Microsoft's GitHub absorbs NPM into its code-hosting empire: JavaScript library vault used by 12 million devs now under Redmond's roof

Developers! Developers! Developers! And all their infrastructure!


On Monday GitHub announced it plans to buy NPM Inc, which operates the npm repository relied upon by 12 million JavaScript developers.

The deal, announced by GitHub CEO Nat Friedman and NPM co-founder Isaac Schlueter, brings another major piece of open source code infrastructure under the control of GitHub's owner, Microsoft.

And it saves NPM from running out of money: last summer, after going through an ugly labor relations battle that involved layoffs, union-busting, the departure of key talent, and the exit of its CEO, the company looked like it might run short on cash early this year.

A GitHub spokesperson declined to reveal the price to be paid for NPM.

Schlueter downplayed the undisclosed windfall. "It’s not a kajillion billion dollar 10x startup cinderella story, and we’ve taken our hits, but in the end we’ve done right by our community, team, and careers, and I’m extremely proud of what we’ve achieved," he wrote in a blog post.

The npm repository hosts 1.3 million JavaScript-oriented libraries that get downloaded 75 billion times a month, popularity that has made it difficult for NPM to police its vast code holdings. Under GitHub's roof, JavaScript developers can look forward to better vetted code components for their applications, more reliable infrastructure, and ties to GitHub's other services.

"Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it," said Friedman in a blog post.

"Open source security is an important global issue, and with the recent launch of the GitHub Security Lab and GitHub’s built-in security advisories, we are well-positioned to make a difference."

Friedman said the npm CLI will remain free and open source. And later this year, he said, NPM customers paying for private package hosting will be able to move their code to GitHub Packages, a multi-language package registry.

The deal should also dovetail nicely with NPM's efforts to steer funds to under-compensated open source maintainers. GitHub has a service called GitHub Sponsors designed to facilitate donations.


"The acquisition is good for the JavaScript ecosystem," CJ Silverio, a principal engineer at Eaze who previously served as NPM Inc's CTO, told The Register. "Github is the best possible home culturally. To cap it, Microsoft has the money and the incentives to fund all the world’s Javascript development."

Silverio said this has been her predicted endgame for years and she's surprised it took this long.

“The major takeaway from this is that it gives npm - a major component of a very large number of developers’ workflows - stability moving forward,” said Stephen O’Grady, co-founder of consultancy Redmonk, in an email to The Register.

“The business model for NPM as a standalone entity moving forward was always uncertain, but it should fit in nicely with GitHub’s macro direction and strategy.”

While GitHub's stewardship of the npm repository may be good for the JavaScript community overall, it has dampened the ardor to develop alternatives like the federated Entropic project, as did GitHub's entry into the package registry business.

In an emailed comment, Brian Fox, co-founder and CTO of Sonatype, which runs the Java-focused Maven Central repository, said it's important that critical open source infrastructure is well managed. It makes sense, he said, that NPM would "lean into Microsoft and GitHub to further their mission." ®

Biting the hand that feeds IT © 1998–2020