anon7000 a day ago
For one, there is a limit to how much licenses absolve you from responsibility — like, you can’t say “eat my food, by doing so you accept responsibility” and turns out it’s poisoned. It’s still possible to go after the food producer. I know that doesn’t apply 1:1 to software, but the point is less about individual OSS projects and more about the hosted service of package registries, which do have people & money behind them. Npm, for example, is owned by Microsoft (through GitHub). MS has huge amounts of money. They could be scanning for malware on upload and adding so many more security mechanisms. But they don’t.
fxtentacle a day ago
Didn’t Disney famously use an EULA contract for dodging responsibility after a deadly food poisoning?