1. 69
  1. 49

    Note how the author carefully avoids ever mentioning the word “Microsoft” in this announcement.

    1. 6

      GitHub is an independent business unit within Microsoft. So saying GitHub is acquiring npm is correct.

      1. 17

        What is highlighted is that the word Microsoft has been avoided. That is more than correct.

        To understand the concerns, for example, one would not take notice if Oracle was trying to buy Java. And surely it would not have any impact on the open source spirit of the language. No. If that happened we would already know.

        1. 1


          1. 1

            GitHub will retain its developer-first ethos and will operate independently Source

            GitHub is a legal subsidiary of Microsoft, and has a separate CEO, separate healthcare systems, separate hiring process, etc. I’m just trying to make the point that the omission of Microsoft is correct from a technical standpoint. In fact, I’d argue that it’d be weirder for the statement to say Microsoft was acquiring npm.

      2. 31

        I don’t like all this centralization.

        1. 28

          All the packages were already centralized, though, and TBH I think Microsoft / Github are likely to be better stewards of the npm system, given all their resources.

          1. 10

            This. One can make the argument that there should be a fundamental shift in how we do package management, but that feels like a very different conversation. This is a critical piece of centralized architecture changing hands to an organization that is objectively better equipped to manage it, and that feels like a net win for the ecosystem.

            That doesn’t mean we can’t still have that conversation about shifting away from that centralized architecture, but I think we can still take this win.

            1. 6

              This is a critical piece of centralized architecture changing hands to an organization..

              ..that has a history of pulling crazy stunts just to make money. Uncomfortable indeed.

              1. 12

                Honestly, I was always kind of concerned that NPM, Inc. would do something insane / evil to make money. MS / GitHub don’t actually need to make money on this, that’s the benefit as I see it.

                1. 5

                  What stunts are you referring to? None really come to mind in the last decade, and the Github acquisition, while admittedly still in or close to the honeymoon phase, has overall seemed to go well. On the open source side of things, Microsoft’s management of TypeScript has been fine, and I haven’t heard too many complaints about how they’ve been doing in terms of maintaining VSCode.

                  1. 1

                    I agree that recently, I assume after Nadella started as CEO, MS has been doing a lot of great work to clean their track record.

                    So perhaps (hopefully!) things have structurally changed since the times they introduced their own version of Java, or since their tricks to retain a monopoly over internet browsing, or indeed originally their repackaging other people’s work just to sell an OS to IBM without primary experience in building it.

                    1. 6

                      Except for testing the waters whether it is time to be evil again.

                2. 3

                  The tools for decentralized package management already exist, to some extent. Both npm and pip, for example, support directly installing dependencies from sourcecode repos (ie. git). Granted, this means you have to ‘compile’ as part of your install process, which isn’t always feasible, but most of the time that’s fine.

                  1. 3

                    From working with Go, installing dependencies from repos leads to less reliable builds because when a single fetch fails go’s module resolver will abort. We ended up having to wrap lots of build tasks in retries in our tooling to handle network hiccups, and that still didn’t help that a single third party server being down can break everything.

                    The solution seems to be to run a centralized proxy that itself calls out to the repos to insulate your build from this problem. That is what go is doing now, and it seems to work pretty well. That gets you (theoretically) the best of being both distributed and reliable, buts it’s more involved than a centralized system.

                    1. 5

                      We use vendoring with Go. imho that’s the best: you do get decentralized repos, but you don’t need to download anything on dev machines or CI server.

                      1. 2

                        Another benefit of the Go proxy approach is that it does not require git and hg installation.

                      2. 2

                        Yep, totally agree! npm already can be run without needing an npm registry at all, but you can also run your own registry if you’d like (or use someone else’s). I was more trying to address calls for things like Entropic that always happen when npm, inc news comes up.

                  2. 6

                    In these trying times it’s important to remember that we need letrec.

