Dear Christ, I'm sick of this dichotomy. Deliberately releasing code like this is malicious, and was clearly done with intent. I'm not sure if you could sue, but there is such a thing as torts. You can't booby trap your yard and then be like "BUT I SAID NO WARRANTY!" when someone expects it to be a normal yard and then blows their leg off.
> If Lodash issued a breaking change...
It's called intent. Did Lodash _intend_ to break users' programs? Probably not. That's for a court to decide. Did this dude intend to break users' programs? The legal system is set up to resolve questions like this, not get fooled by clever gotchas from software developers. Intent matters in the eyes of the law and I'm utterly flummoxed and quite frankly concerned that so many developers don't understand that.
Simultaneously, pulling thousands of double-digit-layers-deep, random-ass dynamic code dependencies is _also_ a bad idea at best, and professional negligence at worst.
The package author can be liable. The people who rely on him can, at the same time, make bad professional choices. Both things can be true.
You are raising a point which no one is disputing. Yes, stuff broke, people's time was wasted, this was the intention. However, that does not necessitate malice. The IWW, for example, calls these kinds of sabotage direct action. The malice is towards the oppressors. The goal is to slow down production such that our oppressors suffer.
This act is really no different than a strike. A striking worker is only malicious towards those who unfavorably profit from their labor. Other workers might suffer, but a true worker will stand in solidarity, for direct action is an act of love for the entire working class.
Keep in mind Marak was active in the issue tracker afterwards pretending to be fixing the "bug". Marak didn't change the description, readme, or roadmap of the package. He passed the release off as a functioning library that deliberately crashes any process that used the library. That is a Trojan.
This still describes very standard industrial sabotage. Quite often workers will continue deliberately sowing confusion as part of the sabotage, either to cover their tracks or to maximize the time of diminished production. The goal is still the same.