by nailer 3810 days ago
This happened with node-inspector for a while: StrongLoop became the official sponsor, and basic stuff like 'var x = 1; console.log(x)' returning undefined was left unfixed for years while the company simultaneously used it as advertising for how great their node contributions were.

I've been frustrated with their code on a few occasions. We've seen breaking changes in patch versions on strong-remoting, PRs rebased out of patch releases with no explanation (and nobody could figure out why/how), and intentional abuse of npm's optionalDependencies to track users (https://github.com/strongloop/loopback/issues/1079).

This tracking is not only unethical but exceptionally dangerous, as the dependency is fetched over HTTP, and as we know, npm modules essentially have full user access as they can spawn any command via the `postinstall` hook. So a MITM could pose as blip.strongloop.com and own any servers calling out to it.

I've ended up forking every strongloop package we use to trim this tracking abuse. I really shouldn't have to do that.
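The two risks the comment above raises, a dependency pulled over plain HTTP and a lifecycle hook that runs arbitrary commands at install time, can both be caught before `npm install` runs by inspecting the manifest. The following is an added example written for this page, not code from the thread or from StrongLoop: a small Node.js audit that walks a `package.json`, flags any dependency whose spec is an `http://` tarball or other non-registry source, notes entries in `optionalDependencies` (where a silent install failure makes a beacon easy to hide), and lists install-time lifecycle scripts. The manifest it runs on is constructed for illustration; the beacon hostname in it is a placeholder, not a real host.

```javascript
// Added example (not from the HN thread): audit a package.json for
// dependencies fetched without TLS and for install-time lifecycle hooks.
// All names here (auditManifest, classifySpec, the sample manifest) are
// assumptions for illustration, not any project's real code.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// Hooks npm runs automatically during install; each can spawn any command.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Classify a dependency spec by where npm would fetch it from.
function classifySpec(spec) {
  if (/^http:\/\//i.test(spec)) return 'plain-http-url';   // no transport integrity
  if (/^https:\/\//i.test(spec)) return 'https-url';       // TLS, but still unpinned
  if (/^(git\+|github:|gitlab:|bitbucket:)/i.test(spec) || /^[\w-]+\/[\w.-]+$/.test(spec)) return 'git';
  if (/^file:/i.test(spec)) return 'file';
  return 'registry';                                       // semver range or tag
}

// Walk every dependency field and the scripts block, returning findings.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(String(spec));
      if (kind === 'plain-http-url') {
        findings.push({ severity: 'high', field, name, spec,
          reason: 'tarball fetched over plain HTTP; an on-path attacker can substitute contents' });
      } else if (kind !== 'registry') {
        findings.push({ severity: 'medium', field, name, spec,
          reason: `non-registry source (${kind}); pin to a commit or integrity hash` });
      }
      if (field === 'optionalDependencies') {
        findings.push({ severity: 'info', field, name, spec,
          reason: 'optional dependency: install failure is silent, so a phone-home can hide here' });
      }
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_SCRIPTS) {
    if (scripts[hook]) {
      findings.push({ severity: 'medium', field: 'scripts', name: hook, spec: scripts[hook],
        reason: 'lifecycle script runs arbitrary commands with the installing user\'s privileges' });
    }
  }
  return findings;
}

// Count findings per severity for a quick summary line.
function summarize(findings) {
  return findings.reduce((acc, f) => { acc[f.severity] = (acc[f.severity] || 0) + 1; return acc; }, {});
}

// Constructed sample manifest modelled on the pattern described in the thread:
// a tracking tarball hidden in optionalDependencies and served over plain HTTP.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: { express: '^4.0.0', lodash: '4.17.21' },
  optionalDependencies: { 'usage-beacon': 'http://beacon.example.invalid/beacon-1.0.0.tgz' },
  scripts: { postinstall: 'node ./scripts/report.js', test: 'mocha' },
};

const sampleFindings = auditManifest(SAMPLE_MANIFEST);
for (const f of sampleFindings) {
  console.log(`[${f.severity}] ${f.field}.${f.name} (${f.spec}): ${f.reason}`);
}
console.log(summarize(sampleFindings));
```

Run with `node audit.js` after saving the block; on the sample manifest it reports one high finding (the HTTP tarball), one info finding (the optional dependency) and one medium finding (the `postinstall` hook). As a standing mitigation, `npm config set ignore-scripts true` stops lifecycle hooks from running at all, and a committed lockfile with `integrity` fields means a substituted tarball fails verification rather than being installed.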