GitHub Acquires npm, Buying Microsoft a Presence in the Node/JavaScript Community

Code repository service GitHub is in the process of acquiring the preeminent software registry for Node.js and JavaScript modules, npm , the two companies announced Monday.

GitHub plans to invest in npm’s infrastructure, with the hopes of bringing some much-needed modernization to the platform, GitHub CEO Nat Friedman promised in a blog post . It also may help free the rapidly-growing registry from the considerable financial and personnel turmoil that it has been inflicted with over the past few years.

” We will make the investments necessary to ensure that npm is fast, reliable, and scalable,” Friedman wrote. “We will actively engage with the JavaScript community to get your ideas and help us define the future of npm.”

The npm service houses 1.3 million packages, which currently get 75 billion downloads a month. The Node.js runtime makes it easy for developers to download packages that help run their own software, and these dependencies, as they are also called, are also widely used across other parts of the JavaScript community.

GitHub has pledged to keep the public registry free for use, and to bring substantive improvements. The company wants to “improve the core experience,” vowed Friedman. “Some bigger features that we’re excited about are Workspaces and improvements to the publishing and multifactor authentication experience,” he wrote.

In the long term, GitHub will work to integrate npm into GitHub, which could tighten the security of the supply of open source dependencies. The work will allow developers to “trace a change from a GitHub pull request to the npm package version that fixed it,” Friedman wrote.

Like GitHub itself, npm supports private registries through services such as npm Pro, Teams, and Enterprise. These services will continue to be offered, as well as enhanced through integration with GitHub Packages, a multilanguage packages registry. “Later this year, we will enable npm’s paying customers to move their private npm packages to GitHub Packages — allowing npm to exclusively focus on being a great public registry for JavaScript,” Friedman wrote.

The acquisition should also be a good move for GitHub parent company Microsoft, which has been expanding its reach into the open source community over the past few years. In turn, Microsoft will be able to bring financial stability to npm operations, while maximizing the use of these assets, notedLawrence Hecht, an analyst for The New Stack.

Source: Sonotype.

No Cinderella Story

First created in 2009, npm (short for Node Package Manager) was designed as an online package manager for sharing JavaScript modules. The company npm.inc was formed in 2014 to scale the technology necessary to meet its tremendous demand. It ran into a number of issues along the way, not the least being the security, and subsequent unavailability, of the Left-Pad package , which left an untold number of JavaScript programs inoperable. And even as the service grew in popularity, it continued to experience monetization issues. It also faced criticism over labor management and executive hires .

“It’s not a kajillion-billion-dollar-10x-startup cinderella story, and we’ve taken our hits, but in the end, we’ve done right by our community, team, and careers, and I’m extremely proud of what we’ve achieved,” wrote npm inc co-founder Isaac Z. Schlueter , in a blog post.

Early reaction to the news seems to be positive. In “the case of GitHub buying npm, it’s good news all around (and nicely solves the npm monetization issue),” wrote Amazon Web Services developer evangelist and long-time open source observer Matt Asay , in a Tweet .

“Today’s news that GitHub will be acquiring npm is a positive and logical step to ensure the stability and security of the open source npm registry for JavaScript developers. We know and trust the GitHub leaders who have the experience to build upon the important contributions by many, which made npm the leading open source package management resource it is today.” said Robin Ginn , executive director, OpenJS Foundation , in a statement.

My primary motivator for five years at npm was to keep the registry running forever. That is now assured. GitHub was always the company that made the most sense to integrate with npm, and I’m glad it became possible.

— Laurie Voss (@seldo) March 16, 2020

Sonotype is a sponsor of The New Stack.