Github buys npm: Might cause more angst about npm as de-facto package manager for Node.js?

Date: March 16, 2020

Tags: Node.js, Microsoft, Open Source

From the beginning of Node.js, npm has been a faithful companion providing a useful package management service to the Node.js community. Node.js would not have risen so high without a good package manager, and npm served that role. By rights we should celebrate that Github is buying npm, since a big question mark over npm has been its level of funding. But it raises another big question mark about the continued independence of the npm registry once it falls into the clutches of a big corporation (Microsoft owns Github).

The announcement is that "GitHub has signed an agreement to acquire npm." The announcement (github.blog) talks about npm playing a critical role in the JavaScript world. Obviously, as the announcement says, hundreds of thousands of developers have trusted npm to distribute their packages.

The announcement promises - "npm will always be available and always be free".

The announcement claims the focus will be to invest in the registry infrastructure and platform, giving the JavaScript community a rock-solid registry; to improve the core experience, adding some new features; and to engage with the community, supposedly to look for new ideas for npm.

The first red flag comes from this statement:

we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it. Open source security is an important global issue, and with the recent launch of the GitHub Security Lab and GitHub’s built-in security advisories, we are well-positioned to make a difference.

That sounds nice, and it is important to increase scrutiny of packages in the npm registry. But this announcement contains an assumption that a package in the npm registry will be managed in a Github repository. Will things be twisted such that npm will require all packages to be maintained in a Github repository? What about those who want to use a self-hosted Git repository, or use Gitlab, or any other Github competitor?

In other words, will Github (Microsoft) impose a field of use restriction on the use of the npm registry?

The Node.js and broader JavaScript community were already anxious about the npm registry being corporate-owned. As a result, several alternative package systems have sprung up as direct competitors to npm. So far, except for yarn, they've stayed small operations, and in some cases outright experiments. But it seems likely some in the community will pull away from using npm and focus on the alternatives.

“Why aren’t you trying to buy us?”

In the official npm blog, Isaac Schlueter wrote his own post (blog.npmjs.org) describing the acquisition and what he hopes will result. It all sounds nice: he likes the culture at Github, he is excited for the future of npm under Github's control, and it's all about Github and positivity.

He (izs) describes npm's corporate goals as:

  1. Keep the npm registry running forever (not only for the life of the company).
  2. Be a company that we can all enjoy working at, and do the best work of our careers up until now.
  3. Get a big enough exit that I can quit my job and see what comes out of me a second time.
  4. Share the rewards equitably with the people who got npm to where it is.

So ... we the Node.js community should keep an eye on what's happening, and judge the result accordingly.

What stands out for me in the blog post is his description of meeting the Github team and the Github Packages beta announcement. He (izs) says he turned to Shanku Niyogi (Github) and clumsily asked “Why aren’t you trying to buy us?”

To me - this indicates that izs was already thinking in the mindset that npm needed to be bought by some big company. In another section, izs describes his answer to the “what might your exit look like?” question as

the big tech companies as possibilities, and GitHub as a sort of “wishful thinking” option.

In other words, izs was not committed to the goal that the npm registry should remain an independent organization.

Shouldn't npm be an independent entity?

Why should the npm registry be anything but an independent entity? How is the Node.js community specifically, and the broader JavaScript community, to trust that a big corporate owner is going to operate the registry in a way that serves the community's needs?

This announcement isn't that Github bought out npm -- it's that Microsoft bought out npm.

Here's the section of the blog post where we start reliving Microsoft's past as a big villainous corporation.

Microsoft as the enemy of the computer industry - 80's and 90's -- But maybe Microsoft is different today?

Like many, I have a long history of being leery about Microsoft. I came of age in the computer industry during the 80's and 90's, when Microsoft really was the big villain trying to control everything. Two years ago, when Microsoft bought Github, I had a similar reaction; for example, what's the risk from Microsoft having access to the private repositories of other corporations? But at the same time we have to recognize there's been a shift in Microsoft: there is an Old Microsoft that really was a villain, and there is a New Microsoft that might be pretty much okay.

As evidence of the New Microsoft, consider the many open source projects that Microsoft is contributing to or managing. I'm using Visual Studio Code, a Microsoft project, to write this blog post and all my other coding. Microsoft already makes big contributions in the JavaScript scene, from embracing the Chromium browser engine in its own browser, to contributions to the Node.js project, to the TypeScript project. There are plenty of other examples; one I noted in October 2019 is when Microsoft officially joined the OpenJDK project. To those of us who lived through the Java battle of Sun versus Microsoft (I worked for Sun at the time), for Microsoft to be openly collaborating with the OpenJDK project is a big thing.

The Old Microsoft would have done none of those things. The New Microsoft might be truly and honestly changed.

Voice of the community

Rosy sunglasses

Maybe it'll all be okay. Let's hold positive vibes for the result of this.

But we need to remember the promises that were made and judge whether the corporate owners continue to live by those promises.