At Tidepool we develop open-source software, but we also use a lot of open-source software to make everything work. It makes sense to give back, and we have done so in the past. For example, we gave a donation to electron-builder, as we use it to manage our build and auto-update process for the Tidepool Uploader.

One recent option to make it easier to support open-source efforts is Tidelift, which pays open-source contributors to maintain their software, notify users of vulnerabilities and assist with licensing issues. To be honest, I think NPM v6 already does a good job handling security vulnerabilities using the npm audit tool. GitHub now also notifies you of critical vulnerabilities. Licensing is complex, and time will tell how Tidelift does there. That leaves paying contributors to maintain their software.

Another option that I tried in the past is npx thanks. It scans your package.json and tells you if there is a donations page, Patreon or something similar available for the maintainer of any packages you use. I think it's a great idea, but it does mean that you'll have to contribute to each maintainer individually, which is more time-consuming than just paying for a Tidelift subscription.