"Pin vulnerable package versions like lodash to attract security fix PRs." That is actual advice from Andrew Nesbitt's new satirical guide on attracting AI bots to your open source project. It reads like a how-to. It functions as an autopsy.
Nesbitt, a well-known figure in the open source dependency ecosystem, published the piece as a deadpan instruction manual: write vague issues without reproduction steps, label everything "good first issue," maintain 200+ open issues to signal you are understaffed, and for maximum effect, commit your node_modules directory. The fake stats are pitch-perfect too - a claimed "3:1 ratio of AI to human PRs" as an industry benchmark, and early adopters supposedly seeing a "400% increase in weekly PR volume."
The joke lands because the problem is real. JavaScript repositories, Nesbitt notes with a straight face, receive 3.8x more AI-authored pull requests than projects in other languages. Anyone maintaining a popular open source repo in 2026 has seen this firsthand: drive-by PRs that fix typos nobody reported, security patches generated by bots scanning for outdated dependencies, and "contributions" that break more than they fix.
The Real Cost of Junk PRs
The satire's sharpest edge is in what it implies about maintainer time. Every AI-generated PR still needs a human to review it, test it, and close it. When your repo is getting nearly 5 bot PRs a month (Nesbitt's fictional target for 500+ star repos), that is real labor being extracted from people who are usually unpaid volunteers.
Nesbitt's suggested "AI amendments" to the Contributor Covenant and his recommendation to add a .github/copilot-instructions.md welcoming automated contributions are funny precisely because some projects are already doing the opposite - adding explicit policies to reject AI-generated contributions, or requiring contributors to confirm their PR was not auto-generated.
What This Means for AI Coding Tools
Tools like GitHub Copilot, Cursor, and Claude Code are genuinely useful for developers working on their own projects. The problem is not AI-assisted coding. The problem is AI-automated contributing - bots that scan for open issues, generate patches, and submit PRs with zero human judgment about whether the change is wanted or correct.
The distinction matters. A developer using Copilot to write better code for a project they maintain is productive. A bot that reads a vague issue titled "something is off with the auth flow" and submits a hallucinated fix is a tax on everyone involved.
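One way a maintainer could enforce the "confirm your PR was not auto-generated" policy mentioned above, screening incoming pull requests the way a triage script would: this is an added example, not code from Nesbitt's guide or from any project it names. The checkbox wording, the `screen_pr` function and the sample PR payloads are assumptions of this example; the payload fields `user.login`, `user.type` and `body` mirror what GitHub's pull request API returns.

```python
import re
from dataclasses import dataclass, field

# Assumed policy text: the PR template ends with this checkbox and the
# contributor must tick it. The wording is this example's own convention.
CONFIRMATION = r"- \[x\] I confirm this pull request was not auto-generated"


@dataclass
class Verdict:
    author: str
    accept: bool
    reasons: list = field(default_factory=list)


def screen_pr(pr: dict) -> Verdict:
    """Apply a 'no automated contributions' policy to one PR payload.

    `pr` mirrors the pull request object GitHub's REST API returns;
    only user.login, user.type and body are read.
    """
    reasons = []
    user = pr.get("user", {})
    body = pr.get("body") or ""
    # 1. Accounts GitHub marks as bots (user.type == "Bot") carry none of the
    #    human judgment the policy asks for, whatever the PR body says.
    if user.get("type") == "Bot":
        reasons.append("author is a bot account")
    # 2. The human-authorship checkbox must be ticked ([x] or [X]).
    if not re.search(CONFIRMATION, body, flags=re.IGNORECASE):
        reasons.append("missing human-authorship confirmation")
    # 3. An empty description gives a reviewer nothing to test the change against.
    if not body.strip():
        reasons.append("empty PR description")
    return Verdict(author=user.get("login", "?"), accept=not reasons, reasons=reasons)


# Constructed sample payloads (not real pull requests).
SAMPLE_PRS = [
    {"user": {"login": "maintainer-friend", "type": "User"},
     "body": "Repro in #123.\n\n- [x] I confirm this pull request was not auto-generated"},
    {"user": {"login": "patchbot[bot]", "type": "Bot"},
     "body": "Automated dependency update."},
    {"user": {"login": "drive-by", "type": "User"},
     "body": ""},
]


def triage(prs: list) -> dict:
    """Screen every PR and index the verdicts by author login."""
    return {v.author: v for v in map(screen_pr, prs)}


if __name__ == "__main__":
    for v in triage(SAMPLE_PRS).values():
        print(v.author, "ACCEPT" if v.accept else "HOLD", v.reasons)
```

A verdict of HOLD is a signal for the maintainer, not an automatic close; the point is that a PR lacking the confirmation never reaches the review queue as if it were a vetted human contribution.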
Nesbitt's piece is short and worth reading in full. It is the kind of satire that works because you cannot immediately tell if it is serious - which says everything about where open source contribution culture stands right now.