Hacker News new | past | comments | ask | show | jobs | submit login
NPM CEO Bryan Bogensberger Resigned (prnewswire.com)
137 points by fharper 54 days ago | hide | past | web | favorite | 100 comments

I’m fascinated by the fact that while node has become a new standard in the industry , and the project is receiving lots of supports from all sorts of companies ( IBM , Microsoft etc...) absolutely no discussion has been opened about how much at risk the JavaScript ecosystem actually is with « npm » and it’s weekly dramas

Not a month pass without something going wrong inside of inc, millions of developers are dependant on it but nothing seem to worry people...

There has been. CJ Silverio gave a talk on that topic at JSConf this year: https://www.youtube.com/watch?v=MO8hZlgK5zc

See also Entropic as a possible alternative to NPM: https://github.com/entropic-dev/entropic

For context: Entropic was started by several former npm Inc core developers including CJ who left the company after the CEO change was announced internally. CJ herself is the former CTO of npm Inc.

Basically most of the top developers have left the company, others were laid off. It seems to be only a matter of time until none of the people working on npm a year ago remain.

i doubt entropic will become sth significant. it already lost the momentum it seems.

Yes. The Node ecosystem is a huge liability just waiting to happen. Any organization that depends on NPM is making a huge gamble. You can do a lot to mitigate this (private NPM repo, locks) but the reality is that the dependency chains are dangerous. Is someone in an organization going to audit all of those dependencies? Especially under the circumstances where they've been declared without an explicit version (>, >=, <, <=, ~, ^, 1.2.x, *).

As someone who has no insight into the Node/NPM/JS world, how is this different from Python's PyPi, which I would think suffers the same issue?

Mechanically, I believe the main difference is that NPM corresponds to PyPi + pip; it's both registry and repository. PyPi is Python's official package repository and pip's default source, but it's not pip's only possible source. If someone pulls code off PyPi, pip can still link to it elsewhere.

When the left-pad debacle [1] broke major packages, the triggering event was that NPM-the-registry took a module name away from a developer and gave it to a company (which held it as a trademark). He got mad and took all his code off NPM-the-repository, including left-pad. To settle the chaos, NPM had to restore the deleted code against the developer's wishes - even though his code was still available on GitHub.

Realistically, though, that would still cause some chaos and it doesn't seem to be the key difference. The more important differences are legal and practical.

npm, inc. is a private company, while PyPi (via Warehouse) and pip are both open-source and donation funded. Even if npm doesn't get up to anything malicious, they depend on keeping their registry and repository unified, and they're more likely to attract and buckle under trademark suits than PyPi.

Even more importantly, npm modules are tiny. PyPi packages and Ruby gems may be single-purpose, but they usually do something which isn't completely trivial, and common functions like math libraries are built into larger packages. npm left-pad was 17 lines of string-padding code that almost anyone could write. Other modules are even sillier; isArray has millions of weekly downloads for what is effectively a single line of code. Blank npm templates have tens of thousands of files loaded even before you start coding.[2] So fundamentally, a big part of the issue is just that node projects tend to pull in 10x or 100x more dependencies than most other projects.

[1] https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

[2] https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how...

I think the problem is that NodeJS has a weird culture where a separate package is created for every little thing, then tons of other packages start depending on it.

I don't live in NodeJS world but even I heard about package Left-Pad, that all it does is padding string from the left side. The author decided to pull it out from the repo rendering tons of other packages nonoperational[1].

[1] https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

It wouldn’t surprise me to learn that this is ultimately due to how little the JS standard library actually does.

It is.

Though ES2017 added a number of string operations, including String.prototype.padStart.

The number of packages you need to audit for what would otherwise seem to be a trivial feature is exponentially larger in JS world than in Python. A good example of that is the left-pad debacle, wherein a package that left-pads a string was taken down, causing other packages - notably React - to fail to be installed because of either direct or transitive dependencies.

In the Python world, it is indeed likely that unpublishing requests will cause issues, but the number of dependencies you'd need to audit/vendor is _much_ smaller for a typical python app than it is for a typical nodejs app, so your "attack surface" is also comparatively much smaller.

Python has a standard library that is not horribly anemic, and, as far as I know, there isn't anywhere near the same propensity to atomize packages. NPM is infamous for having stupidly small packages like isEven or leftPad, and monstrous transitive dependency trees.

