October. Home to a lot of nice festivals like Oktoberfest and Hacktoberfest. But since this is more of a developer blog than a beer-drinking enthusiasts blog (although, there seems to be a lot of overlap between the two circles) I will focus on the latter.


Every single year, without fail, thousands and thousands of spammy, low-quality pull requests are generated because of Hacktoberfest, and this year is no different. On Twitter, hundreds of open-source repository contributors are already reporting and complaining of spam.

The spam and abuse are so bad this year that there’s even a hashtag on Twitter called #Spamtoberfest - which is not a good look for this year’s Hacktoberfest.

If you want a more in-depth look at the spam and trash that are being submitted on Hacktoberfest, check out this blog article from Drew DeVault.

So why is this? Well, it’s because Hacktoberfest pushes the entirety of moderation over to repository owners. To disqualify users, repository developers must manually mark their contributions as invalid. Only then will the Hacktoberfest system delete the pull reuqest from the user’s submissions.

Now, this is a pretty bad idea. Because now developers need to handle two things - developing on the original repository and filtering out the spammers from Hacktoberfest.

(If you’re a spammer reading this, come on, guys. It’s literally a freaking T-shirt. It’s not worth spamming others over and making developers and maintainers tired. If you are that desperate, shut off your computer, save a couple dollars on your electricity bill and buy yourself a T-shirt. You get all the benefits of Hacktoberfest without actually poorly participating and pissing off developers.)


So here is my “Pull Request” to Hacktoberfest, asking for some regulations to be changed so that next year (or perhaps even this year if the admins could quickly adapt their system) we will have a better experience.

  1. Remove the 4 pull requests requirement. You Hacktoberfest organizers said it yourself - quality over quantity. But by setting an arbitrary quantity of pull requests, thousands of beginners are now submitting low-quality pull requests because they believe any pull requests count. Instead, set the limit to one quality pull request. One. Idiots are not going to be deterred by the 4 count requirement, since they will submit spam anyway, but by reducing the requirement down to one quality pull request less pull requests will be submitted overall.
  2. If a pull request is marked as invalid, even one pull request, then the user should be disqualified from this year’s Hacktoberfest. I know this rule might be up for abuse, but hear me out. We developers actually like pull requests that are not even that big - things like small typos in documentation and what not. So to get your pull request marked as invalid would mean that your pull request is actually very low-quality and not worth consideration. Of course, users should have a way to appeal the invalid marker just in case the pull request is legitimate.
  3. In addition to pull requests, Hacktoberfest participants should submit a report of how they contributed to open source during Hacktoberfest. Then DigitalOcean should review these reports and award participants if they think the contributions to open source were worth it. You can’t brag about adding spam to repositories, and even if you do, there should be a moderation team at DigitalOcean just to be fair. Why should us developers have to be the sole source of moderation? Now that is not fair at all.
  4. Or, Hacktoberfest should move away from the model of “submitting pull requests” entirely. Why not “fixing bugs in open source software?” Or “improving documentation?” There are probably millions of bugs, with most of them being low-hanging fruit for contributors. If Hacktoberfest was actually about making open source software better for everyone, then why not focus on things that actually help these repositories? Why not make it so that contributions are bug fixes instead of random pull requests? This will filter out a significant chunk of spam and it will make it so that actual developers looking to get their feet wet can participate in Hacktoberfest.


In the meantime, if you’re a developer, here are some of the ways you can stop the barrage of spam.

First off, there is even a tool on GitHub Marketplace (wow) that filters out the spam pull requests. Yup, the situation is that bad. So you can probably try using that with blocklists in order to filter out the nasty little spammers.

Or, as this tweet suggests, you could archive the repository until November. But doing so will likely block out actual contributors, so this is not a very good solution.

Or, ask the Hacktoberfest team to mark your repository as an illegible repository - that will definitely stop spammers, since there is no longer an incentive to submit to your repository. This might sound like a bad thing, until you consider that all you’re blocking out is free T-shirts anyway.


I’m not saying Hacktoberfest is a bad thing. I’ve participated in Hacktoberfest myself since 2018, minus the spamming and abuse. In 2019 I wrote a blog post (unfortunately lost through blog migrations) detailing the current state of Hacktoberfest and how maintainers had to deal with spam pull requests.

Hacktoberfest isn’t necessarily a bad idea. It’s just that the execution is flawed. And with the suggested changes above, I hope that DigitalOcean and the participating companies could help restructure the execution of the project so that we would get less spam and abuse overall, while still creating a fun environment for developers to get started with open source contributions.

Update - October 3

Hacktoberfest now requires repositories to opt-in to the challenge as of October 3rd (any pull requests made before today are exempt from this requirement).

This is a good step in reducing overall spam. Maintainers who do not wish to participate don’t have to go through an opt-out process, and repositories where there are a lot of maintainers and developers that can moderate pull requests can opt-in to Hacktoberfest. It’s not a perfect solution, but it’s better than nothing.