npm boss states package registry will stay free ‘for foreseeable future’ after GitHub buy


GitHub has signed an agreement to acquire npm, the company responsible for the Node.js package manager of the same name, enhancing parent company Microsoft’s position in the JavaScript space.

The news was spread by GitHub CEO Nat Friedman and npm creator Isaac Z. Schlueter via their respective company blogs, without either party disclosing financial information about the deal. Schlueter mentions only that it is not “a kajillion billion dollar 10x startup cinderella story” and that he did not reach his goal of one day getting “a big enough exit that I can quit my job”, but says he is proud of “the deals that we’ve been able to negotiate for the team”.

What those deals might look like isn’t part of his announcement either, which is titled “next phase montage” in another play on his “npm doesn’t stand for anything” mantra. Rather than going into organisational details, Schlueter looked to reassure the user base of the “world’s largest software registry”. Anticipating the insecurities a step like this might stir, he used the blog entry to promise, for example, “to keep the npm registry free for open source development for the foreseeable future”.

With GitHub’s support and backing, the npm team will “be making things more reliable, convenient, and connected for everyone across our vast interdependent JavaScript ecosystem”, Schlueter writes. Friedman highlighted this as well. According to him, GitHub is especially looking to invest in the registry’s infrastructure and platform to make npm “fast, reliable, and scalable”.

The company is also planning to improve the core experience by supporting the work on npm v7 CLI, Workspaces, and improvements to publishing and multi-factor authentication capabilities. In the long run, GitHub will integrate npm, a step that is meant to “improve the security of the open source software supply chain” and something Schlueter has had in mind at least since GitHub introduced its own go at packages in 2019.

He writes: “When I saw the GitHub Packages beta announcement and demo at GitHub HQ in San Francisco, I remember turning to Shanku Niyogi and clumsily blurting out, ‘Why aren’t you trying to buy us?’”

Paying npm customers are meant to continue to get support, although GitHub is also planning to enable them to move their private packages to GitHub Packages later in the year. This should “allow npm to exclusively focus on being a great public registry for JavaScript”, says Friedman, giving users some idea of the direction in which things will develop from now on.

After a troubled 2019 in which the company made the headlines with a rapid succession of leadership changes and union-busting complaints, the sale might indeed have been necessary to stick to Schlueter’s vision of allowing the registry to be “running forever” and, more importantly, to guarantee a stable future for all the projects relying on the registry, a problem also known to the communities around other languages.

Quasi-equivalents to npm include the Java-centric Maven Central Repository. Brian Fox, CTO at Sonatype, one of the project stewards, commented in an emailed statement: “Open source projects are created by the community, for the community, and so initial reactions of concern around such news are understandable. But it’s important to remember that public code repositories are critical infrastructure, relied upon by millions of developers and businesses. To illustrate that point: npm had 64B pull requests in January 2020 alone.”

So while the deal implies a bit more security for those businesses, it will inevitably spark fears that it will increase Microsoft’s influence on the open source space – as the company’s GitHub buy did back in 2018.

Ultimately, developers will vote with their feet.