A large Python package might have fewer than 10 dependencies, while a typical JS package easily has hundreds if not thousands of dependencies. Its much easier to manage your dependencies when you can count them on your fingers.

Difference in approach to libraries and the standard library.

NPM/Node is very much a "we only provide the bare minimum for a language, everything else must be implemented on your own." The JavaScript stdlib is very small (not that weird when you consider it's originally a language to do stuff with in your browser).

The result is that a lot of "simple" functionality that most languages would put in the stdlib (left-pad is the most infamous example) has to be reimplemented by library developers. Now because programmers are for the most part not interested in copying the same code over and over, this means that these simple functionalities end up on the npm, which are then used in somewhat bigger libraries, right up until you essentially create a massive dependency chain for each major library, since the dependencies for that library rely on other dependencies and so on so forth.

This sounds interesting in theory, but in reality this almost always means that if one thing in this chain breaks (for example a "simple" library introduces a breaking change but doesn't properly adhere semantic, since nobody enforces semantic on the npm although it's recommended), essentially the entire chain is broken and the top level library stops functioning as well.

And then you end up with packages such as left-pad, which provide simple functionality that is almost universally needed for almost all major libraries. Now the last thing you want to have happen here is that the maintainer either removes or breaks the package, since this essentially results into a dependency hell cascade as suddenly several millions of packages are broken.

Python on the other hand has probably one of the biggest standard libraries I've seen in a programming language, and the difference is outstanding. Most PyPi libraries are moreso focused on adding specialized features or simplifying otherwise lower level libraries into more higher level ones (ie. requests is really nothing other than a really good wrapper around urllib). There's very few "simple functionality" libraries for PyPi, since most of this functionality is already in the standard library. Usually if a library that is "simple functionality" isn't in the standard library, it's because it changes too often (standard library is mainly for unchanging code. eg, requests) or is still somewhat specialized (ie. sqlalchemy or a couple of validator packages I use).

There's pro's to Nodes approach (ie. you're generally not locked down to a single approach), but generally Pythons approach on library management is better in my opinion.

The people that would care the most are mostly immune to npm issues.

Privately hosted npm repos, checked-in to version control systems, etc.

There are plenty of solutions if you don't like npm. However, they carry the traditional costs of managing dependencies; if you want super super super easy above all else, that's what npm does.

I don't think that's accurate. Most devs and thus companies treat NPM as a utility. Maybe very large companies would not feel it, but if NPM went down tomorrow there would be utter chaos on the internet.

There would be chaos, just not for FAANG.

Someone upthread asked "why is NPM different from PyPi/pip in this?"

There are lots of practical answers - PyPi is open source, Python packages aren't so fragmented, and so on. But honestly, a huge part of the difference is that PyPi has sponsors like PyPi and AWS using its baseline implementation. NPM's private repository system means the public system just doesn't have that kind of pressure on it.

I would be deeply surprised if AWS teams use public pypi. Much more reasonable would be to mirror public packages they use internally.

What if a minor version change contains a relicensing of the library, for instance?

Good point. Presumably they're fixing versions, even companies on public registries should do that to avoid re-licensing issues, but it'd be an unreasonable legal & security risk.

I guess my broader thought was that PyPi is a more reliable free offering than NPM because it's not focused on a 'premium' version for the biggest users. But that's different than AWS - presumably they're sponsoring it in a broader "making development accessible is good for AWS" sense.

It's funny because reflecting on this thread later, I got what you were getting in that: the mere fact that NPM offers a private registry means that they are having to split focus on the two offerings. I completely agree in that sense!

Honest question, is it that much better in other communities? In particular, it's there anything inherent to npm that's problematic or is it just that a huge community with a Unix mindset (small packages that does one thing well) is problematic?

Lack of a large enough standard library is a big differenciating factor, as it makes you very dependent on third party libraries.

Even if you avoid it by creating your own utils, chances are that the creators of the large packages you use (like a database manager or a rest framework) will depend directly or indirectly of those third party tools.

No other package manager is run by a VC backed startup. That's inherently problematic and means the registry is in the hands of a company that could be killed off or sold at any moment because it needs to make massive profits (without having any way to truly make a profit in the first place) to continue to exist.

