The Economics of Package Management
This is a nice article, with a comprehensive if long history of npm and node.
I agree with the author that there will one day be a reckoning with npm, inc - they'll shut down abruptly, or do something people are really unhappy with.
However, I'm afraid the package manager proposed at the end will have a lot of trouble gaining traction. It sounds like package maintainers will have to port their packages to the new package manager. Worse, developers won't be able to build, say, React until all 1000 of its indirect dependencies have been ported.
This will take a gargantuan effort to port over, all to avoid a vague future threat. I know it's "the right thing" to use this more decentralized system, but I can't see us getting to there from here with all the pain in between.
I think this is a more likely outcome:
1. npm, inc does a bad thing that makes people angry
2. A community-governed, charity-hosted registry appears. This registry includes everything in registry.npmjs.org, plus exclusive packages
3. Users and authors switch to the new community registry
In fact, we may already be poised for this coup. Did you know that 1/3 of all package installations go through registry.yarnpkg.com?
Yeah, the economic situation of npm, Inc. is worrisome (not acutely, to the best of my knowledge, but structurally so). What they do is try to sell npm enterprise with private, company-internal repos, but why don't they attempt a business model where they mediate F/OSS (or similarly licensed code) to commercial users, handing out most of the money to the developers and keeping something for themselves? If they can't do it, github (MS) might (right now, though, there's only github marketplace for github.com, and GH sponsors), or github might actually buy them. If they don't attempt to go into other markets, npm, Inc. is susceptible to turning to the dark side by e.g. limiting access to the registry, injecting ads (like SourceForge was doing), flooding the registry with dubious packages and selling security screening to enterprises, or whatever. Not saying they will! But, pessimistically, these are the incentives another group of investors might have when making the current owners an offer for npm, Inc.'s assets.
Couple notes regarding TFA:
- Author rightly points out that one should look at a company's incentives; what are their incentives to release a new package manager?
- "Javascript commons" is a bad term; node.js' API is based on CommonJS [1], and these two are too close; besides, "JavaScript" is trademarked
I think I'm out of the loop... can someone fill me in on relevant NPM drama? Are they monetizing successfully? Unsuccessfully? Unethically?