Microsoft-owned GitHub is acquiring JavaScript developer platform npm

Microsoft has announced plans to acquire npm Inc, the company behind popular JavaScript package manager npm.

No details of the amount of money involved have been revealed, nor the timing of the acquisition, but Microsoft says that it plans to integrate npm into GitHub. Both companies feel that the acquisition will help the open source community in general, but the JavaScript community in particular.

News of any acquisition brings with it concerns about changes, but Microsoft says it is looking to invest in and develop what exists rather than just swallowing it up. The company says it will make the necessary investments to ensure that npm is a fast, reliable and scalable registry. Microsoft also says that it will embrace the Workspaces functionality, as well as improvements to the publishing and multi-factor authentication experience.

Importantly, as Microsoft has been doing more and more recently, the company is listening. Microsoft says: “We will actively engage with the JavaScript community to get your ideas and help us define the future of npm”.

Isaac Schlueter, founder and CEO of npm, is upbeat about the future. He writes:

There are not many companies that can claim to have the kind of fanatical commitment to open source that GitHub does. In the track record of Nat and the team he’s assembled, there’s really something special here that I’m thrilled to be a part of.

I’ve said countless times before that I wouldn’t let the registry go someplace that won’t take care of it.

As GitHub has branched out into other aspects of the end-to-end developer community experience, it’s natural to see how the JavaScript package management process fits into that story. It’s not a loss leader or an experimental add-on or a way to quickly hire a team. Rather, the npm registry is a significant and concrete strategic asset serving GitHub’s mission of eliminating transaction costs in software development.

That’s important.

In a blog post about the acquisition, Microsoft’s Nat Friedman says:

Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it. Open source security is an important global issue, and with the recent launch of the GitHub Security Lab and GitHub’s built-in security advisories, we are well-positioned to make a difference. In addition, GitHub Sponsors has already paid out millions of dollars to open source contributors, and we’re excited to explore tasteful ways to extend it to the npm ecosystem.

He adds: “For paying customers who use npm Pro, Teams, and Enterprise to host private registries, we will continue to support you. We are also investing heavily in GitHub Packages as a great multi-language packages registry that’s fully integrated with GitHub. Later this year, we will enable npm’s paying customers to move their private npm packages to GitHub Packages — allowing npm to exclusively focus on being a great public registry for JavaScript”.