                    1. 1

                      The alternative to npm is yarn, which is owned by Facebook. I’m not super comfortable with Github owning NPM, but I also think it will be fine considering you can run your own private repositories.

                      1. 13

                        yarn is still based on the NPM registry.

                        1. 7

                          The alternative to npm is yarn, which is owned by Facebook.

                          This is refuted in their own Q&A: https://yarnpkg.com/advanced/qa#is-yarn-operated-by-facebook

                          1. 5

                            A more relevant alternative is Entropic, which is actually decentralized and integrates with npm as a legacy source and was specifically developed to address the SPOF of an investor-backed startup.

                            However, development seems to have stalled at the end of last year: https://github.com/entropic-dev/entropic/commits/master

                            1. 2

                              Two of the core maintainers made statements this week on twitter that they cannot really work on it for a multitude of reasons.

                            2. 1

                              At the end of the day, you’re still using the Node.js ecosystem with all of its problems, one of which is how deeply entrenched npm and its registry are. The solution would be an alternative to Node.js.

                              If server-side JS is a requirement, then Deno looks interesting.

                          2. 18

                            Apparently I’m in the minority here, but thank god. Npm is too important to too many builds to be left in the hands of an independent company that owed investors and needed to monetise the network somehow. Microsoft the tools vendor has a long history of good works, and Microsoft the corporate steward has a recent history of mostly doing the right thing. Here’s hoping they can steer the product away from some of the questionable decisions of the past and into a more sustainable future.

                            1. 4

                              I’m with you. I’m glad that npm has a stable home now. For better or for worse, it’s an cornerstone of the modern Web and its disappearance would throw modern development into chaos. I also agree that MS has shown a good track record for being a steward of Open Source. Without companies like them, it’s hard to maintain these common resources.

                            2. 8

                              What do you think GitHub (and Microsoft) have to gain from purchasing the money pit that is npm?

                              1. 19

                                Controlling and being able to influence a piece of infrastructure critical to their other smash hit, TypeScript.

                                1. 2

                                  That makes sense to me. They have an investment in Typescript and an unstable npm makes it riskier.

                                2. 13

                                  Making Node.js cheaper and more reliable drives up demand for cloud servers.

                                  1. 7

                                    Brand awareness? github will be the first thing new JS developers get into contact with now, and they will never use anything else anymore.

                                    1. 6
                                      1. Developers, developers, developers.
                                      2. ???
                                      3. Profit.

                                      Having npm, GitHub, TypeScript and VSCode, Microsoft now owns large chunk of tooling used by huge group of developers. I’m not sure what the step 2 is, but probably Azure.

                                      1. 2

                                        Control and user-exposure to their services and products. Creating convenience for users is going to gear them towards using more services that the company provides, which in turn can make them more money.

                                      2. 6

                                        There are people in this thread who are concerned about 1) centralization in general, and 2) npm specifically.

                                        I’m surprised none of them have mentioned deno.

                                        Deno does not use npm: It uses modules referenced as URLs or file paths

                                        Deno does not use package.json in its module resolution algorithm.


                                        1. 1

                                          Probably not mentioned because no-one is using it [0] (I have nothing against deno, and think it’s an interesting project)

                                          [0] Ok, I’m sure someone is using deno. But on the scale of Node + web, no-one is using it.

                                        2. 6

                                          I hope the process of moving everyone over from NPM to NuGet will be smooth.

                                          1. 3

                                            The JS ecosystem had many problems already without Microsoft getting full control over a critical part of it. The ripples of this acquisition might change the web in the next years.

                                            1. 13

                                              Meh; Microsoft has had “full control” over TypeScript for many years (i.e. they started it), and that seems to be doing just fine. Similarly, Google has had “full control” over Go for many years and that’s doing just fine as well, etc. etc.

                                              I think that with companies the size of Microsoft or Google it’s a mistake to think of them as a single monolithic entity; they’re comprised of many different people, teams, goals, and priorities.

