I'll leave it as an exercise for the reader to understand the difference between "I am not liable if I have a bug that ruins your production environment" and "I am not liable if I maliciously introduce a fatal bug knowingly into your production environment".
Of course he did. Intent matters, and this was a reasonably foreseen consequence of the way the system is set up.
He knew how npm works and he knew the implication of adding that code is that hundreds of libraries and production systems would automatically upgrade and install it.
In fact, the whole point of what he did was to introduce the code into production environments.
Most of those (malice, who introduced it to your environment, fatal bug) seem contestable, even if we grant for the purpose of argument that the as-is disclaimer does not cover all cases.
The commit had a comment to the effect of being test / toy code not meant to be put into a release. I don't think a claim of randomly producing the snippet would be put forward in the hypothetical court case. Then there's the question of malice vs some other motive of expression in looping and printing some ASCII / zalgo art in your own terminal art lib.
Any reasonable expert in the field will tell you you don't plug an auto-updating dependency into production. Marak wrote code. You (the consumer) pulled and deployed it without due diligence. That is entirely on you.
Not one person is obligated to keep your crap working except you. This has really outed all the people who really should know better.
If you put a bomb in a box and attach a button with a note that the button is provided as-is and the author disclaims any liability, then leave it in a public place and someone presses it, do you think you will not be found liable?