NPM staff fired after trying to unionize – complaints (theregister.co.uk)
206 points by adamnemecek on Apr 23, 2019 | hide | past | web | favorite | 53 comments

All of the drama around the npm firings has sparked an interesting discussion in the JS community: does it even make sense to trust a for-profit corporation with the world's supply of JS?

One of the creators of unpkg.com is considering a fork of the registry: https://twitter.com/mjackson/status/1119355707055165441

Meanwhile, yarn (a popular alternative to the npm client) uses a proxy to NPM so they can change the default registry of all yarn clients, if they choose to.

As it stands, npm is the centralized source of truth for all our JS packages, and historical versions. We have no guarantees about the future of npm. Aside from a relatively clean history, we have no reason to trust them. For every dollar of VC money that they have taken, we have a reason to believe the registry won't last in its current form. This is scary.

>does it even make sense to trust a for-profit corporation with the world's supply of JS?

No. Javascript, despite its flaws, was already one of the freest, easily accessible and deployable programming languages in existence. It flourished throughout the web without any gatekeepers or centralized authority, and it never needed the ecosystem of overwrought complexity and BS that it has.

Not only does it not make sense for NPM to have de facto control over that language through a single, proprietary registry and a single package manager, it further makes no sense that in the intervening years, with all of the issues NPM has had, no serious attempt at competition or re-decentralization of the JS community has even been attempted.

Unfortunately, I feel like the baby has long ago been thrown out with the bathwater, and NPM's ubiquity and network effect has made it "too big to fail," despite failing constantly. Maybe we can just start over once NPM has finally burned to the ground and taken the web with it.

I feel this is proved false by history, if npm wasn't needed because everything was fine, it wouldn't have flourished.

You seem to assume that all successful projects succeed on their own merit in a fair market, but that's not always the case. NPM's success is due in large part to enterprise investment and hype. Part of the reason for enterprise investment is controlling costs by not having to train or recruit developers for another language besides Javascript, which was already commonplace.

And even if NPM did solve a needed problem, better solutions cannot be considered due to those entrenched business interests and the extreme centralization of the javascript community, not because NPM is already the best possible solution to whatever problems it claims to solve.

JQuery was revolutionary in its own time, but you didn't see a JQuery Foundation serving all JQuery plugins from a closed repository through a buggy package manager that everyone was expected to use. It is possible to innovate and not monopolize, but what NPM has done, at best, is monopolize innovation and stop it dead in its tracks.

It flourished because it is installed by default and thus became the defacto standard.

There is a talk from Nodejs' creator where he mentions one of his biggest regrets about Node is that he made NPM the default.

"Apart from a clean history..." is a pretty strong caveat.

Our times are seeing a breakdown of trust. News media, companies, and politicians are considered corrupt by default. Yet trust is the single most important ingredient to organize a complex society.

Those advocating to "trust no one" always have complex theories on how some organization's incentives are corrupting them: "they only want to print the news that benefits their advertisers" etc. But such accusations are easy to make and essentially impossible to prove if you just discount the evidence that is historic behavior. Scientists are also just "in it for the money" even when they have tenure (global warming), charities "have their own motives to exaggerate", and so on.

If NPM turns to the dark side, the impact on any individual user of their repository is likely to be minimal, and barriers to switching to some other repo are minimal. So at least from the users’ perspective, the downside of extending them a bit of trust seems to be limited.

I always star the main packages I use on GitHub but I realize I'm missing out on the required packages being used as well. It would be nice if an alternative sprung up that was p2p truly decentralized by developers and intertwined with where developers typically host their repositories.

What does starring on GitHub accomplish? Isn't it just like a bookmark?

It's sometimes used as a proxy to signal how "important" and "popular" something is.

> All of the drama around the npm firings has sparked an interesting discussion in the JS community: does it even make sense to trust a for-profit corporation with the world's supply of JS?

Don't we do the same with other companies such as RedHat?

How open is NPM's infrastructure? Can it be forked?

> Don't we do the same with other companies such as RedHat?

Not really. While most major Linux distributions are managed by for-profit companies, there's enough of them to provide legitimate competition and something you can call an open market.

With NPM, there's yarn, but not really, since that's only the client. For all intents and purposes, distributing a Javascript library is only realistically possible through NPM right now.

