What a load of bullshit.
Tyler Mullins

If you didn’t think the maintainer should invest the time to ‘vet’ a replacement, *you wouldn’t have said the maintainer should ‘vet’ a replacement*. Period.

And, quite frankly, I don’t believe you. If the maintainer had deprecated the package and left it at that, you would be screaming bloody murder about how irresponsible it was to leave a popular package without finding a successor to maintain it.

And, again, you entitled asshole: “other industries” *turn a profit*. Asshole. You are literally asking a *volunteer* who did you a *favor*, basically because it cost him *nothing*, to be *legally liable* if he screws up. When we do get regulations, they will probably exempt this situation, because who fines amateurs doing people a favor if they screw up; but if they don’t, it will mean the end of open source as we know it, and probably a reversion to proprietary software, because, thanks to selfish assholes like you, that’ll be the only way for programmers to make enough money for undertaking the risk under the regulations to be worth it.

And, of course, nobody ‘vetted’ the package to make sure it didn’t have malicious code in the first place. Because who does that? If the package was deprecated, the first person to come along could have forked it and put in anything they want, anyway.

The blame here lies 100% with the *bad actor* who uploaded malicious code to npm. You want to fine someone, fine him (he’s already broken federal law). But your bullshit ‘professionalism’ is just blaming someone who did you a *favor* for not doing it to your standards. Asshole.