GitHub's NPM acquisition sparks Microsoft-related worries

GitHub's acquisition of NPM will bring two prominent open source players together under the Microsoft umbrella. But moves like this tend to cause concern for some observers.

GitHub's acquisition this week of NPM Inc., a prominent player in the JavaScript ecosystem, has sparked both worry and welcome from users of the ubiquitous programming language.

The company hosts Node Package Manager, which is home to more than 1.3 million JavaScript packages and sees 75 billion downloads a month. Over the last 10 years, NPM and its ecosystem of hundreds of thousands of open source developers, contributors and maintainers have helped to make JavaScript the largest developer ecosystem in the world.

Because NPM hosts such a huge JavaScript package registry, some showed concern that the deal means GitHub's parent company, Microsoft, ultimately "owns" or controls the future of JavaScript. GitHub and NPM officials' initial remarks on the deal seemed to anticipate such worries.

"We at GitHub are honored to be part of the next chapter of npm's story and to help npm continue to scale to meet the needs of the fast-growing JavaScript community," said Nat Friedman, CEO of GitHub, in a blog post. Terms of the deal weren't disclosed.

GitHub plans to immediately invest in NPM's registry infrastructure and platform, improve the user experience and engage with the community, according to Friedman.

In addition, GitHub will further integrate GitHub and NPM to improve the security of the open source software (OSS) supply chain and enable developers to trace a change from a GitHub pull request to the NPM package version that fixed it.

Meanwhile, GitHub will continue to support NPM's paying customers who use NPM Pro, Teams and Enterprise to host private registries. However, later this year GitHub will enable these customers to move their private NPM packages to GitHub Packages, Friedman said.

In addition, Friedman and NPM founder Isaac Schlueter said the NPM public repository will remain free and available to all.

Microsoft comes calling

Still, there's something about Microsoft getting its hands into the open source world that tends to prompt uncertainty and even outright skepticism in some -- despite Microsoft having been largely hands-off with GitHub since acquiring it in 2018.

Many in this camp, including German developer Jerome Dahdah, sounded off to this end on Twitter.

Dahdah did not respond to a request for an interview.

To back up his claim, Dahdah added bullet points noting that Microsoft hosts much of the open source ecosystem via GitHub, now hosts most of the JavaScript ecosystem via NPM, has a presence on a huge portion of developer machines via Visual Studio Code and is changing how developers write JavaScript via TypeScript, a superset of JavaScript. The tweet garnered a slew of responses supporting Dahdah's position, but also some that cast the acquisition in a more positive light.

A foregone conclusion?

Others see the NPM acquisition as an inevitable, pragmatic move.

"From labor issues, to long-term business model questions, to staff departures, NPM has had questions swirling around it in recent quarters," said Stephen O'Grady, an analyst at RedMonk in Portland, Maine. "For a platform as strategic to many developers' workflows as NPM, that's not a good place to be. In GitHub, NPM will find a home that has shown a much-improved recent ability to innovate at velocity and an organization that is about the developer experience."

In a blog post, Schlueter said GitHub was the best place for NPM to land because the company could maintain its principles, while having more resources to serve the JavaScript community.

The deal makes sense for GitHub, too, according to Thomas Murphy, an analyst at Gartner.

"They [GitHub] have a strong investment into Node.js as a whole and have been investing into package management, and it fits to the secure code pipeline direction," Murphy said.

It would be an overstatement to say Microsoft now has an iron grip on JavaScript, a view that is rooted in fear among those who remember the time when Microsoft was openly hostile to open source, Murphy added.

"How you package for Node.js is hardly controlling the future of JavaScript," he said. "Microsoft does have a large play in JavaScript as a whole, but it is an open community."

Microsoft will likely make use of tooling for TypeScript to simplify package creation, Murphy added. But even here, the TypeScript influence is more of a coding issue, in that once the developer compiles their code, they are running JavaScript.

However, more cynical observers may worry that NPM may start to use a TypeScript front end and then only package things in TypeScript.

"That seems like a stretch and is unlikely," Murphy said. "If they did that, people would just use a different package manager."

The acquisition also ties into GitHub's effort to get its GitHub Packages service off the ground, said Jeffrey Hammond, an analyst at Forrester Research. Consolidating that work with NPM gives GitHub a good leg up on all the Node work that's going on with JavaScript developers. Node, for example, is one of the most popular runtimes for function as a service (FaaS) workloads; companies such as Netflix and Google have looked to Node.js for their FaaS efforts.

As for control, "I certainly think it gives them a seat at the table, but Facebook also has a say given the rising popularity of React.js and Google has its say with Angular," Hammond said. React is a JavaScript library for building user interfaces that came out of Facebook, and Angular is a TypeScript-based app framework that came out of Google.

In addition, there's nothing to stop someone else from going out and creating an alternative to NPM -- other than the financial and awareness-building challenges involved with doing so.

"Control of anything open source is a somewhat tenuous reality these days," Hammond said. "Look at Google working to exert control over Knative over the past six months -- I think they are struggling to do so."
