I was reading through the GitHub issue exposing the attack, and some people had some less than nice things to say about the dev who handed over the project (event-stream) to another dev who put the payload in.
You put millions of people at risk, and making something for free, but public, means you are responsible for the package.
If you read through the thread, there are more salty people.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY…
There is a responsibility for the dev to make sure they vet what is being put into the project, but also a larger responsibility for large companies to vet dependencies themselves, such as this package, event-stream.
Bonus: Commit which added bad dependency, flatmap-stream
submitted by /u/1fabunicorn