Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.
So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm have also had their moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.
What is npm?
npm is the package manager for Node.js, and anyone who has used it will recognize the node_modules folder in your project munching all your disk space. Packages are installed individually with a command like npm install express, or from a package.json file, which contains details of all a project’s dependencies. If you want to read more about how npm manages dependencies and how its parallels with the Node Module Loader allow some neat simultaneous version loading, npm have written a nice explainer here.
What is its history?
npm was started in 2009 by [Isaac Schlueter], who details in a blog post his thoughts on the recent acquisition.
npm Inc is a company, not an entirely open source project. They provide the open-source registry as a free service, and charge a fee for private, commercial packages. It has previously been rumored that there was trouble making ends meet from low quantity, low fee license sales.
As a business, it has previously received venture capital funding, and also brought in new executive management to attempt to dramatically increase revenues. Under new management, numerous employees were dismissed, with many claiming they were dismissed unfairly. Further employees resigned voluntarily, raising questions about company culture and the stability/longevity of npm. We hope that the acquisition by GitHub will relieve the financial pressure on the company and allow it to resolve these issues whilst serving the open-source community more effectively, under stable conditions.
In npm’s blog post, [Isaac Schlueter] talks about how an acquisition by GitHub has been on the cards for a while, even recounting how he asked GitHub product lead [Shanku Niyogi] why on earth they hadn’t already bought npm.
Why did it seem so obvious? With the source for so many npm packages hosted on GitHub, and GitHub launching the moderately popular GitHub Packages, it seemed only natural that both could benefit from tighter integration. So what might we see in the future?
Many users of GitHub will be familiar with its automated security alerts for vulnerabilities. When your project contains a dependency with a disclosed security vulnerability, GitHub sends you an automated email or notification containing the level of risk, the affected code, and an automatically generated pull request that fixes the issue. This is a pretty neat feature, and this author has been glad of it on numerous occasions. While this works well in theory, in complex projects with many interdependent packages, I’ve found that the automated security fixes can sometimes awkwardly bump package versions without fully propagating through the dependency tree, requiring a lot of manual hassle to fix.
I’m very hopeful that this acquisition can bring about a security update experience with much tighter integration with npm, whether that’s making the automated updates more intelligent and frictionless for the developer, or making it easier for maintainers to disclose vulnerabilities and release automated GitHub patches faster. In GitHub’s blog post announcing the acquisition, they state their commitment to using the opportunity to improve open source security, and their aim to “trace a change from a GitHub pull request to the npm package version that fixed it”.
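One way to catch the failure mode described above (a security bump landing only on the top-level copy while nested copies in node_modules stay on the old version) is to walk package-lock.json yourself after the automated PR merges. This is an added example, not code from the article, GitHub or npm; the lockfile, the package names some-parser and some-cli, and the versions are constructed for illustration.

```javascript
// Added example (not from the article): after an automated security PR bumps a
// dependency, check that the fix reached every copy in package-lock.json, not
// just the top-level one. Reads the "packages" map of lockfileVersion 2/3 and
// needs no third-party semver module.

// Constructed sample lockfile: the top-level "some-parser" was bumped, but a
// nested copy installed under "some-cli" is still on the old version.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-parser": { version: "1.2.6" },
    "node_modules/some-cli": { version: "0.5.1" },
    "node_modules/some-cli/node_modules/some-parser": { version: "0.0.8" },
  },
};

// Parse "1.2.3" (dropping any -prerelease/+build suffix) into numeric parts.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// True when version a sorts strictly below version b (major, minor, patch).
function isLowerThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Every installed copy of `name`: keys are install paths such as
// "node_modules/a/node_modules/b", so match on the trailing path segment.
function findOccurrences(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/" + name))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies of `name` still below `fixedVersion`; an empty result means the bump
// really propagated through the whole dependency tree.
function unpatchedCopies(lock, name, fixedVersion) {
  return findOccurrences(lock, name).filter((h) => isLowerThan(h.version, fixedVersion));
}

// Expected: one hit, the nested copy at node_modules/some-cli/node_modules/some-parser
console.log(unpatchedCopies(SAMPLE_LOCK, "some-parser", "1.2.6"));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the first fixed version from the advisory.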
As far as GitHub Packages is concerned, the aim is to move all private packages from npm’s paid service to GitHub Packages, with the view of making npm an entirely public package repository.
Even with these obvious benefits in mind, there is still some uncertainty as to whether the move was driven and initiated by GitHub for these reasons, or whether it’s because of the value it provides to Microsoft as a whole instead.
What npm means to Microsoft
Microsoft’s appetite for open source is growing. It seems like yesterday that we wrote about Microsoft acquiring GitHub, and despite all the speculation on its future at the time, it only seems to have grown stronger with the extra resources available. Since the acquisition, we’ve notably seen the release of free unlimited private repos, GitHub Security Lab and GitHub Actions, all welcome and overdue features that have been well-received in the open-source community. GitHub mobile apps for iOS and Android have also been released in the past few days, attracting a few raised eyebrows for not being open source.
It’s yet to be determined whether npm will have any integration with any of Microsoft’s offerings, or if it’s purely of use to GitHub. At this stage, it’s hard to say, though it’s telling that GitHub announced the move along with their strategy, whilst Microsoft has stayed quiet on the topic.