What Does GitHub’s Npm Acquisition Mean For Developers?

Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.

So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm has also had its moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.

What is npm?

Many Hackaday readers will be familiar with npm (Node Package Manager), one of the backbones of the open-source JavaScript community. If you’ve played around with any kind of web or JavaScript project recently, you’ve probably used npm to install and manage dependencies, with it currently servicing 75 billion downloads a month. It is the most popular package manager for JavaScript, and enables re-use and sharing of modules throughout the JavaScript community; it’s what’s responsible for the node_modules folder in your project munching all your disk space.

At its most basic level, npm allows you to download and install JavaScript modules from the online registry, either individually, by running for example, npm install express, or installing from a package.json file, which contains details of all a project’s dependencies. If you want to read more about how npm manages dependencies and how its parallels with the Node Module Loader allow some neat simultaneous version loading, npm have written a nice explainer here.

npm is certainly not without criticism or competitors, but most developers are familiar with basic use, and I think would agree that it’s played a vital role in the growth of the JavaScript ecosystem, whether that’s new frameworks, niche modules, Typescript, polyfilling or testing.

What is its history?

npm was started in 2009, by [Isaac Schlueter], who details in a blog post his thoughts on the recent acquisition.

npm Inc is a company, not an entirely open source project. They provide the open-source registry as a free service, and charge a fee for private, commercial packages. It has previously been rumored that there was trouble making ends meet from low quantity, low fee license sales.

As a business, it has previously received venture capital funding, and also brought in new executive management to attempt to dramatically increase revenues. Under new management, numerous employees were dismissed, with many claiming they were dismissed unfairly. Further employees resigned voluntarily, raising questions about company culture and the stability/longevity of npm. We hope that the acquisition by GitHub will relieve the financial pressure on the company and allow it to resolve these issues whilst serving the open-source community more effectively, under stable conditions.

Enter GitHub

In npm’s blog post, [Isaac Schlueter] talks about how an acquisition by GitHub has been on the cards for a while, even going so far as recounting asking the GitHub product lead [Shanku Niyogi] why on earth they hadn’t already bought npm.

Why did it seem so obvious? With the source for so many npm packages hosted on GitHub, and GitHub launching the moderately popular GitHub Packages, it seemed only natural that both could benefit from tighter integration. So what might we see in the future?

Many users of GitHub will be familiar with its automated security alerts for vulnerabilities. When your project contains a dependency that has had a security vulnerability disclosed, GitHub will send you an automated email/notification containing the level of risk, the affected code, and an automatically generated pull request which fixes the issue. This is a pretty neat feature, and this author has been glad of it on numerous occasions. While this works well in theory, in complex projects with many interdependent packages, I’ve found that the automated security fixes can sometimes awkwardly bump package versions without fully propagating through the dependency tree, requiring a lot of manual hassle to fix.

I’m very hopeful that this acquisition can bring about a security update experience with much tighter integration with npm, whether that’s making the automated updates more intelligent and frictionless for the developer, or making it easier for maintainers to disclose vulnerabilities and release automated GitHub patches faster. In GitHub’s blog post announcing the acquisition, they state their commitment to using the opportunity to improve open source security, and their aim to “trace a change from a GitHub pull request to the npm package version that fixed it”.

As far as GitHub Packages is concerned, the aim is to move all private packages from npm’s paid service to GitHub Packages, with the view of making npm an entirely public package repository.

Even with these obvious benefits in mind, there is still some uncertainty as to whether the move was driven and initiated by GitHub for these reasons, or whether it’s because of the value it provides to Microsoft as a whole instead.

What npm means to Microsoft

Microsoft’s appetite for open source is growing. It seems like yesterday that we wrote about Microsoft acquiring GitHub, and despite all the speculation on its future at the time, it only seems to have grown stronger with the extra resources available. Since the acquisition, we’ve notably seen the release of free unlimited private repos, GitHub Security Lab and GitHub Actions, all welcome and overdue features that have been well-received in the open-source community. GitHub mobile apps for iOS and Android have also been released in the past few days, attracting a few raised eyebrows for not being open source.

