The negligent part is relying on npm. If you want reliability then pay for it. Corporations crying about morality is just a smokescreen for them to avoid paying.
Most users of npm aren't corporations. They are individual developers or small operations taking advantage of a very clever ecosystem for distributed package management.
The leftpad stunt hurt everyone in that ecosystem. It was dropping a stink bomb at a party because the host had offended him, but everyone in the room got to suffer the consequences.