This is amazing:
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
tl;dr:
1. a developer of a bunch of popular #npm packages publishes new, intentionally broken versions of them as he doesn't want to support for-profit companies with his free work;
2. NPM *reverts* the packages to older versions against developer's wishes;
3. GitHub *blocks* the developer for acting "irresponsibly".
That story again: developer blocked by #Microsoft #GitHub for making changes to his own code.
This is why #AGPL and @forgefriends are so important!
Both npm projects were published under the MIT license. Publishing them under the #AGPL would make Big Tech not touch it with a ten foot pole, while allowing other free software projects to still use them.
When publishing a project, consider using AGPL. I use it for basically all my public code.
Just to be absolutely clear, as @Gargron noted in a separate thread, this is absolutely shitty of the developer to pull the rug from under everyone (including plenty of FLOSS projects, I'm sure) using his npm packages. A breach of trust indeed.
But for me it is also worth noting GitHub blocking a developer for changes made by him to his own projects.
@rysiek if a developer is pushing changes or code clearly meant only to break things reverting and blocking are absolutely the right thing to do
This feels like the freezepeach argument, context matters
@reto @wim_v12e @dmoonfire dunno, seemed like dark comedy to me
@wim_v12e, it’s apparently impossible to do so: https://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy
@rysiek While GH obviously has the right to continue publishing an older version of the software, I wonder whether they retain the right to publish it *under the developer’s username*? That seems like something that should be covered by their TOS but perhaps they missed it?