It was a problem in otherwise very successful perl's CPAN. I don't recall any "dramas", but because of a huge number of dependencies installing Catalyst had a low change of going right the first time. But! Because of the test everything culture and CPAN testers effort broken modules were very rare. So after you managed to set up your system and had a long walk while tests would run it was guaranteed to work. More or less.

Any community dependent on a particular repo is at risk. I'd argue that RubyGems is just as risky as NPM, for example.

The problem is that there's no good fix or alternative, it's hard to avoid a single point of failure.

There is actually a lot of discussion about this. There is also a lot of work going into different approaches to solve this.

For example Frea. It's a conservative approach for incrementally federating the package registry and you can start using it today. It's ready for all your traffic.

website: https://freajs.com

how it works: https://docs.google.com/presentation/d/16pxrYfpxxKRzhpMM0zZV...

Why was this downvoted?

People care. Developers have limited registry options due to lock-in. Creating effective security processes across a massive ecosystem of open source developers is a difficult problem. Registries can't easily create security practices that fit into a heterogenous pool of oss governance and development models. Especially when implementing more rigorous security has the potential to diminish their network effects and developer productivity. Curious to see how npm, GitHub Package Manager, and others address these issues.

Under Bryan Bogensberger's leadership, npm lost:

- its CTO

- its COO co-founder

- some fantastic people in the JavaScript community

- a federal labor dispute

- its culture

- its reputation

- its business model to Github

"But other than that, how was the play, Mrs. Lincoln?"

And he has only been CEO for eight months (January 2019).


To be fair, people started leaving last year when the leadership change was first announced internally.

Don't know if they lost anything at all to GitHub (yet).

But let's see how Entropic and GH package registries turn out.

They had a business model?

They sell “organizations” for $7/month which gives you private packages, and also https://www.npmjs.com/products/enterprise

I always assumed their business model was "Stay afloat till $BIG_CORP acquires us".

I think that is still the business model. The $7 /mo for enterprise is the "Stay Afloat until..." part of that business model

It's obvious to me that Microsoft will end up buying NPM Inc.

Why? They already own Github which is about to reduce NPM to “feature, not product” status

Why did Facebook buy WhatsApp, or Oracle buy Peoplesoft?

Typically: to enhance their offerings, remove a competitor, or shut it down.

best comment!

I wish companies would do away with the "leaving to pursue other opportunities" nonsense and just give no reasons if they don't want to discuss it.

No C-level exec resigns "effective immediately" without either a transition plan in place or something concrete lined up. I get wanting to allow him to say he resigned instead of he was fired, but the silly language of the press release just makes it worse.

> I wish companies

Because it's not a soap opera and you're not owed anything about the personal business of other people. As an individual, I have every right to control the narrative for why I've left a company (assuming nothing illegal).

That's my whole point. I fully understand not wanting to air everyone's laundry. I'm just suggesting that nobody is buying their silly lies, so if they think they are "controlling the narrative" they are sorely mistaken.

Everyone knowing he's lying is probably a better PR situation than everyone knowing the truth.

It's sad that we tolerate such blatant lies as normal.

You're not tolerating anything, you weren't entitled to know in the first place.

Can't agree more!

Sure but at a certain point it just harms your credibility if instead of owning up to the incredibly bad mistakes you still pretend you're only leaving because the grass is greener elsewhere.

I know it's standard business procedure to outright lie about these things but it becomes farcical when you basically sink an entire company and then get to "resign" and pretend it's not because you did a terrible job.

I agree with someone else comment in this news about the fact that his reputation will be intact that way for people who didn't know about the situation at npm. As much as I don't like this at all and I hope I would never lie in a situation like that, it's unfortunately a good PR move to do it like this...

> Sure but at a certain point it just harms your credibility

Only if it's a recurring issue. People can be a horrible contributor at Company A and a rockstar at Company B - should my entire future be anchored because of a single event? No thanks.

> I know it's standard business procedure to outright lie about these things

This is just silly. It's no different than how anyone reacts in any non-professional setting. Do you tell everyone in your life about every fuck up you make? So why expect that from our professional peers?

Maybe “he wants to spend more time with family”?

