
The Economics of Package Management - Osmose
https://github.com/ceejbot/economics-of-package-management/blob/master/essay.md
======
bmalehorn
This is a nice article, with a comprehensive if long history of npm and node.

I agree with the author that there will one day be a reckoning with npm, inc -
they'll shut down abruptly, or do something people are really unhappy with.

However, I'm afraid the package manager proposed at the end will have a lot of
trouble gaining traction. It sounds like package maintainers will have to port
their packages to the new package manager. Worse, developers won't be able to
build, say, React until all 1000 of its indirect dependencies have been
ported.

This will take a gargantuan effort to port over, all to avoid a vague future
threat. I know it's "the right thing" to use this more decentralized system,
but I can't see us getting to there from here with all the pain in between.

I think this is a more likely outcome:

1. npm, inc does a bad thing that makes people angry
2. A community-governed, charity-hosted registry appears. This registry includes everything in registry.npmjs.org, plus exclusive packages
3. users and authors switch to new community registry

In fact, we may already be poised for this coup. Did you know that 1/3 of all
package installations go through registry.yarnpkg.com?

~~~
allannienhuis
I noticed in TFA:

    Entropic will mirror all packages you install from the legacy package manager.

Not sure what that exactly means, but it _sounds_ like it will proxy packages
from npm in some manner.

------
tannhaeuser
Yeah, the economic situation of npm, Inc. is worrisome (not acutely to the
best of my knowledge, but structurally so). What they do is try to sell npm
enterprise with private, company-internal repos, but why don't they attempt a
business model where they mediate F/OSS (or similar licensed code) to
commercial users, handing out most of the money to the developers, and keep
something for themselves? If _they_ can't do it, github (MS) might be (right
now, though, there's only github marketplace for github.com, and GH sponsors),
or github might actually buy them. If they _don't_ attempt to go into other
markets, npm, Inc. is susceptible to turn to the dark side by e.g. limiting
access to the registry, injecting ads (like SourceForge were doing), flooding the
registry with dubious packages and sell security screening to enterprises, or
whatever. Not saying they will! But, pessimistically, these are the incentives
another group of investors might have when making the current owners an offer
for npm, Inc.'s assets.

Couple notes regarding TFA:

- Author rightly points out to look at a company's incentive; what are their
incentives to release a new package manager?

- "Javascript commons" is a bad term; node.js' API is based on CommonJS [1],
and these two are too close; besides, "JavaScript" is trademarked

[1]: [http://wiki.commonjs.org/wiki/CommonJS](http://wiki.commonjs.org/wiki/CommonJS)

------
jpochtar
I think I'm out of the loop... can someone fill me in on relevant NPM drama?
Are they monetizing successfully? Unsuccessfully? Unethically?

~~~
nstart
Catching up on this as well. More chatter going on on
[https://twitter.com/hashtag/npmlayoffs?src=hash](https://twitter.com/hashtag/npmlayoffs?src=hash).
Interesting conversations around the future of Node and the incredibly close
tie-in it has to npm. More interesting conversations around the treatment of
human beings who worked there.

