Making commercial vendors who rely on open source software liable for bugs is fantastic news, that's how it always should have been. You can't have a commercial company throw their hands up and say "well github.com/cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!"
"What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable. But who?
The EU is grappling with that very question, and it culminates in whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in. But lawmakers know enough to realize that much of the open source out there – by definition – belongs to no one, or many someones, or really nobody that can be named and made liable. So waiting on a court case might provide clarity but no compensation and no one to even argue the case. Not the clarity a law is designed to provide."
But I rather think that no, the law just talks about products where you pay money for. And when I pay money for something, I do expect liablity in some way and this is allright. But it is not allright to mix them both up for politicial support (or whatever the motivation here is).
Ianal but my intuition is that you're on point.