GitHub to Acquire Npm in an Effort to Provide Continuity and Improvement

GitHub's CEO Nat Friedman has announced an agreement to buy npm, the default package manager for the Node.js ecosystem. According to Friedman, npm will remain free to use and will receive the investment required to keep it fast and reliable, as well as to make it more secure.

Npm hosts over 1.3 million packages, serving about 75 billion downloads a month. GitHub's plans to grow it even further will focus on three different dimensions: improving the infrastructure, improving the developer experience, and engaging with the community.

GitHub also confirmed its commitment to npm's current plans for the next version of the npm CLI, which will include support for Workspaces. Workspaces will introduce a number of features that make it possible to manage multiple packages from within a single top-level package, as is already possible with yarn, a competing package manager.

One specific focus for npm improvements, says Friedman, will be security. Npm has been hit by a number of major security incidents in the past, and many developers think that using it entails an unnecessarily high risk.

GitHub has been steadily improving its security support over the last few years, including security alerts, automated dependency checking, and more. Among the security improvements Friedman announced for npm, it will become possible to trace a change from a GitHub pull request to the corresponding npm package version that includes it.
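As an added example (not code from the article, from GitHub or from npm), this is how far a practitioner can get today, by hand, toward the pull-request-to-package tracing described above: it reads the `repository` and `gitHead` fields that `npm publish` records in a version's registry document and builds the corresponding GitHub commit URL. Both fields are written by the publisher and are not verified by the registry, so the resulting link is a claim to check, not proof of provenance. The registry document below is constructed sample data.

```python
import json
import re

# Constructed sample of an npm registry version document (not real package data).
SAMPLE_VERSION_DOC = json.dumps({
    "name": "example-pkg",
    "version": "1.2.3",
    "repository": {"type": "git", "url": "git+https://github.com/example-org/example-pkg.git"},
    "gitHead": "0123456789abcdef0123456789abcdef01234567",
})

# Matches the GitHub URL forms npm commonly stores in "repository": git+https://,
# https://, ssh/git@ and the "github:owner/repo" shorthand.
_GITHUB_RE = re.compile(
    r"^(?:github:|git@github\.com:|(?:git\+)?(?:https?|ssh|git)://(?:[^@/]+@)?github\.com/)"
    r"(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+?)(?:\.git)?/?$"
)


def github_repo_from_url(url):
    """Return 'owner/repo' for a GitHub repository URL, or None for anything else."""
    match = _GITHUB_RE.match(url.strip())
    if match is None:
        return None
    return f"{match['owner']}/{match['repo']}"


def trace_version_to_commit(version_doc_json):
    """Map a registry version document to the GitHub commit it claims to be built from.

    Returns None when the document lacks a GitHub repository or a well-formed
    gitHead, since in that case the claim cannot even be checked.
    """
    doc = json.loads(version_doc_json)
    repo_field = doc.get("repository")
    # "repository" may be an object with a "url" key or a bare string.
    url = repo_field.get("url") if isinstance(repo_field, dict) else repo_field
    repo = github_repo_from_url(url) if isinstance(url, str) else None
    head = doc.get("gitHead")
    if repo is None or not isinstance(head, str) or not re.fullmatch(r"[0-9a-f]{40}", head):
        return None
    return {"repo": repo, "commit": head, "url": f"https://github.com/{repo}/commit/{head}"}
```

Because gitHead is publisher-supplied, the next step for a reviewer is to confirm that the referenced commit exists on the named repository and that the tarball contents match what that commit builds.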

In a statement to InfoQ, a GitHub spokesperson further clarified the company's intentions to improve npm security:

Central to our approach is the belief that the security of open source can only be achieved by all members of the open source community working together. We think npm, as a core part of the open source infrastructure, will let us move open source security forward in meaningful ways. The biggest opportunities are around making the workflows from authoring, validation, and publishing more consistent and secure.

This would include using two-factor authentication and combining and strengthening GitHub's and npm's separate vulnerability databases.

In a separate announcement, npm's founder Isaac Schlueter expressed his conviction that npm will get better through GitHub's acquisition and highlighted GitHub's pre-existing efforts to enter the package repository arena with GitHub Package Registry, later renamed simply GitHub Packages.

GitHub's announcement sparked many reactions among developers. The largest share of them brought up the fact that Microsoft, which bought GitHub less than two years ago, is the company actually acquiring npm, and that big corporations often do not do a great job of keeping up with their initial intentions after acquiring a product or service. A few pointed out that GitHub itself is proof that this need not always be the case, although GitHub's own acquisition is still very recent in relative terms.

Other commenters brought up the idea that a large developer community should not depend on a single for-profit entity, and that the ideal case is represented by most Linux distros, Perl's CPAN, Python's PyPI, RubyGems, and others, which are all run by volunteers and funded by donations. Those donations usually also include large contributions from corporations that use the repositories, without any single corporation being able to control a repository's future.
