(image copyright by Ministry of Defense of Ukraine, shared on flickr under CC-AT-SA)

Like any war, the current one in the Ukraine brings out the best and the worst in people. The best of us support the people of the Ukraine defending against the unlawful invasion by the Russian Regime. The worst of us commit package sabotage against users with a russian IP address.

On one hand, package sabotage is two-edged sword, as you cannot possibly know if the Russian IP currently installing your npm package is not actually against the war and just wanted to set up a site to spread knowledge on how to circumvent Russian net blockades – and now you've successfully stopped them from doing so and indirectly aided Russian Propaganda to prevail in the absence of that information. On the other hand, you undermine the global trust in the whole ecosystem that your package is a tiny part of.

For that reason, I'm rather convinced it's ultimately a really bad idea, but I wanted to hear your positions, too. What do you think about package sabotage? Also, shouldn't we be more mindful of the dependencies we pull from npm?