- Why did you give me a different coin today?
and the young man says:
- I got married and now I'm starting a family; I need more money, so I cannot give you as much anymore.
And the beggar cries out:
- People, look at this putz, he got married, and now I have to feed his family?!
I think the fact that we get so many awesome things for free is unbelievably lucky. I mean, not only do we work in one of the more generously paid jobs, we also get a lot of the tools we need for free! How cool is that? But some people think that if they are given those awesome things for free, they must deserve it and whoever gives them owes them forever. That's not the case. Yes, it is annoying to find that somebody who contributed before does not want to do it anymore. It is mildly inconvenient and it can be improved. But let's not lose perspective - the author does not owe us or npm continued support. It is sad he does not want to do it anymore, but that's what open source is about - people can take it over, and it happened within a single day. Such resilience is something to be proud of, not something to complain about.
- But you gave it to me!
- It was for free, so don't you dare complain
If it was given with the (maybe implicit) clause that there was no limit of time, I don't see how the thing being free gives you the right to take it back, especially from people who have used it to build something. Sure, the first act was charitable, but in the end you cause more harm than good.
Rely on something continuing to exist on the internet without making your own backups of it, and you're going to have a bad time.
On the other hand, he wanted his work published in the community registry where they got exposure and were made into dependencies in lots of projects.
When the author offered their modules and then suddenly walked away with them, lots of innocent devs who built their projects with his modules got hurt. He did more bad than good overall, especially since he unpublished hundreds of modules at once without warning, not just one. He should carry some responsibility for that.
The author can publish and unpublish all he wants from his personal site where there are zero expectations that it will continue to exist, but when he's doing it from a public repository where he received a lot of confidence from the community, he should at least make sure his users don't suddenly fall flat. Now people will start wondering if a module with millions of installs in the last month is still going to exist tomorrow.
That's a smart thing for people to wonder when there is a very real possibility that it won't. I'm not going to applaud the author's action here, which I consider reckless, but it did bring attention to how fragile this "essential" infrastructure really is.
Should really just be a 'publish is forever' mentality.
You of course need to audit and improve your local store, but you need to do that with your dependencies anyway.
Blame NPM. They were the ones shutting down his module and giving it to someone else. That's the first of the crazy parts.
That's a good thing. People should be aware of it - and be aware of the fact that all the awesomeness of the open source world is maintained by the continuous - and often unseen and unpraised - effort of thousands of people, who are mostly known when something breaks but not much otherwise. It's ok not to think about it every minute, but it's also useful not to forget about it completely - and that we shouldn't take it for granted, as it is in no way a law of the universe; it is a consequence of continued effort and continued good will.
I would say that sans a cease and desist, if not a court order, they shouldn't have done anything at all. Certainly shouldn't have turned over the name to them. Better missing and breaking builds than being controlled by someone with completely different intentions.