
Interesting questions. I don't know the answer and I believe even lawyers might have trouble with this. I guess it would come down to 1) how technically savvy is the user (is it a FAANG engineer or a grandma? is it expected from a FAANG engineer to look at the diffs when applying updates? Is a grandma expected to read the release notes?) and 2) how malicious is this code change?

Are the users updating the only ones wronged or first-time users too? Say you're installing a library for the first time. The library says it does A, you install it and realize it does B, are you then allowed to sue the author? I guess it depends on how far A is from B and how malicious B is, but the author explicitly stated the code comes with no guarantees. Should anyone that installs "left-pad", but then realizes the lib only does right-padding, be able to successfully sue the author? The code explicitly comes with no guarantees! It seems very tricky and I'm not sure we can write deterministic black-or-white laws for this, but again, maybe I'm applying a higher standard based on SWE practices for other trades. As far as I know, the legal system is in the hands of politicians who write non-total functions and judges who interpret those functions as they wish.


