This is not an "open source project", this is a service. When I use a open source project I take it as it is now and take a risk on it not being updated, but any updates are "pull", as in that I willingly take in changes.

In this case the service is "push", which is very different. Any website that used polyfill.io can have any changes pushed to it, regardless of if the author even had known about a change being made.

If my popular project is replaced with a single poop emoji on NPM any existing user is fine (especially since NPM keeps old versions after the whole left-pad thing) and will find an alternative. If polyfill.io replaces their code with

    document.documentElement.innerHTML = '💩'

that's not fine, since it affects existing users without any update step.

I think that nobody should use these public CDNs at all, including things like unpkg and cdnjs, or at the very least using subresource integrity. Either way this has been something that has been on the horizon for years and similar to the buying of popular webextensions.

I don't have an answer, but the idea that the person providing you with a free service owes you anything at all just reminded me of this Simpson's quote I think about sometimes.

---

Comic Book Guy : Last night's Itchy & Scratchy was, without a doubt, the worst episode ever. Rest assured that I was on internet within minutes registering my disgust throughout the world.

Bart Simpson : Hey, I know it wasn't great, but what right do you have to complain?

Comic Book Guy : As a loyal viewer, I feel they owe me.

Bart Simpson : What? They've given you thousands of hours of entertainment for free. What could they possibly owe you? I mean, if anything, you owe them.

Comic Book Guy : Worst episode ever.