
GitHub has completed its acquisition of NPM - theBashShell
https://github.blog/2020-04-15-npm-has-joined-github/
======
throwaway894345
For those who were having deja vu, this is a notification that GitHub
completed its acquisition of NPM.

~~~
behindsight
Indeed, and here is the accompanying HN discussion when they first announced
their intent

[https://news.ycombinator.com/item?id=22594549](https://news.ycombinator.com/item?id=22594549)

------
VonGuard
This is a good thing. When they were independent, NPM was a disaster area. The
company spent 100% of its time chasing down social issues and insanity in the
community and never figured out how to make money, or at least, it took them
FOREVER to figure that out.

Years ago, they introduced "orgs" which they sat there and explained to me
with slides and pictures and concepts and business bullshit for an hour. I did
not understand a thing they'd said. Finally, they were like "We're selling
private namespace in the npm registry for blessed packages for groups or
businesses." I understood that. If they'd just said that up front....

They had some great people, some very smart folks like CJ, but they completely
biffed every business decision they ever made, and when you'd go in and talk
to the leadership, they were always acting as if they had some sort of PTSD
from the community. I mean, people were putting spam packages in NPM just to
get SEO on some outside webpage through the default NPM package webpages.
People were squatting and stealing package names. Leftpad... the community
management here is nightmarishly hard, and I was never convinced they'd ever
make money on it. MS doesn't NEED to make money on it. They can just pump in
cash and have a brilliant tool for reaching UX developers around the world,
regardless of whether they use Windows or not.

I feel like the GitHub group at Microsoft is now some sort of orphanage for
mistreated developer tool startups. GitHub had similar management issues: they
refused to build enterprise features at all for years unless they were useful
to regular GitHub.com. And there were other people issues at the top for
years. Chris seemed more interested in working with the Obama administration
on digital learning initiatives than with running GitHub, for example.

~~~
zozbot234
> I mean, people were putting spam packages in NPM just to get SEO on some
> outside webpage through the default NPM package webpages. People were
> squatting and stealing package names. Leftpad... the community management
> here is nightmarishly hard

It's not NPM's fault (well, other than wrt. the leftpad thing), it's all about
the "community". The Javascript open source community is a dumpster fire.

~~~
gedy
Oh please... I’ve solved more customer needs and business value from this
"dumpster fire" than I have with other "real languages" I've worked with in my
career. Give it some credit.

~~~
411111111111111
What does your productivity in js have to do with js having a terrible
community?

~~~
nindalf
Their productivity is directly related to the vast ecosystem of packages
available. Those packages were written and maintained by the community. They
are rebutting the assertion that this community is bad. It can't be that bad
if they're helping millions of developers solve real problems around the
world.

~~~
411111111111111
People can be PTSD-inducingly toxic and still deliver quality code. These
things aren't related.

------
sytse
Someone asked "Would this have made sense for a company like GitLab if they
didn't have the corporate backing of something like MS?" and deleted their
comment while I was writing the answer below:

Being the canonical registry for a language (Rubygems) or technology
(DockerHub) tends to be a huge expense.

The main expenses are cloud costs (bandwidth and storage) and security
(defense and curation).

I've not seen examples of organizations turning this into a great business by
itself. For example Rubygems is sponsored by RubyCentral
[http://rubycentral.org/](http://rubycentral.org/) who organize the annual
RubyConf and RailsConf software conferences.

Please note that running a non-canonical registry is a good business. JFrog
does well with Artifactory
[https://jfrog.com/artifactory/](https://jfrog.com/artifactory/) and we have
the GitLab Package Registry
[https://docs.gitlab.com/ee/user/packages/](https://docs.gitlab.com/ee/user/packages/)
that includes a dependency proxy and we're working on a dependency firewall.

~~~
gramakri
It's a mystery how DockerHub remains free. The network and storage costs must
be massive. Docker also sold its enterprise business, so I am not sure who is
paying for all this.

~~~
diggan
If you're running a package registry, you'd be painfully unaware of your own
requirements if you're using a host/cloud where you need to pay for the amount
of bandwidth.

Hosting a package registry on AWS for example, unless you figure out a way of
seriously reducing the amount of traffic (which seems to be against working
towards making a popular registry), is suicidal because of the bandwidth
costs.

------
montroser
I never quite got a warm-fuzzy feeling from npm -- the tool, the service, the
company. This announcement does nothing to help, from my perspective. Is my
dependency on this or that JavaScript library something that really needs to
be owned by a for-profit company?

I also kind of wonder what is the real value of a centralized repository
versus just directly referencing git repos. I haven't used this gpk[0] project
yet, but it looks like an interesting alternative, on paper.

