One of the creators of unpkg.com is considering a fork of the registry: https://twitter.com/mjackson/status/1119355707055165441
Meanwhile, yarn (a popular alternative to the npm client) uses a proxy to NPM so they can change the default registry of all yarn clients, if they choose to.
As it stands, npm is the centralized source of truth for all our JS packages, and historical versions. We have no guarantees about the future of npm. Aside from a relatively clean history, we have no reason to trust them. For every dollar of VC money that they have taken, we have a reason to believe the registry won't last in its current form. This is scary.
Not only does it not make sense for NPM to have de facto control over that language through a single, proprietary registry and a single package manager, it further makes no sense that in the intervening years, with all of the issues NPM has had, no serious attempt at competition or re-decentralization of the JS community has even been attempted.
Unfortunately, I feel like the baby has long ago been thrown out with the bathwater, and NPM's ubiquity and network effect has made it "too big to fail," despite failing constantly. Maybe we can just start over once NPM has finally burned to the ground and taken the web with it.
JQuery was revolutionary in its own time, but you didn't see a JQuery Foundation serving all JQuery plugins from a closed repository through a buggy package manager that everyone was expected to use. It is possible to innovate and not monopolize, but what NPM has done, at best, is monopolize innovation and stop it dead in its tracks.
There is a talk from Nodejs' creator where he mentions one of his biggest regrets about Node is that he made NPM the default.
Our times are seeing a breakdown of trust. News media, companies, and politicians are considered corrupt by default. Yet trust is the single most important ingredient to organize a complex society.
Those advocating to “trust no one” always have complex theories on how some organization’s incentives are corrupting them: “they only want to print the news that benefits their advertisers” etc. But such accusations are easy to make and essentially impossible to prove if you just discount the evidence that is historic behavior. Scientists are also just “in it for the money” even when they have tenure (global warming), charities “have their own motives to exaggerate”, and so on.
If NPM turns to the dark side, the impact on any individual user of their repository is likely to be minimal, and barriers to switching to some other repo are minimal. So at least from the users’ perspective, the downside of extending them a bit of trust seems to be limited.
Don't we do the same with other companies such as RedHat?
How open is NPM's infrastructure? Can it be forked?
Not really. While most major Linux distributions are managed by for-profit companies, there's enough of them to provide legitimate competition and something you can call an open market.
I'm sympathetic to the idea that npm inc's model is a new way to develop and operate a language's repo sustainably. Python, for example, has struggled to get the resources to evolve theirs. I'm not sure npm's approach is working well in practice, though.
At this point it's clear that a union isn't going to save NPM. The company is really in no position to guarantee anyone anything.
Any kind of fork/split led by a company like Facebook would be highly controversial and come with lots of drama.
This would inevitably spark a non-profit community driven alternative and cause chaos.
All outcomes would be very damaging to the JS ecosystem though.
If the financial incentive for malicious actors already represents an issue today in that there are attempts to gain control of numerous packages, imagine what the combined financial incentive would be to take over the whole index.
Which in the long run should highlight the dangers of centralization with a single point of failure. We need to move back toward a decentralized web!
A) multiple large, competing repositories
B) a distributed system like Go which relies on just a path to the source repository
Both of those suck. A) is messy and confusing, B) has a whole host of problems (no immutability, no reliability and assurance that the code will be here tomorrow, mandatory vendoring, ...).
Sure, a community driven non profit foundation in charge would be ideal, but a single source of truth, even if for profit, is much better than the alternatives.
Agreed. Maybe he meant the mirrors and how you could use them interchangeably?
But that would be strange too, considering it's just as easy to create your own npm mirror as well
JS devs keep downloading and redownloading the same stuff all over again, all the time; maybe it's time they gave some bandwidth back.
Selectively firing people may actually improve morale for the obedient types. Think about it, you follow all the written and unwritten rules, you always step back, you don't cause dissent - what do you get in return? Well, you don't get fired. But if nobody ever gets fired for these reasons, you're going to feel like a sucker.
In the US there's still this myth of the "disruptive innovator" who naturally breaks all the rules and yet redeems himself as a worker unit, despite all the issues they're causing. In Japan or Korea by contrast, none of this would fly. Obedience is a must. There's no space for disruption. Would you deny the success of Korean or Japanese businesses?
Indeed. And it's much worse outside our industry. Hearing stories from friends and family who work regular jobs (i.e. not specialized, well-paid, in high demand) is what makes me convinced unions are a must.
That said, with the existence of Verdaccio allowing companies to run private repositories within the firewall and at no cost beyond infrastructure, who is paying for private npm?
Generally true, except in the case of private scoped NPM packages. AFAIK if you want to switch to the yarn registry then you need to add exceptions that map your scoped package names to repositories that you host elsewhere.
It’s such an obvious ecosystem complement to Github and the Atom+VSCode editors they already own.
They’re probably just waiting for a better price when the VCs on NPM’s board get impatient.
You probably don't see the bias in the article because you support unionization. If the article was instead titled "Sexual harassment complaints double after NPM staff unionize," you'd probably be complaining about bias the same as I am.
Erm, yeah, I'm not sure where to begin with this other than a "people in glass houses" style comment.
I don't support unionization, for at least a couple of reasons, yet I still can't see where you're coming from with these assertions.
I don't think either is relevant to this discussion.