All legality, copyright law, etc. aside, how did this even create a problem?

Even on small projects, basic build engineering dictates that you are cognizant of which package versions you are building against. Furthermore, all packages should be locally cache-isolated on your build server (or local box if you do not have a build server). Building against the most "up-to-date" versions of remote dependencies puts you completely at risk for situations such as this, let alone at the mercy of malicious updates to such remote dependencies.

What sane (pun intended) person would ever build against the most recent version of all packages (including small ones such as this) from a remote build server? Also, for larger (i.e. more than several employees) type operations, how could QA possibly function when building from "most recent version of all packages"?

All these entities that are suffering because of this should immediately fire all their build engineers, because they are not only a reliability concern, but, more critically, a vulnerability concern.
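The two rules in the comment above (know exactly which version you build against, and build only from a local, verified cache) can be checked mechanically. As an added example, not taken from the comment or from any project it refers to, here is a small Python audit over a pip-style requirements file (sample manifest constructed inline, with fictitious package names and a placeholder digest) that flags every entry which would float to whatever the remote index happens to serve:

```python
import re

# Constructed sample manifest in pip requirements syntax. Package names are
# fictitious and the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# Pinned and hash-locked: reproducible, and safe to serve from a local cache.
httpkit==2.31.0 --hash=sha256:<placeholder-digest>
# Pinned, but the downloaded content is never verified.
webfw==3.0.0
# Floating specifiers: resolves to whatever the remote index serves today.
numlib>=1.20
yamlparse
padutil~=1.0
# Wildcard pin: still floats across patch releases.
tinytool==1.*
"""

# name, optional [extras], then the rest of the line (specifiers, markers, hashes)
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")


def audit_requirements(text):
    """Return a list of (name, finding) for every requirement that would let a
    build drift away from one known, content-verified package version."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as --index-url
        m = _SPEC_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name, rest = m.group(1), m.group(2)
        hashed = "--hash=" in rest
        # Keep only the version specifier: drop hash options and environment markers.
        spec = rest.split("--hash", 1)[0].split(";", 1)[0].strip()
        # Exactly one "==" pin with no wildcard, no comma-joined ranges.
        pinned = re.fullmatch(r"==\s*[^\s,;*]+", spec) is not None
        if not pinned:
            findings.append((name, "not pinned to one exact version"))
        elif not hashed:
            findings.append((name, "pinned but no --hash (content unverified)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {finding}")
```

Once every entry is pinned and hashed, the install itself can be forced to honour that by running pip with `--require-hashes --no-index --find-links <local-wheelhouse>`, so the build never touches the remote index at all.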


