It is the third such effort to emerge since March, when clashes between NPM Inc's newly appointed management and employees led to layoffs and complaints by axed employees alleging union busting. The first was developer Victor Bjelkholm's Open-Registry. The second was Microsoft's GitHub Package Registry.
Former staff have another idea
"The registry that lists all of this shared code is also part of our commons," she said. "It’s how we share all that stuff with each other, how we find it. Another thing that’s part of our commons is the set of conventions we’ve evolved around that – the ways we agree to name and update the things we share. But all of that is wholly owned by a VC-funded private company. This is the thing we’ve given away."
"NPM does not love you," she said. "NPM cannot love you. NPM, Inc is a Delaware corporation founded as a financial instrument intended to turn money into more money for a handful of men."
Pointing to the recent layoffs that even NPM Inc has admitted it handled poorly, Silverio said the Oakland-headquartered biz cannot be trusted because the community has no way to hold it accountable for its actions.
Not just about the money
"Every time you run an audit, NPM gets a look at your package-lock file, chock-full of interesting data nuggets about what you’ve been up to," she said.
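To make the point concrete, here is an added example (not code from the article, from Entropic, or from NPM Inc) that walks a package-lock.json and reports the inventory it carries: every package name and version, and the hosts the tarballs were resolved from, which is how a private registry's hostname ends up in the file. It handles both the lockfileVersion 1 nested "dependencies" layout and the lockfileVersion 2/3 flat "packages" map. The two sample lockfiles, the project name, the "@acme" scope and the internal registry host are all constructed for this example.

```javascript
// Added example: what a package-lock.json discloses. Not part of the original
// article. The lockfiles below are constructed, including the integrity values.

const SAMPLE_LOCK_V1 = {
  name: "internal-billing-service", // constructed project name
  version: "3.4.1",
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: "4.17.1",
      resolved: "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      integrity: "sha512-CONSTRUCTED",
      dependencies: {
        "body-parser": {
          version: "1.19.0",
          resolved: "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz",
          integrity: "sha512-CONSTRUCTED",
        },
      },
    },
    "@acme/internal-auth": { // constructed scoped package on a private registry
      version: "2.0.0",
      resolved: "https://npm.internal.example.com/@acme/internal-auth/-/internal-auth-2.0.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

const SAMPLE_LOCK_V2 = {
  name: "internal-billing-service",
  version: "3.4.1",
  lockfileVersion: 2,
  packages: {
    "": { name: "internal-billing-service", version: "3.4.1" }, // root entry
    "node_modules/express": {
      version: "4.17.1",
      resolved: "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
    },
    "node_modules/express/node_modules/body-parser": {
      version: "1.19.0",
      resolved: "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz",
    },
  },
};

// lockfileVersion 1: a tree of "dependencies" objects, nested per package.
function collectV1(deps, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    out.push({ name, version: meta.version, resolved: meta.resolved });
    if (meta.dependencies) collectV1(meta.dependencies, out);
  }
}

// lockfileVersion 2/3: a flat "packages" map keyed by install path; the
// package name is whatever follows the last "node_modules/" segment.
function collectV2(packages, out) {
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === "") continue; // the project itself, not a dependency
    const idx = key.lastIndexOf("node_modules/");
    const name = idx === -1 ? key : key.slice(idx + "node_modules/".length);
    out.push({ name, version: meta.version, resolved: meta.resolved });
  }
}

// Summarize the dependency inventory and the registry hosts the lockfile names.
function summarizeLockfile(lock) {
  const entries = [];
  if (lock.packages) collectV2(lock.packages, entries);
  else collectV1(lock.dependencies, entries);

  const hosts = new Set();
  for (const e of entries) {
    if (!e.resolved) continue;
    try { hosts.add(new URL(e.resolved).host); } catch { hosts.add("unparseable"); }
  }
  const registryHosts = [...hosts].sort();
  return {
    project: `${lock.name}@${lock.version}`,
    packageCount: entries.length,
    packages: entries.map((e) => `${e.name}@${e.version}`).sort(),
    registryHosts,
    // Anything other than the public registry is a hostname you may not
    // want a third party to learn about.
    privateHosts: registryHosts.filter((h) => h !== "registry.npmjs.org"),
  };
}

console.log(JSON.stringify(summarizeLockfile(SAMPLE_LOCK_V1), null, 2));
```

Run against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))`; the `privateHosts` list is the quickest check for whether the file names infrastructure that should stay internal.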
Entropic, available under an open source Apache 2.0 license, aims to provide an alternative, one that's trustworthy because everyone runs their own repository.
"Entropic is federated," Silverio explained. "You can depend on packages from any other Entropic instance, and your home instance will mirror all your dependencies for you so you remain self-sufficient."
She added that the software will mirror any packages installed by a legacy package manager, which is to say npm. As a result, the more developers use Entropic, the less they'll need NPM Inc's platform to provide a list of available packages.
At the moment, the project is suitable for those interested in improving the code. In time, she hopes it will become robust enough for the broader developer audience.
Silverio argues that the coming decade will bring more federation, which distributes costs, after years of consolidation and monolithic services.
"We should not be owned by a single company, and we shouldn’t let that company control our destiny," she concluded. "We need to take back control. I’d like us all to rebuild the future together." ®
PS: NPM Inc has a new CTO: Ahmad Nassri.