Comment by bsder

> If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part.

I'm not sure how much he advertised it.

This is part of the problem I have with things like npm, cargo, etc.

They defaults are set to try to suck up your work and get you to make it public.

Consequently, semi-useful things get loose probably long before people intended them to and probably long before people realize how much work they just signed up for.