Justin James
1 min read, Jun 21, 2022


This has been a problem in the open source community - and particularly those using npm (left-pad anyone?) - for far longer, and for different reasons in history.

The problem isn't that people are doing this for political reasons.

The problem is that people blindly update open source code, sight unseen.

And I am not blaming them per se, any more than I blame someone for leaving their windows open on a nice spring day and then an army of squirrels eat through their screens and destroy the house. There is no reason to think that doing an update on a perfectly normal, well-tested, lots of "eyeballs on code" package will wipe out your server or crash your app or whatever. People *should* be able to just blindly update their packages from an open source repo and have nothing go wrong because of a deliberate decision from the developers.

But the history shows this isn't the case, and at this stage in the game, organizations who continue to act as if code updates are always safe are negligent.

If CTOs, CIOs, etc. aren't willing to accept and manage this risk, they need to stop depending on open source code.

J.Ja
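The response above argues that updating dependencies "sight unseen" is the real problem. As an added example (not part of the original post, and not anything the author or npm ships), the script below shows what "not blindly updating" can look like in practice: it diffs two npm lockfile snapshots (the `packages` map of a v2/v3 `package-lock.json`) and flags the things a reviewer should look at before merging an update, such as a major version bump, a package whose integrity hash changed while its version did not, a package with no integrity hash at all, or one resolved from somewhere other than the registry. The two lockfiles are constructed sample data and the package names `pkg-a` through `pkg-e` are hypothetical.

```python
"""Audit a dependency update instead of applying it blindly.

Added example, not code from the original post. It compares two snapshots of
an npm lockfile (package-lock.json v2/v3 "packages" layout) and returns
findings a reviewer should read before merging the update. Both lockfiles
below are constructed sample data; the package names are hypothetical.
"""
import json
import re
from urllib.parse import urlparse

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample: lockfile before the update.
OLD_LOCK = json.loads("""
{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/pkg-a": {"version": "1.3.0", "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.3.0.tgz", "integrity": "sha512-aaaa"},
  "node_modules/pkg-b": {"version": "2.0.1", "resolved": "https://registry.npmjs.org/pkg-b/-/pkg-b-2.0.1.tgz", "integrity": "sha512-bbbb"},
  "node_modules/pkg-c": {"version": "1.2.5", "resolved": "https://registry.npmjs.org/pkg-c/-/pkg-c-1.2.5.tgz", "integrity": "sha512-cccc"},
  "node_modules/pkg-d": {"version": "0.9.0", "resolved": "https://registry.npmjs.org/pkg-d/-/pkg-d-0.9.0.tgz", "integrity": "sha512-dddd"}
}}
""")

# Constructed sample: lockfile after a blind "npm update".
NEW_LOCK = json.loads("""
{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/pkg-a": {"version": "1.3.1", "resolved": "https://registry.npmjs.org/pkg-a/-/pkg-a-1.3.1.tgz", "integrity": "sha512-aaa1"},
  "node_modules/pkg-b": {"version": "3.0.0", "resolved": "https://registry.npmjs.org/pkg-b/-/pkg-b-3.0.0.tgz", "integrity": "sha512-bbb1"},
  "node_modules/pkg-c": {"version": "1.2.5", "resolved": "https://registry.npmjs.org/pkg-c/-/pkg-c-1.2.5.tgz", "integrity": "sha512-ccc9"},
  "node_modules/pkg-e": {"version": "4.1.0", "resolved": "https://example.invalid/pkg-e.tgz"}
}}
""")


def parse_semver(version):
    """Return (major, minor, patch) or None if the string is not semver-like."""
    m = SEMVER_RE.match(version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def audit_lockfile_change(old_lock, new_lock, trusted_hosts=("registry.npmjs.org",)):
    """Return (severity, package, message) findings for the old -> new change.

    severity is "block" (do not merge without a human look), "review" or "info".
    """
    # Drop the "" root entry; it describes the project, not a dependency.
    old_pkgs = {k: v for k, v in old_lock.get("packages", {}).items() if k}
    new_pkgs = {k: v for k, v in new_lock.get("packages", {}).items() if k}
    findings = []
    for path in sorted(set(old_pkgs) | set(new_pkgs)):
        name = path.rsplit("node_modules/", 1)[-1]
        old, new = old_pkgs.get(path), new_pkgs.get(path)
        if new is None:
            findings.append(("info", name, f"removed (was {old.get('version')})"))
            continue
        # Every installed package must carry an integrity hash, or npm cannot
        # detect a tarball that differs from what was reviewed.
        if not new.get("integrity"):
            findings.append(("block", name, "no integrity hash in lockfile"))
        host = urlparse(new.get("resolved", "")).hostname
        if host not in trusted_hosts:
            findings.append(("block", name, f"resolved from untrusted source {new.get('resolved')!r}"))
        if old is None:
            findings.append(("review", name, f"new transitive dependency {new.get('version')}"))
            continue
        ov, nv = old.get("version"), new.get("version")
        if ov == nv:
            # Same version, different bytes: the published tarball changed.
            if old.get("integrity") and new.get("integrity") and old["integrity"] != new["integrity"]:
                findings.append(("block", name, f"integrity changed for unchanged version {nv}"))
            continue
        osv, nsv = parse_semver(ov), parse_semver(nv)
        if osv is None or nsv is None:
            findings.append(("review", name, f"non-semver version {ov} -> {nv}"))
        elif nsv[0] != osv[0]:
            findings.append(("review", name, f"major bump {ov} -> {nv}: read the changelog and diff the tarball"))
        else:
            findings.append(("info", name, f"{ov} -> {nv}"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to the single most severe level."""
    order = {"info": 0, "review": 1, "block": 2}
    return max((f[0] for f in findings), key=order.get, default="info")


if __name__ == "__main__":
    results = audit_lockfile_change(OLD_LOCK, NEW_LOCK)
    for severity, pkg, msg in results:
        print(f"[{severity:6}] {pkg}: {msg}")
    print("verdict:", worst_severity(results))
```

Run against the two constructed snapshots it reports `pkg-a` as a routine patch bump, `pkg-b` as a major bump to read up on, `pkg-c` as a blocker because the tarball changed under an unchanged version, and `pkg-e` as a blocker twice over (no integrity hash, not from the registry). Wiring something like this into the CI job that opens dependency-update pull requests is one concrete form of "accept and manage the risk" rather than pretending the risk is not there.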

Written by Justin James, OutSystems MVP & longtime technical writer