
NPM Is Joining GitHub - mholt
https://github.blog/2020-03-16-npm-is-joining-github/
======
throwaway78359
Microsoftie here — throwaway for obvious reasons.

Microsoft doesn’t do everything right but the GitHub acquisition has honestly
gone better than I ever expected. Rather than forcing GitHub to adopt
Microsoft-centric policies, Microsoft has adopted more GitHub stuff,
especially from a product POV. GitHub still runs as a separate company
(different logins and health care and hiring systems) with its own policies
and point of view.

The reality is npm was in a bad place and in a land of not good options, this
strikes me as the best possibility. I’d rather have GitHub control this and be
able to give the resources to npm than a company like Oracle or Amazon or even
Google or Facebook to own it. In a perfect world, some independent entity
could fund npm out of gratitude but at the same time, consider how poorly npm
as a company was run for YEARS and the general lack of direction.

So yeah, I’m cautiously optimistic this won’t be fucked up by GitHub — but I
understand the concern.

As for those worried about Microsoft embracing, extending, and extinguishing.
Lol. Even if that was the goal (and I truly don’t think that’s the ethos at
all any more), Microsoft is laughably incompetent at achieving that sort of
strategy. Google and Amazon have the EEE under lock right now (Facebook too —
let’s be glad Zuck didn’t buy this after we saw what happened to yarn), but
Microsoft can’t even put coherent dev strategy outside of .NET on Azure.

~~~
lewisl9029
Given that Microsoft for all intents and purposes killed Atom (along with
their really promising xray project [0]) almost immediately after the
acquisition [1] even after explicitly claiming they wouldn't [2], please
excuse me for not seeing the GitHub acquisition in the same positive light.

[0] [https://github.com/atom-archive/xray](https://github.com/atom-archive/xray)

[1] They never officially announced it, but they almost certainly de-staffed
it to the point where it's barely on life support:
[https://imgur.com/a/jQBHsUk](https://imgur.com/a/jQBHsUk)

[2]
[https://www.reddit.com/r/AMA/comments/8pc8mf/im_nat_friedman...](https://www.reddit.com/r/AMA/comments/8pc8mf/im_nat_friedman_future_ceo_of_github_ama/e0a2b2e/)

Update:

What a surprise, the VSCode fanboys are coming in droves to downvote and say
nothing more than how Atom was going to die anyways.

Sure, maybe it was, but that's not the point. The point is Microsoft _actively
pulled development resources away from Atom after explicitly claiming they
wouldn't_.

I get that a lot of people like VSCode better than Atom, but _please_ put
things into perspective for a moment and consider if you'd make the same
comment if the same thing happened to _your pet project that happened to be #2
in popularity but then got axed after being acquired by the company who owned
the #1 after claiming they wouldn't do exactly that_.

Whatever your opinion might be on Atom vs VSCode, can we not at least agree
that this kind of behavior is something we should hold acquiring companies
accountable for? It might not make any difference to their bottom line at the
end of the day, but the least we should do is hold them to the fire in the
court of public opinion.

~~~
chipotle_coyote
Counter thesis: what "killed" Atom is the balance of user enthusiasm quickly
shifting to VSCode. Well before the acquisition was even announced, VSCode
started grabbing developer mindshare real, real fast. I remember being an Atom
user who resisted that tide for a while, but it became pretty clear that
VSCode was taking off like a rocket and Atom, well, wasn't.

If commit activity graphs are really a meaningful measure, look at VSCode's:

[https://github.com/microsoft/vscode/graphs/commit-activity](https://github.com/microsoft/vscode/graphs/commit-activity)

The number of commits per, uh, date unit (the graph is not super clear on that
axis, honestly) across the entire length of VSCode's activity graph rarely
drops as low as the _highest_ number of commits per date unit for Atom.

I'd have preferred to see both survive and do well, but that really hasn't
been the way the text editor space seems to have worked. Editors that are
conceptually awfully similar to one another tend to have one dominant player:
TextMate (at least for Macs), then Sublime Text, then Atom, then very quickly
Code. Given that Code and Atom are probably the closest of any two in that
list, this just isn't that surprising.

~~~
lewisl9029
It would be delusional of me to claim that VSCode wasn't already winning in
terms of mindshare by a large margin when the acquisition happened. That's not
what I'm claiming here.

Atom still had a healthy number of active contributors (presumably most of
them were from GitHub) making improvements to the product on a daily basis to
make it a perfectly viable tool for the people who chose to use it (and
despite the much smaller developer base they continued to innovate with
projects like xray and tree-sitter)... That is until the Microsoft acquisition
happened.

Before anyone jumps in with the causation vs correlation argument, I think any
reasonable person looking at the evidence would agree that the timing is
convenient enough to make it highly unlikely to have been a coincidence,
especially considering that most of those contributions were from employees at
GitHub who were _getting paid to work on Atom_, so the only reasonable
explanation for the contributions to stop abruptly within a month is that they
_stopped getting paid to work on Atom_.

To add insult to injury they even had the audacity to claim they wouldn't do
exactly what they did. That is the crux of my issue with how they handled this
acquisition.

~~~
sequoia
From Microsoft's perspective, what's the advantage to them or their users to
pay for two somewhat similar free offerings to be worked on in parallel? Given
that one was gaining in popularity by leaps and bounds while the other was
rapidly losing market share and relevance, what course would you recommend?
"Fund both indefinitely, to keep the handful of atom users that want new
features happy"? Be reasonable.

~~~
ss3000
I don't think anybody's expecting them to fund both indefinitely, but given
that their soon-to-be new CEO went on the record to say that they would
actually keep funding Atom development, I feel it's fairly reasonable to
expect that they wouldn't pull funding from Atom almost completely as soon as
the acquisition went through. That's a really shitty move no matter how you
look at it.

~~~
chipotle_coyote
He said "we will continue to develop and support both Atom and VS Code going
forward," which at least of right now is still happening -- Atom 1.45 was
released last week, along with 1.46 beta 0. The conjecture that they've
effectively defunded it is reasonable, but it's still conjecture, and even if
they have it doesn't actually break Friedman's (possibly quite deliberately
worded) statement.

------
K0nserv
This seems like a good outcome overall. NPM being such an important pillar in
the software supply chain while having an unviable business model and largely
being funded by VC money was never a good position to be in. There are
problems with more of the software ecosystem consolidating with a single
entity but it still feels like an improvement.

~~~
mbesto
> NPM being such an important pillar in the software supply chain while having
> an unviable business model and largely being funded by VC money was never a
> good position to be in.

Why does NPM need to be funded as a commercial entity at all? What other open
source library has a private company running its package manager? This one
still boggles my mind.

~~~
timrod
For programming languages, there are several examples of commercially run
package managers:

- the Java/Kotlin/Scala ecosystem is based around maven central, which is run by Sonatype, Inc.
- Go modules are hosted by Google. Previously, most libraries were hosted on Github
- Rust's crate index is on Github
- The Docker/Moby registry is run by Docker, Inc. (though that might be a stretch for "package manager" :))

~~~
monadic2
I wasn’t aware that I was a commercial entity because I use github!

~~~
iterator5
I think the point is that you are using a commercial entity to host your code.
There is a bill for the code you have hosted, and you aren't the one paying
for it.

~~~
monadic2
If that was the point why did they write “commercially run”? That is
explicitly about management, not hosting or single points of failure.

------
sytse
Thanks to Microsoft/GitHub for this acquisition. NPM is essential to the
Javascript eco-system and it is hard to have a business model for just a
registry. In the ruby eco-system the awesome Ruby Together
[https://rubytogether.org/](https://rubytogether.org/) was started to run the
registry. In this case one of the worlds most valuable companies will run it,
which means it doesn't need a not-for-profit.

Regarding "trace a change from a GitHub pull request to the npm package
version that fixed it" will there be an API to add a source in case the change
was made outside of GitHub? Although I recognize that the vast majority of
changes to npm packages happen on GitHub.

~~~
Vinnl
That must make you nervous over at GitLab, no? GitLab's integrated workflow is
one of its main selling points (I love it), and GitHub now seems to be well
underway to cross that moat.

~~~
sytse
It is exciting to see that having everything in a single application is being
validated by GitHub. Last year it was very clear they are switching from a
marketplace model to a single application by including Verify (CI), Package,
and Secure.

We think Git(Lab|Hub) will become the two most popular solutions and we look
forward to this competition
[https://about.gitlab.com/handbook/leadership/biggest-risks/#...](https://about.gitlab.com/handbook/leadership/biggest-risks/#competition)

I think the companies that should be nervous are ones that have only one stage
or ones that have multiple stages but as a suite of applications instead of a
single application
[https://about.gitlab.com/handbook/product/single-application...](https://about.gitlab.com/handbook/product/single-application/)
There are a lot of these
[https://about.gitlab.com/devops-tools/](https://about.gitlab.com/devops-tools/)

~~~
IAmEveryone
> It is exciting to see that having everything in a single application is
> being validated by GitHub

I wish Gitlab would get over this passive-aggressive negging of GitHub.

I would squirm seeing something like that among any two competing companies.
But it takes a strange configuration of overcompensating an inferiority
complex to use it for the specific case of one company starting out as an
explicit clone of another, to then lord any small feature the original company
may have followed over them.

This isn't the first time. I've seen it dozens of times, and I don't even
specifically care about these two companies.

~~~
slimsag
I don't think GP's comment was negging or passive-aggressive at all. The
original GP said "That must make you nervous over at GitLab, no?" so it only
seems rational to explain that they see this as validation and not as a risk.

Somehow, you took this explanation of why they aren't worried about this and
turned it into a passive-aggressive stance..

------
batmansmk
VsCode, Typescript, Github, NPM.

And Microsoft doesn't even have to maintain the main runtime, Google does.
What a clever strategy!

~~~
BiteCode_dev
Yes, they almost own the entire JS ecosystem at this point.

They lost a decade of battles for the web, but it seems they just found a way
to get back in the fight.

Now at the IE 6 times, that meant monopoly, and it was terrible news.

But today, it means more competition between the giants, which is very good
for us.

~~~
sbarre
One could argue that the IE6 of our times is Google Chrome at this point..

~~~
impatient_bacon
Safari.

~~~
dlivingston
Care to explain? Safari has one of the highest standards compliance of any
modern browser [0], which IE famously did not.

It has been argued with various success [1] that Chrome is the new I.E., due
to "Chrome exclusive" web standards.

[0]:
[https://html5test.com/compare/browser/safari-11.2/chrome-30/...](https://html5test.com/compare/browser/safari-11.2/chrome-30/firefox-60/edge-12.html)

[1]:
[https://news.ycombinator.com/item?id=16070595](https://news.ycombinator.com/item?id=16070595)

~~~
Spivak
I think the honest truth is that a lot of developers see Safari similarly to
IE because Firefox and Chrome are quick to jump on and ship new features and
"if only Safari kept up" they could be used "everywhere". Combined with the
fact that iOS is large enough that you can't just drop Safari support and tell
them to use Chrome.

It's a weird world where webdevs apparently ideally just want everyone on the
6-second-old version of Chrome. I totally get it -- it's an absolutely
rational stance but it feels a lot like how devs felt about IE6 at the
beginning.

~~~
oorza
You're right, IE6 was amazing at the time. It made a ton of things possible
that previously hadn't been, and the standards bodies were lagging behind it.
Had MS actually kept updating IE6 and kept it ahead of the standards, the
standards would never have mattered, and we'd never have developed this sick
taste for IE. No one hated that they had a monopoly, we hated that they had a
_stagnant_ monopoly.

~~~
aduitsis
Those of us that were using non-MS OSes like Linux or FreeBSD or Solaris back
then hated it that sites were made to work correctly only on IE.

------
flanbiscuit
I wonder if more people will look into adopting Deno[1], the new node
alternative by one of the creators of Node. It does not use NPM, you pull in
packages Go-style (via URLs[2]). It's supposed to be more secure because you
have to explicitly give it access to anything (i.e. network, file system,
etc).

[1] [https://deno.land/](https://deno.land/)

[2] example import in Deno:

    import { serve } from "https://deno.land/std@v0.36.0/http/server.ts";

Previous HN about Deno:
[https://news.ycombinator.com/item?id=22102656](https://news.ycombinator.com/item?id=22102656)

~~~
wwweston
The thought that's going into Deno about permissions and upstream package
issues has me considering it where I've generally rejected node.js for
anything serious (also recognizing that it's probably early for production
use).

------
skrebbel
Assuming this was an acceptable exit: I'm impressed that NPM pulled this off.
They were basically doing the "no revenue model to speak of, hope we'll get
acquired by a bigco" startup play that was starting to go out of vogue already
when they were founded.

I wonder to what extent they've had influence over their own success at all
though. Basically they had to hope that JS stayed popular (it did), that Node
stayed relevant (it did) and that the entire JS ecosystem would move over to
NPM (it did, but I'd say rather despite NPM than because of it) (I mean,
otherwise Yarn wouldn't even exist, right?).

So basically their bet was:

\- Turn NPM into a startup

\- Keep the lights on

I bet I'm missing all kinds of key behind-the-scenes stuff, but still, I don't
know many startups that manage to successfully exit by "just" keeping the
lights on. In a weird cringey way, it's motivating.

~~~
tdumitrescu
Here's what isaacs writes in the NPM blog post
([https://blog.npmjs.org/post/612764866888007680/next-phase-mo...](https://blog.npmjs.org/post/612764866888007680/next-phase-montage)). It
doesn't seem like anyone on the NPM team did great financially from this:

"I have a set of goals that I wrote down back then, and have shared openly
with the team.

...

3\. Get a big enough exit that I can quit my job and see what comes out of me
a second time.

4\. Share the rewards equitably with the people who got npm to where it is.

...

On (3), well, I’m still working a jobby job, but I always knew that was a long
shot, and “make npm a better package manager” is a job I enjoy. And as for
(4), I’m proud of the deals that we’ve been able to negotiate for the team.

It’s not a kajillion billion dollar 10x startup cinderella story, and we’ve
taken our hits, but in the end we’ve done right by our community, team, and
careers, and I’m extremely proud of what we’ve achieved."

------
franciscop
I'm surprised there's not a single mention of "Microsoft" in this or the npm
announcement [1], given the old-evil-history of Microsoft and the new-nice
Microsoft we have today.

I would expect that there was at least a mention, considering the reason that
most modules in npm are still in ES5 is _exactly_ because of the monopolistic
practices that Microsoft followed back in the day which makes Internet
Explorer still relevant.

Not negative, not positive comment. Just surprising there was no mention. And
I do think Microsoft is doing a great job recently with Open Source in
general.

[1] [https://blog.npmjs.org/post/612764866888007680/next-phase-mo...](https://blog.npmjs.org/post/612764866888007680/next-phase-montage)

~~~
banachtarski
I installed Windows Subsystem for Linux 2 on an older machine just now. The
MSFT of today is definitely a far cry from the MSFT of yesteryear. Such a
thing would have been unheard of 15 years ago.

~~~
fredsted
Embrace, extend, extinguish?

~~~
reaperducer
My prediction, that my IT department hates to hear, is that Windows is going
away.

Microsoft doesn't want to be Microsoft anymore; it wants to be Oracle and IBM
and primarily make money off of business consulting and the cloud.

I think Windows will eventually become a presentation and slowly-phased-out
compatibility layer on top of Linux, similar to the way macOS became Unix, but
even less different than its underlying OS.

However, it should be noted that I'm not very good at predicting things.

~~~
dnautics
> I think Windows will eventually become a presentation and slowly-phased-out
> compatibility layer on top of Linux.

I think this is unlikely. In many ways the NT kernel is superior to the Linux
kernel. I just wish it were open source and didn't have the rest of windows
around it.

~~~
ForHackernews
Since when has technical superiority ever determined which product wins in the
marketplace?

The Linux kernel is ubiquitous and free-as-in-beer, so it might win out.
Android has already shown how you can build a proprietary userland on top of
it.

~~~
pjmlp
And how fragmentation on Linux profits OEMs, each with their own little
distribution, not giving anything back.

------
sandov
"Github acquires npm" would be a better title IMO.

~~~
hinkley
I am glad that the npm team will finally have some adult supervision.

Meanwhile, I _almost_ have my team switched to yarn.

~~~
Normal_gaussian
yarn v1+ or yarn v2/berry?

Switching to berry has been a huge PITA over here, but I don't want to give up
workspaces

~~~
hinkley
Our 'workspace' is so ornate that yarn couldn't handle it. 1.21+ almost looks
right, but something very bad is still going on with mocha deduping, such that
tests are failing with really bizarre error messages.

I check yarn about every three months, or when I find a new, infuriating bug
with the npm CLI (so, every couple of months on average). I think npm install
suffers greatly from not having a formal spec. It has been bugfixed by so many
different individuals now that it has reached a truly astounding level of
schizophrenia.

If yarn didn't exist, I would have started trying to break down the install
problem into many independent concerns that can be reasoned about individually
and tried to solicit help in making a full installer out of it. If I'd known
I'd still be trying to make yarn workspaces work for us 18 months later I
probably would have.

Node modules in general have some bad patterns of delegation that are utterly
antagonistic to self-documentation, and both yarn and npm seem to suffer from
this as well. I think in the next week or so I'm going to have to set up a
small test case that exhibits the yarn bug I'm seeing, or any of the half a
dozen interlocking (emphasis on 'lock') npm bugs that now have me painted into
a very tiny corner.

~~~
IsaacSchlueter
Your take on the installer in npm v6 is not wrong. It got that way by a
process of gradual iterative evolution, and it has lots of warts.

npm v7 features a ground-up rewrite of the tree resolution and deduplication
logic in the @npmcli/arborist module. I recommend checking it out, or at least
staying tuned for the beta coming soon.

------
Brendinooo
I occasionally forget that Microsoft bought GitHub. They certainly don't do
anything here to remind me of that fact.

How separate from MS has GitHub been in day-to-day operations?

~~~
kdaigle
I've been at GitHub for 7 years and we operate independently but have the
support and resources of Microsoft when we need them. IMO, they've been
amazing partners but day to day the GitHub team builds, prioritizes, and
supports GitHub.

~~~
nojvek
It's totally the smart thing to do. Github needs a ton of cloud compute with
github actions, Azure powers it. Github brings a very strong brand that
developers love, which gives Microsoft a good rep amongst technical folks.

This is as good as Google acquiring Youtube because Youtube needs an insane
amount bandwidth and it was a perfect fit for Google's infrastructure and ad
platform.

It's just sad to see Google not playing the Developers game well.

------
rtsao
I hope this doesn't alter the current GitHub npm package registry policy where
all packages _must_ be published under a scope corresponding to the name of the
owning GitHub user/org. The resulting increased transparency and clarity of
ownership will be great for the JS ecosystem.

The existing npm ownership model is markedly less clear and has led to several
problems, including the transfer of package publishing rights to bad actors
without anyone being aware. On the whole, npm accounts and orgs were always
just an unnecessary abstraction that obscured the actual provenance of
software, of which GitHub is the de facto source.

~~~
toastal
Does this mean using alternatives (GitLab, et al.) is not an option?

The worst option has been Elm's system where the whole package system requires
you to not only use GitHub, but when GitHub is down (which isn't uncommon
unfortunately) packages that weren't cached locally were inaccessible with no
mirroring options.

------
cfv
Microsoft does have a much better track record in terms of keeping their
products alive than other Way Way Large companies that could have made this
acquisition, and for that I'm pretty glad.

That said, and just in case their notoriously warlike legal team manages to
fumble this somehow, I'd like to take the opportunity to remind every other
frontender that Verdaccio ([https://verdaccio.org/](https://verdaccio.org/))
exists, is easy to implement, and relatively low maintenance.

------
bepotts
Gotta respect how Microsoft couldn't build anything the open source community
wanted to work with/on so instead they used their Windows and Office monopoly
to buy everyone's favorite playgrounds.

~~~
mythz
They should get props for TypeScript & VSCode.

~~~
bepotts
They do and I will give them props for that. But no company should have as
much control over open source that Microsoft does.

~~~
mythz
They should & deserve to have full control over everything they've created.

You can blame AWS/GCP for letting GitHub & npm be acquired, how many years
were they on the open market?

Most of the $$$ in OSS is being funneled towards rent-seeking major cloud
providers that are hosting OSS software, who should all have blank checks
with the money they've reaped so far, but seems only Microsoft has the
strategic savvy to focus on acquiring the obvious targets for increasing dev
mindshare. I don't fault them for their M&A's, it's just good business.

~~~
roguecoder
It's also not like Amazon is being an amazing open source citizen; I don't see
them acquiring the tech to be an automatically-better outcome than the current
version of Microsoft doing so.

IMO this shows the importance of separating technology from platform. Ideally
we would have non-profit groups with good governance & corporate support
(rather than control) to grow these technologies. If an open source project
can be acquired, it's only so free.

------
brenden2
This kind of consolidation is probably not good for everyone who depends on
open source projects. Microsoft now owns a significant portion of software
distribution.

------
mythz
Just like GitHub this is a cloud play to make Azure more appealing by meeting
developers where they're at, increase dev mindshare/reach, hosting their
packages, CI Scripts/Actions then making it seamless to deploy to Azure.

Smart, have no idea where AWS or GCP's control team are at when these
strategic plays are going down.

~~~
Jaxkr
I honestly think that Google cloud platform will be shut down within a couple
years. It seems like it’s losing the war very badly.

~~~
IceWreck
I am honestly amazed that there is no official way to install Fedora or Fedora
CoreOS on GCP. There are no images even on the GCP marketplace.

Stuff like this is what irritates me. Even small vps providers have this.

------
simlevesque
I did not see that coming. I trust Microsoft to be able to offer great
availability and nice software. It is maybe not the best overlord we could
have hoped for but it's way better than the status quo.

------
no_wizard
I see this as a straightforward play, simply put, I think (to summarize,
perhaps a little too broadly)

\- They want to sell Azure Services

\- Most (if not all) NPM packages already live on github

\- NPM has a business revolving around package management, including private
npm instances and increasingly around node/package security

\- This being primarily a business that will sell to has-money businesses
(e.g., medium to large businesses, Fortune 500 corporations etc)

So, given all of the above, it makes sense to have a vertical selling into one
of the fastest growing package management ecosystems where you can be the
"full stack" provider of developer/enterprise tools.

I don't think its anything beyond this, personally. I expect to see a lot of
pushes to integrate with Azure Pipelines, cloud deployment etc. centered
around this.

I wonder if they'll buy Passenger[0] next, it's a popular way (in my experience) to
deploy nodejs applications.

[0] [https://www.phusionpassenger.com/library/](https://www.phusionpassenger.com/library/)

------
Phenix88be
I'm always worried when things like this happen:

Critical open source entities are bought by private company. I understand the
need for money and sustainability these entities need, but it's really a shame
that the open source community doesn't "own" themselves.

------
talawahtech
Ok now Microsoft just needs to acquire what remains of Docker and their
Developers, Developers, Developers, Developers collection will be complete.

------
duxup
I understand some folks' trepidation but where was npm going anyway?

~~~
CivBase
Am I weird for thinking it didn't need to go anywhere?

~~~
duxup
My understanding was that financially they were not going to last long doing
what they were doing.

~~~
ThrowawayR2
That raises the question of how GitHub/Microsoft plan to profit off the
acquisition though? It can't be just for goodwill or marketing.

~~~
ecnahc515
These companies don't need to profit off of acquisitions. If they're going to,
it doesn't have to be direct either, it can be a method of growing their sales
funnel if nothing else, or even just acquiring talent.

------
TAForObvReasons
NPM's blog post: [https://blog.npmjs.org/post/612764866888007680/next-phase-mo...](https://blog.npmjs.org/post/612764866888007680/next-phase-montage)

------
ryanmarsh
How much did Microsoft pay? What did the founders take away?

Most people don’t know, in these open source acquisitions by for-profits
there’s money involved and “founders” get an exit. Not always clear to the
public who those are or what they took home from a mostly volunteer effort.

~~~
lioeters
I too was curious about how much the acquisition cost. According to
TechCrunch:

> GitHub, the developer repository owned by Microsoft, made a little deal of
> its own this morning when it bought JavaScript packaging vendor npm for _an
> undisclosed amount_.

[https://techcrunch.com/2020/03/16/github-nabs-javascript-pac...](https://techcrunch.com/2020/03/16/github-nabs-javascript-packaging-vendor-npm/)

------
austincheney
Is this a too big to fail kind of charity acquisition?

~~~
markovbot
no, this is microsoft "embracing" (buying control of) a huge point of
centralization in a software distribution ecosystem, positioning them to have
greater power over a huge number of developers.

~~~
JMTQp8lwXL
Microsoft turned their reputation around in recent years with developers but I
wonder how long it will last.

~~~
bepotts
I think people are "okay" with Microsoft because so many hackers have a
problem with the data agglomeration and monetization strategy of Google and
Facebook, but this Microsoft "embrace" will come to a head within the next
couple years and I just can't wait for it.

The way people think Microsoft's embrace of open source, GitHub, and now NPM
is genuine is completely ridiculous. Microsoft had to change because much of
where the action was is on *nix systems. Microsoft will start to use these
companies to make developers embrace Microsoft services. It's only a matter of
time.

~~~
KarlKemp
I can't even come up with a scenario of _how_ MS would realistically do so?
Sure, making GH actions easier to set up with Azure than AWS seems plausible,
but also strikes me as somewhat benign.

Banning python from Github? Requiring \r\n for NPM packages? What's the move
you're afraid of?

~~~
Vinnl
One question GitLab's CEO (sytse) is rightfully asking is whether the ability
to trace code from npm back to the repository will be available to
competitors. If not, less competition is bad for users.

I still think this is good news, given where npm is coming from, but it's
certainly not risk-free.

~~~
roguecoder
This is where effective anti-trust enforcement is important and valuable.

Until we come up with better trusted federation protocols there will be
natural monopolies, but that doesn't mean they get unchecked power. We have
laws for that.

------
hateful
They could probably save tons just by deduping the npm and github homepages of
every package!

------
petey283
I worry that this is too much consolidation.

~~~
Analemma_
I hope you're spending lots of money at independent places then, because this
is the inevitable result of the current "OSS infrastructure funded by VC
charity" model. NPM was losing money, as was GitHub when Microsoft bought
that. Under such conditions, getting bought out by a megacorp is the only path
forward.

------
hn_throwaway_99
Current me loves this, and I love all the GitHub tools they've added recently.

Future "5-10 years down the road" me _knows_ this will suck, ending up where
all concentrated monopolies end up...

------
nojvek
Github announced the Github packages feature a while back, but without npm it
didn't quite make sense. Acquiring npm means github not only hosts source
code, but packages as well. With Github Actions, they want to be the one stop
shop for code lifecycle and be at the forefront of javascript ecosystem.

If developers love Github, they love the cloud. Microsoft is betting big on
the cloud, they lost the Mobile war but they definitely want to be the
developer and cloud darlings.

------
KaoruAoiShiho
There's plenty of alternatives already so I don't see MS being able to do
anything untoward. /shrugs, I'll panic only if something bad happens.

------
okareaman
I'd like to see Microsoft bring Ryan Dahl (original author of node) back in
the fold by sponsoring/buying Deno with TypeScript. It's a good fit.

------
jrimbault
Interesting transitive ownership/dependencies here.

------
aikah
Who predicted it 5 months ago? hmm?

[https://news.ycombinator.com/item?id=21031266](https://news.ycombinator.com/item?id=21031266)

I also predicted a few more controversial things but if you think in terms of
ecosystem and cloud market strategy, then it makes perfect sense.

------
mekster
What I'd hope: Somehow make packages more secure than hoping that nothing is
tainted in the dependency. I think this is the biggest issue of a volunteer
package repo.

What I'd not hope: MS changes strategy with change of people etc and npm and
GitHub rot.

------
cjamesd
Most important question: Will you still be able to see user-submitted phrases
explaining the npm acronym? (See upper left-hand corner of
[https://www.npmjs.com/](https://www.npmjs.com/))

~~~
kyle-rb
Damn, someone just beat me to "Now Part of Microsoft"

[https://github.com/npm/npm-expansions/pull/2936](https://github.com/npm/npm-expansions/pull/2936)

------
rodgerd
Microsoft have been making their code analysis tools available in GitHub post-
acquisition; doing the same for npm could really help improve the risks JS
programmers face when pulling in libraries from npm.

------
ryanmccullagh
Microsoft owns so many day-to-day tools and platforms. LinkedIn, GitHub, NPM.

------
breatheoften
(Wishful thinking ...) Does this mean the next release of npm will be yarn v2
and that typescript will implement support for the pnp spec so we can converge
the javascript packaging space to a sane place?

~~~
Vinnl
There already is a Yarn v2: [https://dev.to/arcanis/introducing-yarn-2-4eh1](https://dev.to/arcanis/introducing-yarn-2-4eh1)

~~~
breatheoften
Does typescript support pnp somehow now? (That's actually the thing I'm
wanting ...). npm's cli going away was an attempted tease (in bad taste I
think)

------
hrjd
At anytime in the future, the product might have licensing gotchas to run
elsewhere than Microsoft cloud products.

This is already happening with Windows and SQL server licensing. This will
happen sooner or later.

------
thawkins
Time to get behind Deno

[https://en.m.wikipedia.org/wiki/Deno_(software)](https://en.m.wikipedia.org/wiki/Deno_\(software\))

Built by the node team to replace node.

------
cpr
Interesting subtle implications that the NPM paying users are going to be
moved to Github's distribution system, while maintaining the OSS version of
NPM for everyone else.

------
z3t4
Was gonna write about all the bad stuff that can happen, but don't want to
give any ideas. Instead I give advice; embrace and empower, rather than extend
and extinguish.

------
pmwatson
After how Microsoft have handled GitHub I'm not worried.

However even a non-.NET web-developer now could be using quite a bit of
Microsoft owned tech; VSCode GitHub npm Azure

------
classified
So essentially, Microsoft has bought npm. Smart move. Seeing that node.js
builds on top of Googleware, this is not the worst that could have happened.

------
dubcanada
Wait, so is it joining Microsoft? Or is it under Github, which is under
Microsoft?

I don't fully understand the way it's governed from this article.

~~~
clarkbw
Part of GitHub (I work at GitHub and lead the Packages team)

~~~
mceachen
Can I be so bold as to suggest a new feature?

It'd be wonderful, as a package consumer, to have visibility into some
security metrics for a given package. This would be useful both at initial
install time, and when the package is upgraded. Something like:

1) who are the latest commits GPG signed by?

2) is the package publisher using 2FA?

3) what is the security profile of all dependent packages?

4) are there any new authors (directly or via dependencies) since the last
version (with links to the author and their contributions).

These might help avoid prior situations where popular packages get injected
with malware by new maintainers.
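Item 4 of the list above (new accounts since the last version, directly or via dependencies) as an added example that is not part of the thread and is not GitHub's or npm's code; the registry documents, package names and account names below are constructed, and dependencies are exact pins so no semver resolution is needed.

```python
from typing import Dict, Set

# Constructed stand-in for npm registry packuments (name -> version -> metadata).
# Real registry JSON carries `maintainers` and a per-version `_npmUser`; every
# name here is made up, and dependencies are exact pins (no semver resolution).
REGISTRY: Dict[str, Dict[str, dict]] = {
    "left-widget": {
        "1.0.0": {"_npmUser": {"name": "alice"},
                  "maintainers": [{"name": "alice"}],
                  "dependencies": {"tiny-util": "1.0.0"}},
        "1.1.0": {"_npmUser": {"name": "mallory"},
                  "maintainers": [{"name": "alice"}, {"name": "mallory"}],
                  "dependencies": {"tiny-util": "1.1.0"}},
    },
    "tiny-util": {
        "1.0.0": {"_npmUser": {"name": "bob"},
                  "maintainers": [{"name": "bob"}], "dependencies": {}},
        "1.1.0": {"_npmUser": {"name": "bob"},
                  "maintainers": [{"name": "bob"}, {"name": "eve"}], "dependencies": {}},
    },
}


def authors_of(name: str, version: str, registry: dict,
               seen: Set[str] = None) -> Dict[str, Set[str]]:
    """Publisher and maintainers of one package version plus, transitively,
    those of its dependencies. Returns package name -> set of account names."""
    seen = set() if seen is None else seen
    key = f"{name}@{version}"
    if key in seen:                      # guard against dependency cycles
        return {}
    seen.add(key)
    meta = registry[name][version]
    names = {m["name"] for m in meta["maintainers"]} | {meta["_npmUser"]["name"]}
    result = {name: names}
    for dep, dep_version in meta["dependencies"].items():
        for pkg, accounts in authors_of(dep, dep_version, registry, seen).items():
            result.setdefault(pkg, set()).update(accounts)
    return result


def new_authors(name: str, old: str, new: str, registry: dict) -> Dict[str, Set[str]]:
    """Accounts present anywhere in the tree of `new` but absent from the tree
    of `old`: the 'new maintainer since last version' signal worth reviewing."""
    before = authors_of(name, old, registry)
    after = authors_of(name, new, registry)
    return {pkg: accounts - before.get(pkg, set())
            for pkg, accounts in after.items()
            if accounts - before.get(pkg, set())}
```

Upgrading the constructed `left-widget` from 1.0.0 to 1.1.0 flags `mallory` on the package itself and `eve` on its dependency, which is exactly the kind of diff a reviewer would want to see before accepting the upgrade.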

~~~
clarkbw
Yes, we (internally) call this a "Bill of Health" and believe that all
packages should have this kind of diff-able information available.
Understanding what's happening at the source level is key to being able to
trust any package published.

~~~
mceachen
NICE! It would be wonderful to expose that information!

Somewhat related, I believe NPM pulled in (or co-opted) some of the heuristics
from this: [https://github.com/npms-io/npms-analyzer](https://github.com/npms-io/npms-analyzer)
(but those don't seem to include any of the aspects I suggested above).

------
dzonga
in as much as I love Github, putting our eggs in one basket as developers is
gonna burn us sooner or later. we need redundancies in the system, so that if one
thing goes down, the world can go on as normal. now we're centralizing github
as a single failure point. we've already seen the panic outages of Github
or S3 cause.

------
inputError
THANK FUCKING GOD

------
thulecitizen
Yay more centralization! What could possibly go wrong with critical components
being hosted by one big corporation?

------
Jaxkr
This is pretty great. NPM was struggling to monetize and is a critical part of
the JavaScript ecosystem.

------
goofballlogic
A sad day I think. I wish more independent ecosystems were evolving, instead
of consolidating.

------
ilaksh
For how much money I wonder.

------
mtkd
Mid Oct 2009 -- Github ceased gems.github.com to focus on source control

------
debt
Thank god. NPM is so crappy it desperately needs institutional support.

------
mekoka
Next in line is Canonical.

------
jxub
NPM is joining GitHub, GitHub joins Microsoft, Microsoft joins... ;)

------
rambojazz
What are they buying, precisely? Open source software?

------
papito
You are all Microsoft developers now :)

------
nathcd
<tangent>

Sometimes I wonder what the business world (and the internet) would be like if
mergers and acquisitions weren't allowed. Like, if businesses had to be
sustainable or they'd just die, rather than capturing a whole market while
eating VC money, maybe we'd all be better off? All of the really embarrassing
stuff coming out of SV would just go away? Just Pinboards and Sourcehuts and
Mastodons ruling the web?

I'm capitalistically illiterate, so somebody please tell me why this thought
is stupid.

~~~
cortesoft
What would happen to all the tech, equipment, and employees after the company
goes out of business? We have to burn it?

If we did that, it would be a crazy waste of resources. The alternative is to
let another company buy the stuff... and if a company buys the failed
company's tech, equipment, and hires their staff... that is basically the same
as buying the company.

~~~
nathcd
I mean, what would normally happen is employees look for new jobs, equipment
is sold, and tech is thrown away (or open sourced in rare cases). Doesn't this
already happen all the time?

~~~
cortesoft
It happens when no one wants the tech... but if it has value, it will be sold
at liquidation time.

------
ginko
Am I the only one surprised that there's an npm Inc. to be acquired?

Why is there a for-profit corporation behind every open source project these
days?

------
larodi
I didn't so far realize that npm was a company, and not a tool. Wow.

------
1337shadow
Any npm alternative yet?

------
znpy
this should really be titled "npm is joining Microsoft"

------
collyw
I hope it's not going to do a left-pad fiasco on everything in github.

------
craftyguy
title should be "microsoft acquires NPM"

------
abledon
what does this mean for yarn?

------
lucaspottersky
WHAT. A. JOKE.

------
pavlov
Heh, I called this 10 months ago:

[https://news.ycombinator.com/item?id=19838122](https://news.ycombinator.com/item?id=19838122)

Somebody replied "Microsoft won't acquire npm for sure."

~~~
RuleOfBirds
Neat contribution! You guessed one thing, someone else guessed another, but
they were wrong, and you were right! Yay on @pavlov. Boo on them.

~~~
pavlov
A special day. The stock market is down 388% and 142% of people are predicted
to die, but I got Internet karma points for guessing something right and
that's what really counts.

------
justlexi93
Happy to hear this. Microsoft has been doing a great job with Github IMO.

------
ezekg
Sorry, but npm burned me too many times. It is (was?) the worst package
manager I've ever used. Not a fan of npm the company either. I'm sticking with
yarn.

~~~
joshiefishbein
Yarn is majorly only a CLI. It still uses NPM as the source for most packages.

The product Github is probably most interested in is NPM as a repository for
packages, not its CLI.

------
sergiotapia
I'm not liking the consolidation. Never ends well, ever. Not even in one case
in the history of humanity.

I'll be switching from Github to other providers for my own projects, and use
a different editor soon (using vscode now).

------
29athrowaway
Hopefully they don't drop Linux support like they did with Skype, Minecraft,
Xamarin[1], Corel Office and a long list of products.

Their strategy from my perspective is to ensure Linux does not become a
competitor for their desktop OS.

1: it never had Linux support.

~~~
chungy
Skype returned with a Linux client, and Minecraft never dropped Linux support
at all.

~~~
29athrowaway
Minecraft for Linux does not have the same features.

~~~
chungy
What features are you talking about? It literally uses the same launcher and
same jar files. It's exactly the same game.

------
zozbot234
It's on there already. [https://github.com/npm/](https://github.com/npm/) and
[https://github.com/npm/cli](https://github.com/npm/cli)

~~~
applecrazy
No, NPM _the company_ is being acquired by Github.

