Return of the JSedi: After being ousted from NPM Inc, former CTO is back with rival package registry Entropic

CJ Silverio floats open-source federated approach to save JavaScript community from corporate clutches

CJ Silverio on stage at JSConf EU 19

After being ousted late last year as CTO of JavaScript package registry NPM Inc in a management shakeup, CJ Silverio on Saturday unveiled a self-hosted federated package registry called Entropic that she hopes will serve the JavaScript community better than her former employer's technology.

It is the third such effort to emerge since March, when clashes between NPM Inc's newly appointed management and employees led to layoffs and complaints by axed employees alleging union busting. The first was developer Victor Bjelkholm's Open-Registry. The second was Microsoft's GitHub Package Registry.

Entropic, developed with the help of colleague Chris Dickinson, follows from Silverio's concern that a for-profit company controls a vital piece of JavaScript infrastructure: the npm package registry, which is used by millions of developers and apps, and serves billions of package downloads a week.

The npm system consists of four parts: a registry, which is a database listing the 700,000 or so packages available to JavaScript developers; a repository that stores those packages; a command-line interface (CLI) for interacting with the registry; and a set of APIs that define the available commands. NPM Inc controls the centralized registry and repository, while the CLI and the APIs are open source, which is why alternative npm clients such as Yarn exist.

Former staff have another idea

In a presentation at JSConf EU in Berlin, Germany, provided to The Register over the weekend, Silverio delved into the history of Node.js, the popular JavaScript runtime, and how its creator came to regret integrating a centralized, privately-controlled module repository, specifically the node package manager or npm.

NPM Inc, she said, "controls all JavaScript development, because all JavaScript development proxies through it willingly."

Silverio described the JavaScript commons as both the language spec, governed by Ecma International Technical Committee 39, and the shared code for JavaScript and Node.js. That includes libraries and packages for adding useful functions to web apps, as well as larger projects like Babel, webpack, TypeScript and React.

"The registry that lists all of this shared code is also part of our commons," she said. "It’s how we share all that stuff with each other, how we find it. Another thing that’s part of our commons is the set of conventions we’ve evolved around that – the ways we agree to name and update the things we share. But all of that is wholly owned by a VC-funded private company. This is the thing we’ve given away."

In light of NPM Inc's need to return money to investors, Silverio said the company cannot be trusted to put the JavaScript community's interests ahead of its own.

"NPM does not love you," she said. "NPM cannot love you. NPM, Inc is a Delaware corporation founded as a financial instrument intended to turn money into more money for a handful of men."

Pointing to the recent layoffs that even NPM Inc has admitted it handled poorly, Silverio said the Oakland-headquartered biz cannot be trusted because the community has no way to hold it accountable for its actions.

Not just about the money

And she fears the company's actions will not be aligned with the interests of the JavaScript community because it has to focus first on profitability. So sought-after features like package signing aren't likely to be developed because they won't make money, she said. What's more, she doubts the company will show any interest in reducing client interactions with its backend because every network interaction generates potentially valuable data.

"Every time you run an audit, NPM gets a look at your package-lock file, chock-full of interesting data nuggets about what you’ve been up to," she said.
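As an added illustration of the data-exposure point Silverio makes (example code, not Entropic's or NPM Inc's own), the function below walks a constructed package-lock.json and lists what an outside party could learn from it: the full dependency inventory, the registry hosts in use (including any private ones) and organisation-scoped package names. The lockfile layout follows the lockfileVersion 1 "dependencies" map; the sample project, hosts and hashes are constructed placeholders.

```javascript
// Constructed sample lockfile (lockfileVersion 1 layout); not a real project's file.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: "4.17.1",
      resolved: "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      integrity: "sha512-CONSTRUCTED",
      requires: { "body-parser": "1.19.0" },
    },
    "body-parser": {
      version: "1.19.0",
      resolved: "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "@acme/billing-core": {
      version: "2.3.0",
      // A private registry host (constructed) reveals internal infrastructure.
      resolved: "https://npm.internal.example.com/@acme/billing-core/-/billing-core-2.3.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
});

// Recursively walk the "dependencies" tree (nested entries hold de-duplicated
// copies) and collect the inventory that leaves the machine with the file.
function lockfileExposure(lockText) {
  const lock = JSON.parse(lockText);
  const packages = new Map(); // "name@version" -> resolved URL
  const hosts = new Set();    // every registry host referenced
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      packages.set(`${name}@${meta.version}`, meta.resolved || "");
      if (meta.resolved) hosts.add(new URL(meta.resolved).host);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return {
    project: `${lock.name}@${lock.version}`,
    packageCount: packages.size,
    packages: [...packages.keys()].sort(),
    registryHosts: [...hosts].sort(),
    // Scoped names (@org/...) often identify the organisation behind the project.
    scopedPackages: [...packages.keys()].filter((k) => k.startsWith("@")),
  };
}
```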

Entropic, available under the open-source Apache 2.0 license, aims to provide an alternative, one that is trustworthy because everyone runs their own repository.

"Entropic is federated," Silverio explained. "You can depend on packages from any other Entropic instance, and your home instance will mirror all your dependencies for you so you remain self-sufficient."

She added that the software will mirror any packages installed by a legacy package manager, which is to say npm. As a result, the more developers use Entropic, the less they'll need NPM Inc's platform to provide a list of available packages.

At the moment, the project is suitable for those interested in improving the code. In time, she hopes it will become robust enough for the broader developer audience.

Silverio argues that the coming decade will bring more federation, which distributes costs, after years of consolidation and monolithic services.

"We should not be owned by a single company, and we shouldn’t let that company control our destiny," she concluded. "We need to take back control. I’d like us all to rebuild the future together." ®

PS: NPM Inc has a new CTO: Ahmad Nassri.

Biting the hand that feeds IT © 1998–2019