[0]: [https://github.com/braydonf/gpk](https://github.com/braydonf/gpk)

~~~
Touche
Immutability and semver are the reasons

~~~
montroser
Can't we get all that directly from git repos and signed tags?

~~~
AgentME
People can take down their git repos, or remove branches/commits/tags.

------
animalCrax0rz
This brought up in my mind the thought that, while Deno is still WIP (for
example, packaging of Rust plugins is not yet resolved) and the ecosystem
around it barely exists, it was designed to have no dependency on 3rd party
tools like npm and yarn.

~~~
jakear
It also provides none of the benefits of npm/yarn. In my understanding it’s as
if every package you used pinned all of their deps.

~~~
Tistron
Wouldn't you just include a file by its minor version like this:

    import * as E from 'https://cdn.jsdelivr.net/npm/fp-ts@2.5/lib/Either.js';

Whenever you `--reload` you'll get the latest 2.5.x release, no?

This should work out recursively for all the deps if they follow the same
pattern, no?

~~~
Tistron
This seems to be what is suggested as per
[https://dev.to/pika/introducing-pika-cdn-deno-p8b](https://dev.to/pika/introducing-pika-cdn-deno-p8b)
that was posted by somebody else.

~~~
jakear
I wasn't aware of the semver URL scheme, but it just brings more problems.

At this point they've just replaced `npm` with `pika` and expect people to
think it's an improvement to not have a centralized file containing package
dependencies and the last resolved versions of packages. Criticisms:

1. Updating dependencies becomes much more of a diff (every file that uses it
needs to be updated). The alternative solution to this is creating a single
`packages.ts` file that imports all the external deps, and all your modules
import from there. Which is just `npm` with more steps.

2. No lock file. I saw them present this at tsConf and I believe the original
idea was that this wasn't needed because the URLs are the lock, but as you
point out in practice people use URLs that aren't unique identifiers. This
means no way to guarantee that all developers or even users of the project
have the same dependency state. This will be a massive pain for debugging and
maintaining packages. (Edit: see below, you can lock deps (unclear exactly
how) - but only if you pay them!)

Looking at the Pika home page, they tell me I can build and release without a
bundler.... so you're telling me that they expect people to put out production
software that downloads its dependencies at runtime and thus:

- Is unstable because if they use the semver-URL scheme you mentioned and a
patch version comes out that breaks the website, all users are instantly
broken instead of the internal build being broken.

- Is unstable because if a dependency/host goes offline, all users are broken
instead of an internal build being broken (think leftpad but much worse as
your users are instantly impacted, likely before you even know about it)

- Is insecure because if a host is malicious, they can choose to supply
different packages for a small subset of the requests, such as those coming
from govt. requests against political targets, hosted build machines, etc. and
nobody will have any way of knowing because there's no lock file/integrity
hashes.

I further see on the Pika CDN page that they share packages _across websites_.
This seems to be a massive security flaw, as websites are able to modify
these packages and now those modifications will apply to all websites using
the package. It's prototype pollution-as-a-feature!

Oh, and at the bottom of the page:

> Want to get more out of Pika CDN? The CDN will always be free, but you can
> also access paid, production features like:

> Granular Semver Matching & Version Pinning

> ...

So base features that are the core of working with npm/yarn/any modern package
manager are a paid feature in Pika.

I'll pass.

~~~
animalCrax0rz
That's mostly unintended FUD (but still FUD) or problems that can be worked
around:

<< - Is unstable because if a dependency/host goes offline, all users are
broken instead of an internal build being broken (think leftpad but much worse
as your users are instantly impacted, likely before you even know about it) >>

So you don't recall Leftpad?

<< - Is insecure because if a host is malicious, they can choose to supply
different packages for a small subset of the requests, such as those coming
from govt. requests against political targets, hosted build machines, etc. and
nobody will have any way of knowing because there's no lock file/integrity
hashes. >>

Are you kidding me?

[https://www.zdnet.com/article/microsoft-spots-malicious-npm-...](https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/)

------
mtm7
Out of curiosity, what benefits does Microsoft/GitHub get from owning a
package registry? I'd be fascinated to learn more about their long-term
strategy here.

~~~
jawns
Others have commented on why the acquisition makes strategic sense from a
technological perspective, but I think it's also important to consider how it
makes strategic sense from a psychological perspective. For a long time, devs
loved bagging on Microsoft. I once saw some Microsoft guys demo something cool
at a conference, and they had to basically apologize that they were from
Microsoft, because dev sentiment toward the organization was so negative, even
though they were doing cool stuff.

The acquisition of GitHub was absolutely intended to capture a tool/ecosystem
that developers liked using and benefit from that positive sentiment. That's
why Microsoft has been so cautious about branding GitHub as a Microsoft
property out the gate. It's trying to ease devs into the idea that the company
is something devs can like, and I wouldn't be surprised if this psychological
strategy is at work with the npm acquisition, too.

