Daniel Romero

Thoughts on the JavaScript-NPM Inc relationship (Updated 2020)

June 23, 2019

A quick history recap of NPM Inc and a few thoughts on the JavaScript ecosystem being too dependent on it.

NPM is the default package manager and package repository for Node.js, both for public and paid-for private packages. That is probably one of the worst decisions of the JavaScript world; let’s see why, with a quick recap of the history of NPM:

  • 2014: Founded.
  • 2015: Already had 2 funding rounds amounting to $10.6M.
  • 2016: Unpublished a package just because they could.
  • 2018: The CLI had a bug by which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the system, WTF?
    Another incident got NPM credentials stolen through the eslint-scope package.
    Another incident had a dependency of event-stream stealing bitcoins from certain applications.
    Not sure about this one, but don’t those incidents belong in npm’s incident history?
    Hired a new CEO, whose job is to take the company from $3M in annual revenue to $30M-$60M…
  • 2019: Conducted a series of meetings with their employees asking for honest feedback, then fired everyone that gave honest feedback.
    Fired everyone that tried to unionize.
    Some of the ones that weren’t fired, left out of solidarity.
    Some of the ones that weren’t fired nor left, put their work on hold.
    The firings were conducted by third-party contractors; no one inside knew this was coming.
    Tried to buy the silence of the ones fired with non-disparagement clauses.
    As a result of the firings, the npm cli has spent 3+ months without any commit.
    At the end of June 2019 the new CEO tells employees that he has secured a deal that removes ‘the threat of running out of money’ until early 2020, GREAT! 6 more months…

You can check all of this for yourself: 1, 2, 3, 4, 5, 6, 7, 8, 9

I also found this recently. I think the history of the events is self-explanatory, and it’s fair to say that the JavaScript ecosystem depends on the wrong company.
As a quick observation: the company is reported to have $3M in annual revenue by its own CEO, with somewhere around 70-80 employees, offices in Oakland, CA, USA, and the cost of running servers at that scale… I’m pretty certain they have been losing money every single year, and one can’t help but wonder how much longer this is going to last, even more so given the recent news.

Update 2020

As of March 2020, NPM has been acquired by GitHub, which is the same as saying NPM has been acquired by Microsoft, who owns GitHub, so yay! I guess NPM is not going to disappear anytime soon and hopefully has a bright and stable future under this new ownership.