Of immediate concern for developers: “npm will always be available and always be free,” wrote Nat Friedman, CEO of GitHub. Paid npm features for Pro, Teams, and Enterprise customers for hosting private repositories will continue to be supported.
Public code repositories are critical infrastructure, and maintaining code repositories in a reliable and trustworthy way can be challenging and expensive, said Brian Fox, co-founder and CTO of Sonatype. Sonatype maintains Maven Central, a repository for Java components. GitHub has the resources to invest in robust and stable infrastructure, thorough vetting of software packages, and integration into GitHub's other services.
Once the acquisition is complete, GitHub plans to invest in the registry infrastructure and platform and make improvements to enhance the core experience, Friedman said. Much of the work will be a continuation of what the npm team had already started with the npm v7 CLI, such as the new Workspaces feature and improvements to multi-factor authentication.
“If you’re going to do this thing, [a package manager], do it right,” Schlueter wrote, noting that the package manager needs to be integrated with the registry “in a very deep way.”
The acquisition also cements Microsoft's role in the application security ecosystem. GitHub has been expanding its security offerings, such as built-in security advisories and automated dependency updates via Dependabot.