by WarChortle 1613 days ago
He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.

If there was a bug in his logic that caused an infinite loop in some scenarios he was under no obligation to fix it. While I think he should in that scenario, I would defend his right to leave it. Another maintainer could fix it, someone could fork the package, whatever.

I am not arguing he owed anything to anyone. I am arguing that he is not entitled to maliciously break things on people. He committed it knowing full well most packages would grab it automatically; most people are okay with that, as if it breaks things they can go back a version, no big deal. His package is so popular some people might not even realize that one of their dependencies relies on it.

We can argue about how much time you should invest in knowing your dependencies and checking every commit for them until we are blue in the face. The reality is he knew most people just can't or won't, especially in the npm world.

There is no defending a malicious act. He is not entitled to commit code maliciously. OS works because we trust maintainers to do their best to have the best interests of the users at heart. The flip side of that is they are under no obligation to work on it. They can walk away at any time.

If people's idea of OS software starts to include that someone could do something malicious at any moment, that's the beginning of the end of OS.