Now Ponder Mistakes: NPM's heavy-handed management prompts JS code registry challenger
Contender hopes to one day become the preferred Node.js Package Manager
The Register was also told to pay attention to JSConf EU in June as a possible launchpad for an NPM Inc rival.
There's no need to wait that long. On Wednesday this week, Victor Bjelkholm, a Swedish developer based in Barcelona, introduced the Open-Registry, an "NPM registry replacement with a proper community governance."
It's the first of what we're told are several ventures born of blowback from NPM Inc's attempted transition from investment crematorium to cash cow.
NPM, the company, provides npm, client software to access the NPM Public Registry. There are other package management clients like Facebook's Yarn that also access the NPM Public Registry. The Open-Registry aims to provide an alternative backend, though initially it will merely mirror the NPM Public Registry.
For Bjelkholm, the contentious layoffs last month are not really his primary motivation for creating the Open-Registry, though NPM Inc's missteps played a part in the decision.
"It's something that has been brewing in my mind since about three-to-four years ago, when the whole left-pad thing happened (and also since NPM made the code for the registry closed-source)," he explained in an email to The Register. "My initial attempt was a project called everythingstays.com which is no longer under development or maintained. Then I moved on to other things. But the recent layoffs certainly gave me additional motivation and validation that Open-Registry is needed."
Bjelkholm said he's observed a trend "where companies embrace open source until they need to turn a profit and then turn their back on their users/community to be able to 'extract more value' from the users."
For this reason, he believes open source infrastructure that developers depend on should remain open source and must be as transparent as possible. The Open-Registry, he said, represents an attempt to solve this problem by relying on the community for governance from the outset. His hope is that as long as the project fulfills a positive role in the community, donations will make the project sustainable.
"One part of the plan is to enable federation and decentralized hosting of the packages," he said. "So from Open-Registry, you'll see software that enables people to really easily start their own registries, either for themselves, for their community or their company."
Right now, the Open-Registry proxies the NPM registry, but the hope is that at some point enough developers will participate to allow independence.
"Serving content as a proxy from NPM is just a migration step to allow developers to move to Open-Registry today without sacrificing anything," said Bjelkholm. "We plan to build a registry that focuses on security and transparency for its users, with things such as public metrics of all sorts (including finance), cryptographically signed packages and possibly a build server to have reproducible builds from source to built package."
The Register invited Oakland-based NPM Inc to comment but we've not heard back. ®