by Gigachad 1614 days ago
He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.

Yes, it is particularly shitty to intentionally screw it up. But the system that put so much value on something not happening without any safeguards or obligations is the real problem.

The "move fast and break things" attitude of web development is the cause. A single rogue dev is just an example of the worst happening. In the future I imagine we will have package managers which do not give random individuals so much power. And we will rely on packages from trusted names; Google, for example, has a very very low risk of sabotaging a package compared to a no-name individual. If companies had paid for this package, they could take legal action against the author. But they paid nothing and had no assurances of anything other than a vague hope it would continue to work.


He did something much worse than break a contract, he committed a crime that he could probably be prosecuted for. He did the whole thing with malice aforethought. It looks like fraud at the very minimum - he released a version with the intent to deceive, victims relied on his deception, and they suffered damages as a consequence.
Fraud requires that he used deception (I don't see any evidence that he did) to obtain something of value (again, I don't see it).

The code was open source. The code was published under a new major version number. The code had a descriptive change log that definitely didn't seem congruent with earlier versions. And he wasn't getting paid for it. What thing of value did Marak Squires defraud people of?

I get the sense that people are reacting with extreme hyperbole in their accusations, out of anger that he did something assholish.

Serious question: how is this different from 1Password publishing an upgrade that removes the ability to use standalone vaults in the iOS Safari extension?

At the end of the day, Marak published an update, knowing some people would update the software automatically due to their own workflows, and the update had negative effects on the users. Companies do this all the time and nobody accuses them of installing a "Trojan Horse" or committing a felony.

How did it come to this? Where HN, a place that is supposed to be genuine and curious, believes an act should be acquiesced to or branded a felony based on the individual's personality? Because that seems to be the consensus here and I find it disturbing.

He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.

If there was a bug in his logic that caused an infinite loop in some scenarios he was under no obligation to fix it. While I think he should in that scenario, I would defend his right to leave it. Another maintainer could fix it, someone could fork the package, whatever.

I am not arguing he owed anything to anyone. I am arguing that he is not entitled to maliciously break things on people. He committed it knowing full well most packages would grab it automatically; most people are okay with that, as if it breaks things they can go back a version, no big deal. His package is so popular some people might not even realize that one of their dependencies relies on it.

We can argue about how much time you should invest in knowing your dependencies and checking every commit for them, until we are blue in the face. The reality is he knew most people just can't or won't especially in npm world.

There is no defending a malicious act. He is not entitled to commit code maliciously. OS works because we trust maintainers to do their best to have the best interests of the users at heart. The flip side of that is they are under no obligation to work on it. They can walk away at any time.

If people's idea of OS software starts to include that someone could do something malicious at any moment, that's the beginning of the end of OS.
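The mechanics behind "most packages would grab it automatically" and "people might not even realize that one of their dependencies relies on it" are worth making concrete. The script below is an added example, not code from this thread or from any of the packages discussed: it implements npm-style exact, tilde and caret range matching, walks a constructed dependency tree to find every path that reaches a given package, and reports which of those paths would accept a newly published version on a fresh resolve. The package names (my-app, web-framework, cli-table, log-colors) and the tree are invented for illustration.

```javascript
// Added example (not from the HN thread). Models how npm semver ranges let a
// newly published release land automatically, and finds transitive exposure.
// Package names and the SAMPLE_TREE below are constructed, not real packages.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Does `range` (exact "x.y.z", "~x.y.z" or "^x.y.z") admit `candidate`?
// Prerelease candidates never satisfy a plain range, as in npm's default.
function satisfies(range, candidate) {
  const c = parseVersion(candidate);
  if (c.pre) return false;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (cmp(c, base) < 0) return false;                 // never downgrade
  if (op === '') return cmp(c, base) === 0;            // exact pin
  if (op === '~') return c.major === base.major && c.minor === base.minor;
  // caret: same major; for 0.x the minor is the compatibility boundary,
  // for 0.0.x only the exact patch matches
  if (base.major === 0) {
    if (base.minor === 0) return cmp(c, base) === 0;
    return c.major === 0 && c.minor === base.minor;
  }
  return c.major === base.major;
}

// Constructed dependency tree: name -> { version, dependencies: { name: range } }.
const SAMPLE_TREE = {
  'my-app':        { version: '1.0.0', dependencies: { 'web-framework': '^4.2.0', 'log-colors': '1.4.0' } },
  'web-framework': { version: '4.2.1', dependencies: { 'cli-table': '~0.3.1' } },
  'cli-table':     { version: '0.3.1', dependencies: { 'log-colors': '^1.4.0' } },
  'log-colors':    { version: '1.4.0', dependencies: {} },
};

// Every path from `root` to `target`; each hop is recorded as "name@range".
function pathsTo(tree, root, target) {
  const out = [];
  const walk = (name, path) => {
    const node = tree[name];
    if (!node) return;
    for (const [dep, range] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${dep}@${range}`];
      if (dep === target) out.push(next);
      else if (!path.some(s => s.startsWith(dep + '@'))) walk(dep, next); // cycle guard
    }
  };
  walk(root, [`${root}@${tree[root].version}`]);
  return out;
}

// Paths whose final range would accept `published` on a fresh resolve
// (i.e. no lockfile, or `npm install` re-resolving instead of `npm ci`).
function exposedPaths(tree, root, target, published) {
  return pathsTo(tree, root, target).filter(p => {
    const last = p[p.length - 1];
    const range = last.slice(last.lastIndexOf('@') + 1); // lastIndexOf: scoped names contain '@'
    return satisfies(range, published);
  });
}

// Patch release: the exact pin in my-app is safe, the transitive caret is not.
console.log('1.4.1 reaches via:', exposedPaths(SAMPLE_TREE, 'my-app', 'log-colors', '1.4.1'));
// Major release: no caret or exact range admits it without a human changing package.json.
console.log('2.0.0 reaches via:', exposedPaths(SAMPLE_TREE, 'my-app', 'log-colors', '2.0.0'));
```

Two things the output makes visible: a direct exact pin does not protect you from the same package arriving through a transitive caret range, and a new major version is only picked up when someone edits a range by hand. A committed lockfile installed with `npm ci` freezes resolution and removes the first problem; this example models the fresh-resolve case that a lockfile-less CI job or a plain `npm install` goes through.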