The security of the JavaScript software ecosystem will get a significant boost with GitHub acquiring npm, which hosts and maintains the Node package manager and the package registry.
The acquisition will improve the security of the open source software supply chain, wrote Nat Friedman, CEO of GitHub, which was acquired by Microsoft back in 2018. Developers rely on npm to find and install third-party packages—JavaScript code components they can integrate into their code so that they don’t have to replicate functionality someone else already has created. Integrating npm into the GitHub code repository will make it possible to “trace a change from a GitHub pull request to the npm package version that fixed it,” Friedman wrote.
Of immediate concern for developers: “npm will always be available and always be free,” wrote Nat Friedman, CEO of GitHub. Paid npm features for Pro, Teams, and Enterprise customers for hosting private repositories, will continue to be supported.
In the world of JavaScript development, npm is massive: it serves over 1.3 million packages to roughly 12 million developers, and sees 75 billion downloads a month, according to numbers provided by Issac Schlueter, npm’s chief open technology officer. It can be a challenge for an entity to vet every single package to make sure they aren't malicious, and there have been multiple instances in recent months where malicious packages made it into npm. Malicious packages include one that intercepted credentials and another that exfiltrated sensitive information from UNIX systems.
Public code repositories are critical infrastructure, and maintaining code repositories in a reliable and trustworthy way can be challenging and expensive, said Brian Fox, co-founder and CTO of Sonatype. Sonatype maintains Maven Central, a repository for Java components. GitHub has the resources to invest in robust and stable infrastructure, thorough vetting of software packages, and integration into GitHub's other services.
“We’re thrilled for the open source community that this has happened—critical infrastructure must be kept in good hands, and this deal helps ensure that npm can continue to serve the JavaScript community well,” Fox said.
Once the acquisition is complete, GitHub plans to invest in the registry infrastructure and platform and make improvements to enhance the core experience, Friedman said. Many of the work will be a continuation of what the npm team had already started with npm v7 CLI, such as the new Workspaces feature and improvements to multi-factor authentication.
The JavaScript ecosystem “needs a rock-solid registry,” Friedman said, and the investments will ensure npm is “fast, reliable, and scalable.”
Another area of investment is to turn GitHub Packages into a multi-language packages registry fully integrated with GitHub. Once that is done, npm’s paying customers will be able to move their private npm packages to GitHub Packages, leaving npm to be a public registry for JavaScript packages. GitHub Packages is one of the “obvious” areas where npm will make a difference, according to Schlueter.
“If you’re going to do this thing, [a package manager], do it right,” Schlueter wrote, noting that the package manager needs to be integrated with the registry “in a very deep way.”
The combination of npm and GitHub is a logical one, as GitHub’s mission is to eliminate transaction costs in software development, and npm’s founding mission was to reduce friction in JavaScript software development, Schlueter said, who said he will be staying with the npm team post-acquisition.
The acquisition also cements Microsoft's role in the application security ecosystem. GitHub has been expanding its security offerings, such as built-in security advisories and automated dependency updates via Dependabot.
“This isn’t just a good option for the JavaScript community—it’s significantly better than what npm, Inc., can provide on its own,” said Schlueter. “This is the end of ‘npm, Inc.’, the Delaware C Corp. But it’s an exciting upgrade for npm.”