Making commercial vendors who rely on open source software liable for bugs is fantastic news, that's how it always should have been. You can't have a commercial company throw their hands up and say "well github.com/cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!"
I'm not certain the second order (or later) effects will necessarily be unequivocally good. Software supply chains are more like a double pendulum in that changes are probably chaotic enough to obscure their effects.
For example, my very first thought was that large businesses are generally risk averse specifically in the realm of liability. Have you ever read a TOS? It feels to me the major elements of that interminable document are statements that limit liability. It is to the point of humor that we engage in clicking through the "I accept" of a software license like some strange universal ritual. This is the realm we are dealing in here, deep and arcane. The ubiquitous TOS ritual should remind us all that software is beholden to forces outside of itself.
Companies go through insane effort to avoid legal liability. This law is going to change that calculus. If the cost of covering that change is high, this could precipitate a change to closed-source alternatives that come with some delegation of liability. For the cynically minded, companies that offer equivalents to OSS that come with a liability waiver might see an ascendance and potentially offer a good investment opportunity. Alternatively, repackaging existing OSS as a commercial product while only adding some legal liability as an add-on might become a viable business.
Those considerations challenge any argument towards unequivocally stating this is a good thing, even if there are definitely positive aspects to this change.
bingo
... from a longer transcript here https://www.infoq.com/presentations/security-supply-chain-os...