There was no more "food". A loop in a script isn't malicious, as a user can terminate a script and by running an unknown script they are assuming some liability as well. What you're advocating for is that if an open source developer changes their code, even to say, prompt the user to confirm executing when before they didn't prompt and that somehow breaks automation that the user has built (not the developer) then they should be liable for harm. It sets a terrible precedent, and the end result is no one will want to create open source software anymore. I can only hope you are simply playing devil's advocate rather than being serious, cause if you are serious then I hope you reap what you sow.
"By eating food of unknown provenance they are assuming some liability as well" isn't really an argument that would hold up in a court of law if someone intentionally taints the food.
> What you're advocating for is that if an open source developer changes their code, even to say, prompt the user to confirm executing when before they didn't prompt and that somehow breaks automation that the user has built (not the developer) then they should be liable for harm.
We should probably divide the conversation into two threads: one on the tainted-food analogy, and one on the changing-code reality. Because they aren't the same, and one can reach weird conclusions trying to conflate them.
Liability for tainted food is pretty settled law. If someone eats your food and gets sick, it's a problem for you. If they eat it and get sick and can prove you poisoned it, it's a real problem with real legal consequences. Food handlers and preparers go out of their way to avoid both of those scenarios.
Intentionally modifying code knowing you'll break downstream consumers hasn't been tested (to my knowledge) in court, so we can set that aside. But is it immoral? That's going to depend on one's morality, but I have a hard time seeing my way to agreeing with the standpoint "Sure, it's moral. User beware." That principle, written large, creates a strictly worse world, where people are hiding in their digital caves, unable to trust anything outside. A lot of people (including GitHub and NPM's owners) are trying to build something better than that.
Marak had a right to do what he did, but that doesn't mean it was right, we don't have to agree that "because he could, it was good" (that's just rule-by-power, and almost nobody thinks that's a good moral philosophy), and I applaud the open-source community who stepped in to minimize his harm.
GitHub doesn't = open source community. Quite the opposite actually. It is a closed system designed to take open source software and put it behind a closed-source ecosystem, and apparently to moderate open source developers and take away their individual freedoms.
How was Marak's individual freedom taken away? They locked his account temporarily (because what happened looked like somebody had stolen his credentials and impersonated him)... Then what happened?
His freedom to post what he wants in his repo does not extend to a freedom to screw users depending on the software he licensed for open source use working. GitHub and npm took steps to protect users from his malicious actions.