                                              1. 1

                                                What specifically do you think might happen?

                                                1. 3

                                                  I’m not an expert of the JS ecosystem, but I see two potential factors:

                                                  • Microsoft can now map companies to their JS dependencies and infer processes. Probably interesting for their marketing department, not really for the community. I can see how they will have some kind of advantage but I think it’s gonna stay confined to sales and not spill into Open Source politics. I won’t be too surprised if they find a way to hurt some communities in the process though.
                                                  • Microsoft can now pull packages from NPM if they find a good enough excuse to do it and they can change rules and so on. They control access and this gives them power. They might want to use this power to hurt Google or Facebook. Obviously these are nuclear options. A nuclear option was also changing the home page of your search engine to break non-webkit based browsers, but it seems to be a regular occurrence nowadays. I wouldn’t be surprised if Microsoft slowly manouvered itself in the position of playing with what can sit in NPM.

                                                  These are very shallow analysis of power-relationships in the JS ecosystem, that I personally don’t use. I’m sure more experienced people can find flaws in these scenarios and probably find more nuanced strategies that Microsoft might use. What I said is true for any centralized (and that’s why we should avoid such centralization of power for new ecosystems); I didn’t say anything really specific to NPM.

                                              2. 2

                                                It amazes me npm was VC funded in the first place…

                                                1. 2

                                                  I assume this means that NPM is now affected by Microsoft’s patent-related contracts.

                                                  As you may know, if I write some some software and you have pantents on something my software does (shame on you BTW), and then I give it to someone who has a patent license from you, then that someone may give it to others without enlarging the set of people you can sue. You can sue me and hope to win, and you can sue the someone who has a license, but the people downstream are a matter between you and your licensee.

                                                  Microsoft has a lot of patent licenses, and there are a lot of people downstream of NPM (and Github).

                                                  1. 1

                                                    This doesn’t make any sense to me.

                                                    If I host my code on Github, the copyright and license is set by me. Github (wholly owned by MSFT, but its own legal entity) is just the service provider. They can’t impose any restrictions just because they ultimately host the code.

                                                    1. 0

                                                      It’s not a restriction. It’s protection.

                                                      Assume that Microsoft has a license to Apple’s patents (Microsoft has lots of cross-licenses, I picked Apple as example just because I ate an apple just now). If Apple has a patent that covers your code, Apple can sue you (with a hope of success). If, however, you upload your code to Microsoft, then Microsoft’s license means that Apple can’t sue people who merely download from Microsoft, because those people got it from a patent licensee, namely Microsoft. You’re the only entity Apple can sue with any hope of success.

                                                      The key question is whether NPM becomes a subsidiary of Microsoft as defined in Microsoft’s patent deals with other bigcos.

                                                      I’ve been told that this also covers second-level copies. So if I build an android app that pulls in a third-party library from jetpack.io, which in turn downloads the source from github, Microsoft’s many patent licenses protect me from evil patent suits.

                                                      1. 1

                                                        I see someone downvoted as factually incorrect. I’d be thrilled to hear an argument.

                                                        AIUI the effect on open source users is basically an effect of a very desirable effect: When you buy a toaster or a car or something, someone who has patent quarrels with the vendor can sue the vendor, but really, really, really should not be able to involve random customers in that fight. And it doesn’t matter whether the “vendor” is a manufacturer or just a thin shell that got the patentable matter from an OEM and passed it on unchanged.

                                                        1. 1

                                                          OK, thanks for clearing that up. I still think that you as the author are responsible for any patent infringement. Otherwise MSFT would have to scan each and every repository for possible license issues - whether violations or being in coverage.

                                                          1. 1

                                                            You are responsible for the code you write (and perhaps having your code on Github/NPM makes it simpler for evildoers to find you).

                                                            All this does is provide an effective defense to NPM/Github users. An effective protection for the several million lines of third-party code I use is not a small thing ;)