The deal, announced by GitHub CEO Nat Friedman and NPM co-founder Isaac Schlueter, brings another major piece of open source code infrastructure under the control of GitHub's owner, Microsoft.
And it saves NPM from running out of money: Last summer, after going through an ugly labor relations battle that involved layoffs, union-busting, the departure of key talent, and the exit of its CEO, the company looked like it might run short on cash early this year.
A GitHub spokesperson declined to reveal the price to be paid for NPM.
Schlueter downplayed the undisclosed windfall. "It’s not a kajillion billion dollar 10x startup cinderella story, and we’ve taken our hits, but in the end we’ve done right by our community, team, and careers, and I’m extremely proud of what we’ve achieved," he wrote in a blog post.
"Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it," said Friedman in a blog post.
"Open source security is an important global issue, and with the recent launch of the GitHub Security Lab and GitHub’s built-in security advisories, we are well-positioned to make a difference."
Friedman said the CLI will remain free and open source. And later this year, he said, NPM customers paying for private package hosting will be able to move their code to GitHub Packages, a multi-language package registry.
The deal should also dovetail nicely with NPM's efforts to steer funds to under-compensated open source maintainers. GitHub has a service called GitHub Sponsors designed to facilitate donations.
Silverio said this has been her predicted endgame for years and she's surprised it took this long.
“The major takeaway from this is that it gives npm - a major component of a very large number of developers’ workflows - stability moving forward,” said Stephen O’Grady, co-founder of consultancy Redmonk, in an email to The Register.
“The business model for NPM as a standalone entity moving forward was always uncertain, but it should fit in nicely with GitHub’s macro direction and strategy.”
In an emailed comment, Brian Fox, co-founder and CTO of Sonatype, which runs the Java-focused Maven Central Repository, said it's important that critical open source infrastructure is well managed. It makes sense, he said, that NPM would "lean into Microsoft and GitHub to further their mission."