This is my favorite excuse in sports because they "retiree" almost always comes back out of retirement which leads me to believe they've had enough time with their family.

> they've had enough time with their family

As a parent of two very lively small boys, I can say that "enough time with family" is a thing.

Moreover, "enough time with" anything you don't normally get enough time with can lead a person to change their mind. We're human -- we can re-arrange our priorities but not our time, so we make decisions and are allowed to change our mind. I have no doubts there's more at play here, but a C-level exec leaving for no particular reason after years of grinding seems perfectly reasonable to me.

Nico Rosberg, springs to mind. Not racing again, but he does like to show his face at the races a lot.

He is working for Sky as a commentator at races. Doing the occasional TV commentary is a lot less time consuming, is a lot less stressful, and allows a lot more family time, than driving for the #1 F1 team, against arguably the best F1 driver off all time in Lewis Hamilton

I think there is something to it but I think being a driver, especially as Hamilton's teammate, is all-consuming and super stressful. I think now he can do what he wants when he wants without much pressure. He seems to enjoy the spotlight so that's what he does.

IIRC Rick Moranis basically quit acting to be with his family and Elton John has specifically stated he drastically scaled down to raise his children.

Urban Meyer


Retires from head football coach at University of Florida.

"I know it is time to put my focus on my family and life away from the field."


Becomes the head football coach at Ohio State.


I say this as a bitter Gators fan.

Probably the family had enough of them and kicked them out :-)

Only to get tired of them two weeks later and suddenly find himself with another CEO spot?

Maybe it is true.

"Man I hate this place because ____, and I'd rather spend time with my family."

That doesn't preclude wanting to do other things too.

What difference would that make?

Looks as if he was asked to leave. No surprise given the terrible optics they've been under for the past year. NPM is such a vital tool and I really enjoy using it. I hope their next CEO makes better decisions in regards to the humans who work there. Good luck to all the NPM staff! I'm rooting for you!

From the Register...

"According to people familiar with the matter, Bogensberger was asked to leave by the company's board of directors." [0]

For more context...from Jonathan Cowperthwait, NPM's former vice president of marketing...

"Many of us spent the last year watching our friends and colleagues' struggle through our fingers, but I'm still profoundly confident in the company's ability to turn this around. Sometimes bad executives happen to a good company." [1]

[0] https://www.theregister.co.uk/2019/09/20/npm_ceo_bryan_bogen...

[1] https://www.businessinsider.com/npm-ceo-bryan-bogensberger-r...

Why was he asked to leave? To which “terrible optics” do you refer? Your implied context is opaque.

Here is some background on some of the things that happened while he was CEO: https://twitter.com/fharper/status/1111694552262459393

I'm not sure what conclusions one can draw about the broader NPM culture by reading a single-sided Twitter thread from a disgruntled former employee tweeting about how he lost his job.

I only made it through the first ~10 tweets before clicking out, so maybe there's something I'm missing further in the thread. But to me, it just sounds like what you'd expect from someone being laid off.

It's a little weird that he didn't have a manager who would wish him well on his way out. But that's about it. The bit about a severance with a non-disparagement contract is absolutely standard, not out of the usual whatsoever (especially for a VC backed company like NPM).

His complaint seems to be, not that he was laid off, but that the way it was communicated to him was insensitive.

That's a very common thing, laying people off in an insensitive manner. Lot's of companies (even big massive successful companies) do that all the time.

That doesn't make it right, but, whatever the reasons their board had for letting go of their CEO, laying people off in an insensitive manner is unlikely to be among them.

Actually, it was also about the layoff itself, not just how it happened. At the beginning of the thread, I wasn't to shared details for legal reasons, but it became a NLRB case for union busting. See this article from The Register for more details https://www.theregister.co.uk/2019/04/22/npm_fired_staff_uni...

If you read a little more, you would have seen that it was a case of union busting (which is illegal) that was taken by NLRB. It is just part of what happened.

I don't see anything having to do with union busting, but I'm probably overlooking something.

Maybe I didn't read too far into the thread, but it sounds like they laid off a guy, provided some severance, and there weren't many managers that sent him a goodbye note? I don't see the connection here... what was the bad thing they did?

Yep, no goodbye note was really the highlight of everything that happened at npm in the last couple of months.