A cynic might say that acquiring npm is a cheap way of Microsoft trying to win some sentiment from the open-source community, and of course, that may be a factor, but the move will have technical benefits for them too. Microsoft are increasingly big users of JavaScript, and are invested in the ecosystem. Notably, they’ve created Typescript, and they need a stable and solid package repository as much as any group of developers.

It’s yet to be determined whether npm will have any integration with any of Microsoft’s offerings, or if it’s purely of use to GitHub. At this stage, it’s hard to say, though it’s telling that GitHub announced the move along with their strategy, whilst Microsoft has stayed quiet on the topic.

Conclusion

I don’t think anyone can deny that the open-source JavaScript development experience has the potential to become significantly smoother when the largest source repository becomes more integrated with the largest package repository. It remains to be seen how these improvements are implemented, whether they’re made available for public/private users, and how kind they’ll be to open-source competitors, but only time will tell.

33 thoughts on “What Does GitHub’s Npm Acquisition Mean For Developers?

  1. GitHub growing is not remarkable if M$ puts some USD160000000 into it. But how many open source projects have left github since? Microsoft has personally cost me a month of my life while doing my end-year project for school, because of their FUD campaigns from back then, and deliberate deviations form existing long established protocols even as simple as FTP. Never again will I ever let that company into my live again.

    What would be the greatest threat for “Open Source” in general. Microsoft or Venture Capital?

    1. Funny, as FTP is one of the worst protocol. Requiring a second connection for data transfer? Many parts that are not well defined but more by conversion and “most do it like X”? Odd timing issues? Total lack of security? FTP has it all for you.

      And, I’ve not seen anything major leave github. And their service has only improved after Microsoft acquired it. Not saying Microsoft is a great company (I’ve had my own bad experience with them, much more directly) but github so far is going fine.

      Not sure what they want with NPM, as it promotes cargo cult programming…

      1. FTP is like the VGA connector.
        Simple lowest common denominator that always end up saving the day when other things falter.
        So crippling FTP is like puncturing your lifeboat and hoping your yacht never sinks.

  2. Why do you insist upon saying that Microsoft claimed another “victim”? Really? I’m not a Microsoft fan, but acquisitions aren’t necessarily evil. Microsoft is big enough that you can’t accurately label it’s entirety with a single good/bad label. There are some genuinely good people there and some truly reprehensible ones.

    I’m hoping that the result will be Microsoft actually supporting open source projects by putting their money into the ecosystem. I’m sure that npm will change, but time will tell.

    1. “Embrace, Extend, and Extinguish”
      I would wager we are on step 2, based on 35 years of past Microsoft corporate behavior. Most will not admit Google and Apple are just as distructive, but they have better PR around community feelings of goodwill.

      I have had code running since 1990’s, and have seen no acts of selfless-kindness from most of the corporate world so far. Generally if you are a M$ shop, than you are redeploying your product on an 18-month cycle out of necessity, and it is going to cost you… especially as a commercial entity when your IT department gets shaken down with a BSA license audit.

      Better to “cash in than sell out” as some folks say… you can’t spend ingratitude ;-)

        1. Ha! With Apple you would still use tiny monochrome monitor box with major overheating problems. Want to fix it? Good luck. Special Apple screwdriver will set you back $400 or so.

          1. Try to be more considerate, as that was an unfair comment…
            We all know that industrial designer did not try to patent rounded corners, and deserves some level of respect given its functional lifespan was far greater than the new macbook pro.

        2. Kinda ironic seeing as people are starting to miss computers you could fix yourself, and E-ink screens would be amazing for programming work or general reading/writing if it wasn’t for refresh rate.