~~~
janee
> capture a tool/ecosystem that developers liked using and benefit from that
> positive sentiment

So...appeal to devs, something something, money??

I really like how MS are improving our tools and embracing open source, I
really do. But I've never quite understood how the return on investment in
these things justifies the cost. I just struggle to see an obvious big picture here.

I.e. is it incorrect to think of the GH acquisition as mostly an azure
marketing expense?

~~~
nindalf
I have a limited understanding of this but I think the goal is to have a
complete developer ecosystem. When most software was deployed to Windows
desktops, they owned the developer environment - Visual Studio.

Now most software is written and deployed on the cloud, but not their cloud.
But they could make the dev experience compelling and easy - write your code
in VS Code, which automatically integrates with Github. Github is mostly free
until you're a large company so why not use it. Of course you need to run CI
and Github makes that easy so go ahead and add a single file to configure
that.

Now you have a build artifact ready to deploy on github. Would you like to
click a single button and have that deployed to Azure? They'll also throw in
monitoring if you do it. Azure bills are the pot of gold at the end of the
developer experience rainbow.

But this is just speculation. I don't understand business very well.

------
rl3
Curious world we live in, where the infrastructure behind so many OSS projects
can simply be _acquired_.

What's preventing the dream of decentralization from taking off? We have the
technology.

~~~
mjibson
Money prevents it. It takes money to host things and pay people to work on
infrastructure. While people often volunteer to contribute to OSS products
because they like or use them, not many are willing to write infrastructure
that can handle this kind of traffic in their spare time. Even if you can find
someone to donate the time, you'd still need to fund that infra in some way.
Having an infra company (say, Google donates a bunch of GCP credits) to cover
the hosting costs still puts the project at risk if the host company decides
to stop funding.

~~~
pluc
Whatever happened to people hosting things on an old computer in their
basement? That used to be a more popular thing back in the days before the
cloud came about and before we had these stable broadband connections.
Obviously an infra like npm couldn't deliver with such a setup but at scale,
who knows.

~~~
whoopdedo
Was that ever really a thing though? When I dig through my memory (and READMEs
on old hard drives) I see a lot of .edu addresses. Seems the good-old-days of
the internet wasn't about hosting things on an old computer in your basement
but rather hosting things on an old computer in your school's basement.

And around the time when home connectivity became good enough that people
considered home hosting was also around the time Slashdot was created.

~~~
lwh
Many early dial-up ISPs offered static IPs for hosting FTP/HTTP/SMTP/MUDs etc.

~~~
benibela
Or you could host with the ISP

I had a members.aol.com/benibela site or something

------
doctoboggan
Question from a new JS developer: Should I be using NPM to manage my
dependencies?

I have recently started getting into JS programming. I have thus far avoided
NPM, because I've been trying to use CDNs for all my external dependencies.

My thinking is that it saves me bandwidth costs and potentially saves my
user's bandwidth as well if they get a cache hit.

I get the downsides are that I don't control the CDN and they could go
offline, but honestly I expect I am much more likely to go down from some
mistake in my own deployment rather than a well known CDN being offline.

I am wondering if I am missing something though, because absolutely every JS
package I read about suggests you use NPM (some also link a CDN, many don't).
Should I be using NPM to manage my JS dependencies instead of using CDNs?

~~~
giantDinosaur
IIRC it turns out the cache hits from CDN'ed Javascript files ended up being
fairly low and negligible, due to how many different versions there are of
everything. Better just reduce the file size.

~~~
doctoboggan
I feel like bootstrap and jquery stand a decent chance of being cached in a
large enough portion of the user base.

And even ignoring my user's bandwidth, it would still save me significant
bandwidth (depending on the size of my website).

I guess eventually your site might grow such that your dependencies are not a
significant portion of your total download size, but I am not currently there.

~~~
giantDinosaur
Do you 'feel like' or do you actually know? It's important to make decisions
based on actual data. I haven't researched it in depth, but if these asset
sizes matter to you, then it is worth researching.

------
fzil
dang, Microsoft going around acquiring dev tools like it's a Monopoly game

~~~
pezo1919
Same feeling. Next ecmascript might be called Microscript. :)

~~~
wp381640
It's called Typescript

~~~
tobyhinloopen
It’s called a joke

------
Pmop
I don't have a good feeling about this kind of centralization.

------
pavlov
“DEVELOPERS DEVELOPERS DEVELOPERS!” — Steve Ballmer, 2000

~~~
DeathArrow
Too bad he didn't act on it. He was just talking...

~~~
toyg
He didn't say _which_ developers though. Arguably, Office and enterprise
developers have been served fairly well even during his tenure. As long as you
colored between the lines, the experience was alright.