This article about union busting https://www.nytimes.com/2019/07/08/technology/tech-companies...

and this one about working conditions at npm https://www.businessinsider.com/npm-employees-open-letter-20...

or The Register who covered mostly everything that happened since the first layoff mentioned in my Twitter thread https://www.theregister.co.uk/2019/04/22/npm_fired_staff_uni...

I don't know anything about NPM's board of directors. I don't know who is on it. So this should not be read as some sort of criticism of them.

But I know there are some boards of directors out there, who would view the ability to bust unions (and get away with it) as a reason to hire, not a reason to fire.

I don't know why they let go of their CEO. I wouldn't assume it was necessarily for any of the reasons you mentioned. It certainly could have been, but it also could very easily have been for completely unrelated reasons.

I completely agree with you on this!

I wasn't mentioning those were the reasons, but that those were part of what happened in the last months.

Try reading that Twitter thread and count the number of times he mentions. "I" or "me" in the same sentence about how it's all about other npm employees and the greater community.

This is a textbook example of if (when!) you get let go you should strongly consider an internet moratorium.

It wasn't just about other employees. I lost my job. I got fired in a shitty way. I lost my income source. I lost a job I love. I lost faith in a company I cared about. I was afraid for the future of the ecosystem and my friends still there (most of them resigned since). It was an emotional moment for me and others. Things can be about others AND you, it's not a zero sum game.

Count for this reply: 9

A friend of mine regularly self-moderates his communications, particularly emails. If there's an "I" (or other personal pronoun) in a sentence, he deletes the whole sentence.

Often his replies are just "Thanks" style... But you know with him it's a very considered reply despite the terseness.

I'd suggest that such copious tweets (& follow up comments here) may very well harm future prospects... As you sow you reap. You need to learn to let things go: particularly in tech.

It's great that you like your (former) fellow employees: make friends with them and network with them. Alternatively, if you wish to make political actions, then undoubtedly you need to be more impersonal: just like the people who were tasked with outing you.

Thanks for sharing your personal opinion, I appreciate.

The fact that I shared my story like I did and doing now was beneficial on all levels for me. I stayed true to my principles and values. I was approach by companies and managers who have the same values also. It helped me go back on my feet emotionally and professionally way more quickly.

My personal take is that whatever you do, no matter if it's about deciding to not care or not say anything, or being vocal, stay true to yourself, and be proud of what you share.

Well, stylistically the first 20 tweets of the Twitter thread read like an introduction to to the story, rather than an actual story (and the rest looks like followup), so that makes for one really confused reading. That's perfectly understandable considering your emotional state at the time, but now that you are a bit more calm, please don't misrepresent this as a brief summary, which is the point of the original question.

Interesting, maybe it was lost in translation as English isn't my first language, but "here is some background" doesn't mean "here is the brief summary" for me. It also doesn't mean here is the complete story and the only truth. Sorry if I wasn't clear. IMHO, I still think that if people take the time to read the thread and the articles written by media like New York Times, The Register and Business Insider, it should give a proper "brief summary" (of what can be said without bringing any legal issues) for the person who asked for it.

(The person you're replying to+ who submitted this article _is_ the person they laid off)

*one of the person who was laid off.

If the context is opaque to you then I would encourage you to read the articles and to read the other comments on this thread.

The comment to which I replied is top-level, and has no prior thread context.

As far as I can tell a bunch of people are upset because they got fired - so what? Companies fire people all the time.

Story is all about his “success” and desire to seek new opportunities- why not a few sentences about the ongoing labor related litigation.

I actually think that litigation is no longer ongoing; Kate Conger from the NY Times is reporting that the case was settled. [1]

Edit: linked article says the case was settled in June. [2]

[1] https://twitter.com/kateconger/status/1175097388253376512

[2] https://www.nytimes.com/2019/07/08/technology/tech-companies...

You are right, a settlement has been made.

It's a press release, not a news article. It only says what NPM Inc. wanted to say, in the way they desired.

Under Bryan's leadership, multiple namespaces (left-pad, etc.) including my own (file-saver) have been wrongly transferred to new owners without authorization from the previous owners.

npm can't handle security, and they have been sorely in need of new leadership for years.

If only there were other dependency management build tools they could use as good examples to emulate....


-1000, I'd guess


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact