The news was announced by GitHub CEO Nat Friedman and npm creator Isaac Z. Schlueter via their respective company blogs, without either party disclosing financial details of the deal. Schlueter only mentions that it is not “a kajillion billion dollar 10x startup cinderella story”, that he failed to reach his goal of one day getting “a big enough exit that I can quit my job”, but that he is proud of “the deals that we’ve been able to negotiate for the team”.
What those deals might look like isn’t part of his announcement, titled “next phase montage” (another play on his “npm doesn’t stand for anything” mantra), either. Rather than going into organisational details, Schlueter sought to reassure the user base of the “world’s largest software registry”. Anticipating the uncertainty a step like this might stir, he used the blog entry, for example, to promise “to keep the npm registry free for open source development for the foreseeable future”.
The company is also planning to improve the core experience by supporting the work on the npm v7 CLI, Workspaces, and improvements to publishing and multi-factor authentication capabilities. In the long run, GitHub will integrate npm, which is meant to “improve the security of the open source software supply chain” and is something Schlueter had had in mind at least since GitHub introduced its own take on packages in 2019.
He writes: “When I saw the GitHub Packages beta announcement and demo at GitHub HQ in San Francisco, I remember turning to Shanku Niyogi and clumsily blurting out, ‘Why aren’t you trying to buy us?’”
After a troubled 2019, in which the company made headlines with a rapid succession of leadership changes and union-busting complaints, the sale might indeed have been necessary to stick to Schlueter’s vision of keeping the registry “running forever” and, more importantly, to guarantee a stable future for all the projects relying on it, a concern familiar to the communities around other languages as well.
Quasi-equivalents to npm include the Java-centric Maven Central Repository. Brian Fox, CTO at Sonatype, one of the project’s stewards, commented in an emailed statement: “Open source projects are created by the community, for the community, and so initial reactions of concern around such news are understandable. But it’s important to remember that public code repositories are critical infrastructure, relied upon by millions of developers and businesses. To illustrate that point: npm had 64B pull requests in January 2020 alone.”
So while the deal implies a bit more security for those businesses, it will inevitably spark fears that it will increase Microsoft’s influence on the open source space, as the company’s acquisition of GitHub did back in 2018.
Ultimately, developers will vote with their feet.