> In fact, I also take issue with GitHub / Microsoft taking over the package and am very worried about the precedent that sets, regardless if their motives this time appear to be entirely selfless.
Is there more on this? This is the first I’ve heard about this npm package being modified which I would have just ignored as regular npm problems, but hearing that GitHub took over someone’s repo sounds crazy. Does their ToS claim to override copyright or something?
I do not think NPM altered a package; they unpublished the nonfunctional/infinite-loop version, so that the prior, functional version (pushed by marak) becomes the "latest" version again.
Yes, that is a very dangerous precedent. This isn't like the leftpad issue where someone stole credentials from the project owner. This is the project owner himself publishing a new version of his project.
They supposedly took over the npm packages[0,1], not the github.com repos. npm is a system where you push archives as package versions, it doesn't do its own pull from a github repo or otherwise.
To add, unused/squatted npm package names regularly get reassigned[2].