GitHub's NPM acquisition sparks Microsoft-related worries
GitHub's acquisition of NPM will bring two prominent open source players together under the Microsoft umbrella. But moves like this tend to cause concern for some observers.
GitHub plans to invest immediately in NPM's registry infrastructure and platform, improve the user experience and engage with the community, according to GitHub CEO Nat Friedman.
In addition, GitHub will further integrate GitHub and NPM to improve the security of the open source software (OSS) supply chain and enable developers to trace a change from a GitHub pull request to the NPM package version that fixed it.
Meanwhile, GitHub will continue to support NPM's paying customers who use NPM Pro, Teams and Enterprise to host private registries. However, later this year GitHub will enable these customers to move their private NPM packages to GitHub Packages, Friedman said.
In addition, Friedman and NPM founder Isaac Schlueter said the NPM public repository will remain free and available to all.
Microsoft comes calling
Still, there's something about Microsoft having its hands in the open source world that tends to prompt uncertainty, and even outright skepticism, in some quarters -- despite Microsoft having been largely hands-off with GitHub since acquiring it in 2018.
Many in this camp, including German developer Jerome Dahdah, sounded off to this end on Twitter.
- hosts the entire open-source ecosystem via @GitHub
- has a presence on a huge portion of developer machines via @code
— Jerome Dahdah (@parasight) March 16, 2020
Dahdah did not respond to a request for an interview.
At least it's not old Microsoft owning it all
— Regan Lawton (@ReganLawton) March 16, 2020
A foregone conclusion?
Others see the NPM acquisition as an inevitable, pragmatic move.
"From labor issues, to long-term business model questions, to staff departures, NPM has had questions swirling around it in recent quarters," said Stephen O'Grady, an analyst at RedMonk in Portland, Maine. "For a platform as strategic to many developers' workflows as NPM, that's not a good place to be. In GitHub, NPM will find a home that has shown a much-improved recent ability to innovate at velocity and an organization that is about the developer experience."
The deal makes sense for GitHub, too, according to Thomas Murphy, an analyst at Gartner.
"They [GitHub] have a strong investment into Node.js as a whole and have been investing into package management, and it fits to the secure code pipeline direction," Murphy said.
However, more cynical observers might worry that NPM could adopt a TypeScript front end and eventually package only TypeScript code.
"That seems like a stretch and is unlikely," Murphy said. "If they did that, people would just use a different package manager."
In addition, there's nothing to stop someone else from going out and creating an alternative to NPM -- other than the financial and awareness-building challenges involved with doing so.
"Control of anything open source is a somewhat tenuous reality these days," Hammond said. "Look at Google working to exert control over Knative over the past six months -- I think they are struggling to do so."