Also, better comparisons are perl, python, ruby, etc. Many other languages have centralized package repositories, but they aren't controlled by a for-profit, venture-backed company.

I'm sympathetic to the idea that npm inc's model is a new way to develop and operate a language's repo sustainably. Python, for example, has struggled to get the resources to evolve theirs. I'm not sure npm's approach is working well in practice, though.

"Potential threat" trading in modern world is ridiculous. Why doesn't it smell ultra iatrogenic for anyone?

i·at·ro·gen·ic (ī-at'rō-jen'ik), Denoting response to medical or surgical treatment, usually denotes unfavorable responses.

NPM Inc. last raised a Series A round in April 2015. Now, 4 years later, they still have no business model, no revenue and no more funding. Even in their very limited space there are competitors that perform better (Yarn).

At this point it's clear that a union isn't going to save NPM. The company is really in no position to guarantee anyone anything.

I was shocked to see CJ was terminated. When I heard that, I knew NPM was over. She's brilliant, and the idea of them throwing her overboard is a sure indication that they're doomed. It's like the Angels firing Mike Trout, the Warriors laying off Steph Curry, or someone firing Tiger Woods. It's a total sign of NPM giving up.

It's noteworthy though that they were able to operate for 4 years with a small 8 million series A round.

Since NPM is so essential to the Javascript ecosystem, it's interesting to consider a hypothetical bankruptcy. I'm sure someone big would buy them, or they could pivot to a non profit with a crowd funding/donation based model.

The ideal scenario would be NPM existing as a foundation rather than a for-profit company. The more likely one is them folding and Facebook taking over as the source of truth for JS packages, which is bad for everyone.


Any kind of fork/split led by a company like Facebook would be highly controversial and come with lots of drama.

This would inevitably spark a non-profit community driven alternative and cause chaos.

All outcomes would be very damaging to the JS ecosystem though.

(also, I don't see FB having any interest in running the Javascript package registry. Yarn and its proxy are really just a result of limitations and slowness of the official implementations)

It would be darkly hilarious if NPM gets bought out by a state actor, although Facebook would be nearly as bad.

Doubly hilarious if that state actor wasn't the US or one of its close allies.

We already know that maintainers of widely-used NPM packages are being approached and offered money by people with dubious intentions. I may not agree with many of NPM's decisions, but if NPM does fall over and a malicious party takes over its functions, web development is looking at a security catastrophe.

If the financial incentive for malicious actors already represents an issue today, in that there are attempts to gain control of numerous packages, imagine what the combined financial incentive would be to take over the whole index.

web development is looking at a security catastrophe

Which in the long run should highlight the dangers of centralization with a single point of failure. We need to move back toward a decentralized web!

Couldn't hear you over my gig of Google Fonts downloading, one more time?

As evv brought up [1], it's rather concerning that the cornerstone of the JS ecosystem is a for-profit organization (especially one lacking in a source of aforementioned profit). I wonder if their bankruptcy might not be the worst thing for the community, in the long term - it would certainly discourage relying on a single fallible repository in the future.

[1] https://news.ycombinator.com/item?id=19725139

The only alternatives to a single source of truth repository are

A) multiple large, competing repositories

B) a distributed system like Go which relies on just a path to the source repository

Both of those suck. A) is messy and confusing, B) has a whole host of problems (no immutability, no reliability and assurance that the code will be here tomorrow, mandatory vendoring, ....).

Sure, a community driven non profit foundation in charge would be ideal, but a single source of truth, even if for profit, is much better than the alternatives.

I strongly prefer Go's "option B" over node_modules. Your concerns (immutability, reliability, and general code existence) are handled by vendoring. Vendoring has the added benefit of enabling project builds without additional HTTP dependencies; entirely avoiding the "left-pad" problem class. I wish my NPM projects were so easy.

There are other models. CPAN, for instance, has worked incredibly well for its audience for 25 years and counting.


But, unless I'm missing something, CPAN is a centralized registry, just like npm?

I was more getting at the governance model. You didn't say this, but the direction of the discussion seemed to be that centralized metadata == for-profit.

> The master CPAN site is hosted by Phyber in Los Angeles,

Agreed. Maybe he meant the mirrors and how you could use them interchangeably?