  3. “They provide the open-source registry as a free service, and charge a fee for private, commercial packages. It has previously been rumored that there was trouble making ends meet from low quantity, low fee license sales.”

    We may see more “acquisitions” as open-source struggles with the reality of making a living.

    1. You also see “acquisitions” as open-source companies like RedHat are raking in the profits and becoming takeover targets.

      Amazon and google are based on open source technology, Facebook and Netflix are also major open source contributors, who will be acquiring them?

      Remember that the world’s richest guy got to be where he is, because he embraced open-source technology. Amazon would never have come into existence if they had to pay the big $$$ for licenses for web servers and SSL libraries. Do you remember the. huge gouging prices for these items in the 1990s? apache and openssl were truly a blessing for the entrepreneur

  4. I’m not an expert on the open source community by any means, and I’m fairly green in the world of software (approx. 10 years hobbyist + professional)…
    But…as long as I and other conscientious geeks can burn a livedisk, boot a FreeBSD server, and run Apache on port 80, there will sure as #### be open source, and evilcorp can kindly go #### itself.

    1. watcha gonna do when your ISP blocks incoming connections on port 80 unless you pay $1000 a month for a business class connection?

      freebsd is a fun toy to learn BSD but it is maintained by volunteers who are generally not paid for their work. If you want a properly maintained BSD system then you should get a Macintosh.

      Watcha gonna do when there is a zero day in freebsd, all of the “volunteers” are too busy with revenue-generating jobs to work on your “free stuff” and your web server gets hacked? Here’s a hint for you: developers who are capable of fixing security issues are not cheap, they don’t work for free.

      1. Here is a hint for you: check how many processes you have running on your Apple box. Hundreds. Each one of them is security risk. Now check FreeBSD or OpenBSD. Less than 10. Now that’s a server.

        1. A great point, Miroslav! This is one of the reasons I got off Linux for hosting and personal projects and went down the BSD rabbit hole—it seems less cluttered, there is barely anything installed by default. I wish the community were bigger!

      2. Hmm…I would be sad if my ISP held :80 for ransom. But why would that change? If it came to that, I’d move hosting over to a Digital Ocean VM. I don’t expect DO, a major provider, would get hassled by an ISP like I might.
        I have a MacBook, and it’s a fine machine. But the kernel is the same as BSD, no? If I’m not mistaken, you’re making the argument that open source has inherent, deal-breaking security risks (this argument crops up often). I keep up with the CVE database, and for a major distribution like FBSD, that simply isn’t the case.
        I’m not sure that all, or even most open source contributors do it for free on personal time. My experience is they use the project at work, and extend and maintain the project so their employers can keep selling Ding Dongs and signing paychecks.

  5. Microsoft has great traditions of making insecure software. Using npm encourages to mindlessly install random packages googled on stackoverflow with hundreds of more random dependencies. It matches with these traditions perfectly :)

    1. I’m reminded of this:
      https://www.theregister.co.uk/2020/03/26/corejs_maintainer_jailed_code_release/
      And also of the trend for websites to downright depend on scripts from third-party sites to even work.
      I can’t help but imagine that managing to compromise one of the popular third-party site script sites must be a wet dream for black hatters.

      Keep your scripts on your own webserver, and update them only for security reasons.
      Outsourcing it to other is blind trust and a security nightmare.

  6. wow. I feel like I am back in high school / college. I cannot believe this same conversation has lasted well over 20 years! It has been long enough I have subscribed to at least 3 different sides of the argument.

  7. Interesting comments here. All about the technical side or on the financial side.

    What Microsoft got with github and nom is a list of skilled developers, an enormous database to wade through to learn about their skills, their behaviour, their code quality, their reactiveness, their soft skills when answering to questions.
    This is a gold mine for the HR department.

  8. Late to the party, but I was searching for something else when I stumbled on this article. I’m surprised nobody mentioned the competitive link between npm & fb-sponsored yarn…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.