I didn't get into JavaScript development until about 2016-ish. Therefore, I missed a lot of the early stages of Node.js (and the io.js fork), npm, the rise of all of the frontend frameworks, etc.
To my surprise, I learned recently that npm, the package manager that ships by default with Node.js, is actually controlled by a for-profit company and it is not open source.
Python's pip and Java's Maven are both open source, and that seems to be the default for other programming languages' package managers.
There has been a lot of chatter and concern on Twitter about:
- moving the registry to the JS Foundation
- making it decentralized
- contingency plans should the company sell to a bad actor.
I have some questions I'm hoping someone with context can answer for me:
- Was npm always a for-profit company or did it start open source and eventually incorporate?
- How did Node.js decide to partner and ship with npm?
Top comments (2)
I would like to start with saying this is categorically untrue. The source is 100% available on GitHub and – as per the SPDX license list and the Open-Source Initiative – their license is technically open-source compatible.
npm itself does not have open-governance which is an entirely different matter.
Addressing some of your other points:
The JS Foundation will no longer exist after the merger into the OpenJS Foundation is finalized. The discussion has been about the OpenJS Foundation.
This line of discussion is – in my opinion – sensationalist, intentionally meant to scare people. It's based on context that was derived from an understanding that only a few people have from some investigation they did ~3 years ago that doesn't hold up in today's state of the world. It's just as much a possibility as npm finding critical success with npmE and personal accounts and eventually IPOing.
Addressing your questions:
npm was started as an open-source project, but as it turns out maintaining a registry of tens of thousands of modules can't be done for free. To keep the registry up it needed to be funded somehow.
This was an early decision (~0.1? ~0.2?) and is honestly (IMO) the reason that Node.js, npm, and JavaScript are as successful and widespread as they are today.
The open source claim is only partially true--the cli is open source, but the actual registry is not.