Microsoft’s GitHub is snapping up node packpage manager (npm), with plans for integration between the platforms. In a blog post, GitHub CEO Nat Friedman announced the news, but did not share a purchase price.
“npm is a critical part of the JavaScript world. The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million packages with 75 billion downloads a month,” he said. “Together, they’ve helped JavaScript become the largest developer ecosystem in the world. We at GitHub are honored to be part of the next chapter of npm’s story and to help npm continue to scale to meet the needs of the fast-growing JavaScript community.”
Despite the acquisition, Friedman reassured users that it will not be shuttering npm and that it will always remain free. The focus instead is a three pronged approach: improve the core experience, engage with the community, and improve the registry infrastructure and platform.
“We will work to improve the everyday experience of developers and maintainers, and support the great work already started on the npm v7 CLI, which will remain free and open source,” Friedman said. “Some bigger features that we’re excited about are Workspaces and improvements to the publishing and multi-factor authentication experience. “
This announcement could also shed some light on Microsoft’s activity in recent times. In January, it pointed out an npm package that has been stealing the data of UNIX users. GitHub also previously introduced the ability to publish npm packages. It makes sense that it would look closely at a platform it’s planning to acquire, but users will want to know what GitHub is planning to do to improve safety going forward.
From 2019-2020, npm had 595 security advisories, for a total of 1,285. Previously, malicious packages have been used to steal cryptocurrency, developer credentials, and more.
Freidman admits that security will be a focus in the future. This will come partially from the GitHub integration, which will let you trace a change from a GitHub pull request to the resolution. It will also be looking at measures it recently launched on its own platform, such as the GitHub Security Lab and built-in security advisories.
Essentially, this purchase could lead to significant improvements in the open-source community, and Microsoft has a good track record with Typescript. Still, while GitHub remains a separate entity from its parent company, there will always be those who view it as another step away from decentralization.
