Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps

Thank you for your analysis @vooteles
So this part in the MIT license is absolutely worthless if you claim that the creator was acting in a “bad faith”:

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

I would not say such disclaimers are worthless. They do provide protection against claims and that’s why they are sprinkled everywhere. But in a case where a package author just flat out goes nuts and intentionally acts maliciously the protection offered by the disclaimers should be severely diminished, if it exists at all.

If a legal system would allow a disclaimer to be absolutely limitless and fully, without exception, rule out any (civil) liability from any action, then the result would be a legal minefield. Every day millions of contracts are signed or entered into in some other capacity and the reality is that the vast majority of them are not read in full. So I’d say most jurisdictions are likely to have laws in place that restrict the effect of such disclaimers at least to some degree.

A somewhat relevant example is the application of contractual penalties. Let’s say you have a software development agreement where you undertake to write a fancy Meteor app for a customer for 10k EUR. Somehow the customer manages to slip a provision into the agreement which stipulates that you must pay a contractual penalty of 1 billion EUR to them for every day you go past the deadline of delivery. And you discover it after you have signed the agreement. A bad situation, no doubt, but in most jurisdictions you have the possibility to request a judge to reduce that penalty to a reasonable sum. Despite the parties having signed a document which clearly sets out such a penalty.

But as always in law, everything is a matter of interpretation :slight_smile:

1 Like

That is a good question, but I think that the license is re-applied to each version. Since the code is distributed with the license, that would mean that each version has its own license (it just happens to be the same as the previous one). You can see it on software where the license changed. For example v1.0, v1.1, v1.2 are distributed with the MIT license. Then v1.3 onward is with another license. Since the license is attached to the code and is distributed with the code in the license file, you can always open the particular package in a particular version and see the actual license. I think there might be some examples where a license changed and the community went in, forked the code before the license change and worked on its own fork (possibly LibreOffice comes to mind).

Here is the relevant section. It speaks about deleting packages that violate acceptable use:

1000% agree and I think that should be the main takeaway. I would have thought that the left-pad fiasco would have schooled people enough. But in a way it is good that this happened as it brought up a whole lot of other issues.

Tends to happen to popular software.

1 Like

@alawi Thank you for sharing the story of Terry A. Davis.

2 Likes