Now Ponder Mistakes: NPM's heavy-handed management prompts JS code registry challenger

Contender hopes to one day become the preferred Node.js Package Manager

The recent management change and layoffs at JavaScript accessory outfit NPM Inc prompted several former employees to speculate that the company's alleged union-busting push toward profitability may well spur the creation of competition.

The Register was also told to pay attention to JSConf EU in June as a possible launchpad for an NPM Inc rival.

There's no need to wait that long. On Wednesday this week, Victor Bjelkholm, a Swedish developer based in Barcelona, introduced the Open-Registry, an "NPM registry replacement with a proper community governance."

It's the first of what we're told are several ventures born of blowback from NPM Inc's attempted transition from investment crematorium to cash cow.

NPM Inc provides a vital function for developers who use JavaScript, Node.js, and related technologies: it maintains a registry for many of the modules a developer might want to import into a project to avoid the tedium of reinventing existing code. While it's certainly possible to scour the internet for importable code modules, it's much easier to simply run the command npm install <module name>. Hence, NPM Inc serves up billions of downloads a month, and has become an important part of the JavaScript community.

NPM, the company, provides npm, client software to access the NPM Public Registry. There are other package management clients like Facebook's Yarn that also access the NPM Public Registry. The Open-Registry aims to provide an alternative backend, though initially it will merely mirror the NPM Public Registry.

For Bjelkholm, the contentious layoffs last month are not really his primary motivation for creating the Open-Registry, though NPM Inc's missteps played a part in the decision.

"It's something that has been brewing in my mind since about three-to-four years ago, when the whole left-pad thing happened (and also since NPM made the code for the registry closed-source)," he explained in an email to The Register. "My initial attempt was a project called everythingstays.com which is no longer under development or maintained. Then I moved on to other things. But the recent layoffs certainly gave me additional motivation and validation that Open-Registry is needed."

Bjelkholm said he's observed a trend "where companies embrace open source until they need to turn a profit and then turn their back on their users/community to be able to 'extract more value' from the users."

For this reason, he believes open source infrastructure that developers depend on should remain open source and must be as transparent as possible. The Open-Registry, he said, represents an attempt to solve this problem by relying on the community for governance from the outset. His hope is that as long as the project fulfills a positive role in the community, donations will make the project sustainable.

Bjelkholm acknowledges that the JavaScript community may not immediately embrace the Open-Registry, but he's in no hurry. He anticipates there will be other attempts to create JavaScript package registries, and he's OK with that.

"One part of the plan is to enable federation and decentralized hosting of the packages," he said. "So from Open-Registry, you'll see software that enables people to really easily start their own registries, either for themselves, for their community or their company."

Right now, the Open-Registry proxies the NPM registry, but at some point, the hope is enough developers will participate to allow independence.

"Serving content as a proxy from NPM is just a migration step to allow developers to move to Open-Registry today without sacrificing anything," said Bjelkholm. "We plan to build a registry that focuses on security and transparency for its users, with things such as public metrics of all sorts (including finance), cryptographically signed packages and possibly a build server to have reproducible builds from source to built package."

The Register invited Oakland-based NPM Inc to comment but we've not heard back. ®
