
This is a non-issue and taking focus away from the real issue. The issue is the security hole that NPM opens up when a namespace can be grabbed up by anyone if the original developer pulls out.


Personally, it's not about the 'original' developer pulling out, but about the simple question: who or what do you trust?

1. The developer
2. The content distributor
3. The code (by git SHA ref perhaps)
4. The contract of the code (using formal verification)
5. The legal contract with the code supplier

And if you trust 1, do you expect him to sign the stable releases using GPG tags?

All the focus on OSS nowadays seems to be on 1, but as professional engineers, shouldn't we focus more on 4 and 5?


The OP is deliberately talking about a completely different issue that just happened to be spawned from the recent drama.

He is talking about learning to code vs asking google for implementations of even the most trivial things and about what a useful library is.


I know I wasn't interested in doing any JavaScript until they started modularizing it, and npm was that on crack. Possibly once the kids had their shiny new npm, some went mad with power and took it too far. Take the good with the bad, though, as the JavaScript language is known for.