But that would be strange too, considering it's just as easy to create your own npm mirror as well

C) Content addressing, Torrent/IPFS style.

JS devs keep downloading and redownloading the same stuff all over again, all the time; maybe it's time they gave some bandwidth back.

A union might not save NPM, but mistreating their employees is a surefire way to guarantee failure.

That's something you want to believe, but it's not true. Lots of companies that have abusive practices are trucking along just fine.

Selectively firing people may actually improve morale for the obedient types. Think about it, you follow all the written and unwritten rules, you always step back, you don't cause dissent - what do you get in return? Well, you don't get fired. But if nobody ever gets fired for these reasons, you're going to feel like a sucker.

In the US there's still this myth of the "disruptive innovator" who naturally breaks all the rules and yet redeems himself as a worker unit, despite all the issues they're causing. In Japan or Korea by contrast, none of this would fly. Obedience is a must. There's no space for disruption. Would you deny the success of Korean or Japanese businesses?

> That's something you want to believe, but it's not true. Lots of companies that have abusive practices are trucking along just fine.

Indeed. And it's much worse outside our industry. Hearing stories from friends and family who work regular jobs (i.e. not specialized, well-paid, in high demand) is what makes me convinced unions are a must.

I thought their business model was supposed to be private repository hosting.

That said, with the existence of Verdaccio allowing companies to run private repositories within the firewall and at no cost beyond infrastructure, who is paying for private npm?

It (npm's) was really quite expensive last we looked, at least for our devs.

If my company's slack is anything to go by, the user administration process leaves a lot to be desired as well.

Two things: It's npm Inc and yarn isn't a competitor to npm Inc. It's at best an alternative to the npm cli client.

I was doing some research recently on various private NPM registry implementations. My company wanted a way to share internal libraries and frontend apps in their local network. I was surprised to find out how poor most of the options were. I ended up settling on Azure DevOps (self-hosted) but an open-source fork of NPM wouldn't be the worst thing in the world. If the infrastructure went down tomorrow I'm sure most people could switch to Yarn without too much trouble.

>If the infrastructure went down tomorrow I'm sure most people could switch to Yarn without too much trouble.

Generally true, except in the case of private scoped NPM packages. AFAIK if you want to switch to the yarn registry then you need to add exceptions that map your scoped package names to repositories that you host elsewhere.

There's no such thing as a yarn registry. The uri is just a CNAME to npm Inc.

If npm is down, so is yarn. Yarn's registry url is just a CNAME to npm Inc's registry.

smart-private-npm is nearly API-compatible, I've been using it for years.

Wow, the Nodejitsu vs NPM, Inc drama[0] was nothing compared to this. Why isn't the Node.js foundation managing the registry?


I think Microsoft will step in and buy NPM Inc.

It’s such an obvious ecosystem complement to Github and the Atom+VSCode editors they already own.

They’re probably just waiting for a better price when the VCs on NPM’s board get impatient.

I know running a registry isn't easy. I was wondering: can GitHub handle this kind of thing as the backbone of a registry?

I think CocoaPods used GitHub as their backbone.

2016: https://news.ycombinator.com/item?id=11245652

It's pretty shoddy journalism for the title of the article to assert this as fact even though it's just an allegation that hasn't even been investigated yet.

Could you please stop posting unsubstantive and/or uncivil comments so we don't have to ban you again?

But they did investigate. They interviewed sources who confirmed that unionizing was planned before people were fired, which is the title. And they read the lawsuit and talked to the lawyers, who obviously said the same thing.

The title allows the reader to infer a causation that hasn't been proven or investigated. Given that the people making the allegation are bitter ex-employees who have a financial incentive for it to be true, it's an allegation that should be met with a healthy dose of skepticism.

You probably don't see the bias in the article because you support unionization. If the article was instead titled "Sexual harassment complaints double after NPM staff unionize," you'd probably be complaining about bias the same as I am.

> You probably don't see the bias in the article because you support unionization.

Erm, yeah, I'm not sure where to begin with this other than a "people in glass houses" style comment.

I don't support unionization, for at least a couple of reasons[1], yet I still can't see where you're coming from with these assertions.

[1] I don't think either is relevant to this discussion.
