Today, news broke that GitHub and its parent company Microsoft acquired npm and its public repository of open source JavaScript packages.
In 2018, when Microsoft acquired GitHub, many in the developer community had a cautious, even emotional response. Given today’s announcement that GitHub is acquiring npm, the same concerns are likely to surface again, since JavaScript is one of the world’s most popular programming languages and since the commons of the global JavaScript community reside within the fabric of npm.
On one hand, such concern is understandable. After all, open source projects are created by the community and they exist to serve the community. I can imagine the argument going like this, “npm as the central repository of JavaScript can only provide value if the community at large trusts those who are responsible for running it.” But what is “trust”? And how do public repositories like npm, Maven Central, or even Microsoft’s NuGet gallery go about earning the trust of a global developer community?
At Sonatype we’ve been the stewards of the Central Repository (Central), the world’s largest component repository of Java and other JVM related components, since 2007. Based on this experience, I’ve learned firsthand how challenging it can be to serve as the steward for a public repository. I know how hard it is to gain and keep the trust of millions of open source software developers. In my humble opinion, earning trust starts with “picking up a shovel” and solving a problem on behalf of a community to help it grow and flourish. Community trust is further amplified when you can muster enough resources to solve the same problem in a reliable and scalable manner over a period of many years.
But, here’s the thing; operating a public repository in support of millions of developers isn’t easy or free. It requires dedicated and experienced engineers and it costs money. And you have to be very careful not to screw things up -- because if you do -- all the trust that you’ve worked so hard to earn can disappear in a second.
Through my years of supporting Maven Central, I have come to understand the critical role that public repositories play in supporting global developer communities. I’ve also come to understand how hard it is to do this job well 24x7x365. For this reason, I can fully understand why it made sense for Microsoft, GitHub, and npm to partner together.
Public repositories are critical public infrastructure because they greatly reduce the work required to distribute software to millions of developers. If you have something to share with the world, put it in Maven Central or npm, distribute the coordinates, and in minutes millions of developers have access to the library and the ability to accelerate innovation.
To understand the massive scale of these public repositories, consider the following. In 2019, Maven Central served more than 226 billion download requests to more than 12 million Java developers. By comparison, npm served more than 64 billion download requests in January alone to more than 11 million JavaScript developers.
The sheer size of these repositories and the volume at which they serve components to developers speak directly to why it can be so challenging (and expensive) to maintain them in a reliable and trustworthy way.
Separately, it is sobering to look at what's going on with application security today, and how bad actors are aiming supply chain attacks at public repositories with the likes of typosquatting, malicious injection of vulnerabilities, and the non-immutability that we saw with LeftPad or, more recently, the Actix web application framework.
True stewardship and robust guardrails can be tricky to impose at scale - but it's an extremely important responsibility. Critical infrastructure needs to be in good hands. We’re proud of the work we do every day in support of the global Java community. We know the folks at npm feel the same way about the great work they’ve done over the years in support of the JavaScript community. We wish them the best in their new partnership with GitHub and Microsoft.