Don't like it? Just use another library. I don't understand why people think they are entitled to have a say in what another person's open source library should or should not do.
Also, to the ones saying this is malware or would qualify as "causing harm to computing equipment": how about you read the license? Not that I would expect any vibecoder to even care, but:
"6. Disclaimer of Liability
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."
Making something open source does not release a project from criticism any more than it entitles the users to get something out of it. It's alright to criticize parts of a library and still use it as much as it is to fork it to have the changes you want. As usual, it's up to people everywhere to have respectful discussion rather than rely on universal ideals and heated exchanges, and that's where reality can be rougher than it should be.
It's a general principle of US law that warranties cannot disclaim liability for intentional misconduct or gross negligence, and prompt injection malware is intentional misconduct.
This isn't legally very much different from other supply chain attacks that steal data or credentials, or act as ransomware. That is why people object to this open source software.