; Date: Mon Mar 16 2020
From the beginning of Node.js, npm has been a faithful companion, providing useful package management services to the Node.js community. Node.js would not have risen so high without a good package manager, and npm served that role. By rights we should celebrate that Github is buying npm, since a big question mark hanging over npm has been its level of funding. But - it raises a big question mark about the continued independence of the npm registry once it falls into the clutches of a big corporation (Microsoft owns Github).
The announcement promises - "npm will always be available and always be free".
The first red flag comes from this statement:
we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it. Open source security is an important global issue, and with the recent launch of the GitHub Security Lab and GitHub’s built-in security advisories, we are well-positioned to make a difference.
That sounds nice and it is important to increase scrutiny of packages in the npm registry. But -- this announcement contains an assumption that a package in the npm registry will be managed in a Github repository. Will things be twisted such that npm will require all packages to be maintained in a Github repository? What about those who want to use a self-hosted Git repository, or use Gitlab, or any other Github competitor?
In other words, will Github (Microsoft) impose a field of use restriction on the use of the npm registry?
“Why aren’t you trying to buy us?”
In the official npm blog, Isaac Schlueter wrote his own post describing the acquisition and what he hopes will result. It all sounds nice - he likes the culture at Github - he is excited for the future of npm under Github's control - it's all about Github, and positivity.
He (izs) describes npm's corporate goals as:
- Keep the npm registry running forever (not only for the life of the company).
- Be a company that we can all enjoy working at, and do the best work of our careers up until now.
- Get a big enough exit that I can quit my job and see what comes out of me a second time.
- Share the rewards equitably with the people who got npm to where it is.
So ... we the Node.js community should keep an eye on what's happening, and judge the result accordingly.
What stands out for me in the blog post is his description of meeting the Github team and the Github Packages beta announcement. He (izs) says he turned to Shanku Niyogi (Github) and clumsily asked “Why aren’t you trying to buy us?”
To me - this indicates that izs was already thinking in the mindset that npm needed to be bought by some big company. In another section, izs describes his answer to the “what might your exit look like?” question as
the big tech companies as possibilities, and GitHub as a sort of “wishful thinking” option.
In other words, izs was not committed to the goal of keeping the npm registry an independent organization.
Shouldn't npm be an independent entity?
This announcement isn't that Github bought out npm -- it's that Microsoft bought out npm.
Here's the section of the blog post where we start reliving Microsoft's past as a big villainous corporation.
Microsoft as the enemy of the computer industry - 80's and 90's -- But maybe Microsoft is different today?
Like many, I have a long history of being leery about Microsoft. I came of age in the computer industry during the 80's and 90's when Microsoft really was the big villain trying to control everything. Two years ago when Microsoft bought Github, I had a similar reaction: for example, what's the risk from Microsoft having access to the private repositories of other corporations? But at the same time we have to recognize there's been a shift in Microsoft - there is an Old Microsoft that really was a villain, and there is a New Microsoft that might be pretty much okay.
The Old Microsoft would have done none of those things. The New Microsoft might be truly and honestly changed.
Voice of the community
Maybe it'll all be okay. Let's hold positive vibes for the result of this.
But we need to remember the promises that were made and judge whether the corporate owners continue to live by those promises.