept contributions to Documenso. Going forward we will no longer merge external pull requests, with one exception: a small group of trusted contributors who we'll reach out to directly. If that's you, you'll hear from us.

This isn't a decision we made lightly. Documenso has been open source since day one, and contributions from people outside our team have shaped the project in ways we're grateful for. Here's why we're doing it anyway.

Why we're making this change

The supply chain attacks hitting our ecosystem have gotten worse, and they've gotten smarter.

For some time now we've watched a steady stream of incidents move through open source as a whole, and through the npm ecosystem in particular: compromised maintainer accounts, malicious post-install scripts, typo-squatted packages, dependencies that behave perfectly until the moment they don't. The targets keep getting higher profile, and the techniques keep getting harder to catch by eye.

We feel this every day. There's already a real measure of caution that comes with simply running npm install, even with package cooldowns and the other guardrails we have in place. When pulling dependencies carries that kind of weight, merging code written by someone we don't know carries more.

Why this lands on pull requests

A pull request is an invitation to run someone else's code inside your project. That's what makes open source collaboration powerful, and it's also what makes it a vector.

A signing platform is a sensitive place for that risk to live. People trust Documenso with legally binding documents, and self-hosters trust the code they pull from us to be safe to run in their own environments. Every line that lands in the project is something our users and self-hosters end up depending on. As these attacks grow more sophisticated, we're no longer comfortable accepting the risk that comes with merging external code into a project this many people rely on.

Reviewing harder doesn't solve it. The more sophisticated attacks are built to survive a careful review. The only reliable way to keep this class of risk out is to not take it on in the first place.

What we still want from you

Closing PRs doesn't mean closing the door on the community. We still want your input, just routed differently.

The best way to contribute going forward is through high-quality issues. A strong issue, for us, looks a lot like a spec. The more detail the better:

  • The problem you're trying to solve, and who it affects

  • How you'd expect the feature or change to behave

  • Edge cases, constraints, and anything you've already considered

  • Examples, mockups, or references where they help

If a proposal is well thought out and fits where Documenso is heading, we'll pick it up and build against it. A clear, detailed issue is far more useful to us than a PR we can't safely merge.

What happens to existing and new PRs

If you already have a pull request open with us, it may still be merged as normal. We're not closing the door on work that's already in flight.

For new pull requests, expect most of them to be closed with a request to open an issue instead. If that happens to you, it isn't a judgement on your work. We're applying this consistently so the rules stay clear for everyone.

Documenso is still open

Documenso stays open source. The code is still public. You can read it, audit it, learn from it, run it yourself, and fork it if need be. We've always been fine with forking, and that hasn't changed.

What we're adjusting is who can merge code directly into the project we ship and maintain. That's narrower than openness, and we'd rather be upfront about tightening it than quietly carry the risk instead.

Closing thoughts

This was a hard call. But weighing the openness of our contribution process against the safety of the people who depend on Documenso, their safety has to come first.

This is the right call for where things stand today. As the ecosystem and the tooling around supply chain security improve, our approach can change too, and we'll keep you posted if it does.

If you want to talk it through, come find us on Discord. And if you have a feature in mind, open an issue and tell us about it.

Documenso

© 2026 Documenso, Inc. All rights reserved.