------
judge2020
I hope this only goes as far as being able to sign up with and link a GitHub
account to NPM. Any tighter integration seems like it would be in bad faith,
in terms of allowing integration with other git services/non-GH package
hosting.

~~~
ocdtrekkie
On the contrary, I'd vastly prefer if a package repository required the source
be hosted within the same account (even if just a mirror) that is offering the
package, so that they can verify the authenticity/reproducibility of anything
inside.

~~~
snazz
Isn't that kind of the point of the GitHub Package Registry?

~~~
ocdtrekkie
Presumably a good reason to push NPM over to it.

------
rhacker
They just made Github teams free, so I imagine npm private repos are next?

~~~
dcchambers
I think they've indicated that the plan is to make NPM the ultimate public JS
package registry and move paid plans to GitHub Packages.

See Nat's original words about the acquisition:
[https://github.blog/2020-03-16-npm-is-joining-github/](https://github.blog/2020-03-16-npm-is-joining-github/)

GitHub Teams get 2GB of free private package storage (unlimited for public
packages)
[https://github.com/features/packages](https://github.com/features/packages)

He did mention that they were using their enterprise customers to subsidize
the cost to allow them to offer Teams for free, so maybe if they get enough
enterprise customers using GitHub Packages we might see unlimited free private
packages for individuals/teams. I don't see a ton of value for GitHub/MS in
that situation, but maybe.

------
aforty
I like how Microsoft basically just acquired a whole slew of open source tools
and no one seems to notice or care.

~~~
metreo
Why should anyone? Open source has always been about freedom. MS hasn't
acquired the tools to my knowledge, they've acquired popular infrastructure
built around tools. Anyone can still start GutBub based on the same `git`
source tomorrow if they wanted.

To be sure a lot of this may be about talent as well. They may need to be
liked in the community otherwise they have a hard time hiring top talent. They
are buying a community since they probably couldn't build it themselves.

~~~
frandroid
Because open source has always been defined in its very definition by its
definition to the for-profit software industry, which Microsoft basically
invented? Because in spite of having made a turn towards open source,
Microsoft once treated it like a mortal enemy, akin to cancer? Because of how
other large companies like Google have smothered open source projects?

I'm personally not worried about the acquisition (I think it's a net positive
for the community), but there are plenty of reasons to discuss this
interaction.

~~~
DeathArrow
Even people change, why do you find it weird that companies change?

> Because in spite of having made a turn towards open source, Microsoft once
> treated it like a mortal enemy, akin to cancer?

MS was in the business of selling operating systems and desktop software. Not
only did they realize that open source doesn't threaten that territory (remember
the year of the Linux desktop?), but they've changed the revenue model and are
making much more money now from selling services than by selling software.

>Because of how other large companies like Google have smothered open source
projects?

Why should we judge what one company does based on what another company does?

I am sure no company does something for "good of humanity" but to earn money.
What matters is if in the process of making money, they also do good things or
bad things.

Microsoft has stopped doing bad things and started doing good things. I only
hope more companies will follow.

~~~
frandroid
Parent was saying "why discuss this at all?" and I'm saying here are some
reasons! And you're doubling down while... having the discussion. Case closed.
:)

------
wp381640
I'd say the three biggest namespaces in dev are github, npm and docker hub -
will Microsoft go 3 for 3?

Docker Hub feels a bit neglected - it could be aliased to
docker.pkg.github.com and that'd be a huge improvement

~~~
paxys
Docker is definitely getting acquired in the near future, and Microsoft is as
good a guess as any.

~~~
jillesvangurp
Yep. IMHO if Google wanted to make a move here, now would be a good time.
And as the creators of Kubernetes, they have some nice incentive to try to
stay relevant.

MS gobbling this one up would not be a big surprise.

------
kalium_xyz
NPM is joining GitHub => NPM has joined GitHub

------
chvid
It would be nice to have free private npm repositories like the free private
github repositories ...

------
asiachick
Hopefully they'll revisit the decision to allow ads in install scripts that
NPM sanctioned.

------
anm89
Npm has joined Microsoft _

~~~
mythrwy
Great. They deserve each other.

------
SenHeng
I'm curious what's the roadmap for the npm CLI tool. Any word?

------
tobyhinloopen
If you cannot beat them, buy them.

------
bamboozled
Which is now owned by Microsoft? :)

------
sdan
Next is pypi

~~~
brian_herman
I really hope so. There is probably a bunch of malware on there that people
don't even know about. When is the last time that place has been audited? I
don't blame them; they are probably running with limited funds, etc...

------
metreo
What does that do for overall code quality on GitHub I wonder?

~~~
RussianCow
Why would it have any effect on that?

~~~
metreo
Isn't npm like a dumping spot for pretty much anything javascript good, bad
and ugly?

~~~
beefalo
Pretty much all of the code was already on github

