npm is the Beating Heart of the JavaScript Ecosystem

Comments (2)

Write your comment

This comment has received 4 appreciations.

The problem with npm Inc is not that they're creating a bad product -- they're not. Sure, allowing unpublishing this easily was a stupid mistake and install scripts can do bad things and prepublish is broken and the fact they're essentially storing graph data in CouchDB is extremely cringy, but npm-cli is a great open source project and the npm registry is sufficiently reliable.

The problem is that npm Inc has made it clear that they wish to act as a private company but also not give up their special status in the Node ecosystem. This is akin to the situation that caused the creation of the Node Foundation and the transfer of the Node project from Joyent (a private company) to the Foundation.

Isaac and other major representatives of npm Inc have a well-established political agenda (which is fine for a private organisation) and they want to use both npm and the Node project to further their political goals. This won't work for Node because the Node Foundation is sufficiently large and apolitical to prevent ideologies from derailing the project's open source nature but as npm is fully controlled by npm Inc there are no such guarantees for the npm project or registry.

The problem isn't npm Inc's political agenda (whether you personally find it agreeable or not), it's that Isaac has been talking about utilizing the npm registry for it. Specifically, a couple of months ago he made a series of tweets sincerely proposing the idea that the npm registry should issue IP bans to individuals who misbehave outside of the scope of npm or npm Inc itself (e.g. for saying something horrible on Twitter), even when the IP is actually that of their employer -- who if they didn't want their company to be banned should simply fire the miscreant. Those tweets were of course deleted after the exchange sparked a lot of outrage but to this day neither Isaac nor npm Inc has made any statement indicating that they won't pursue this idea further.

The view npm Inc holds of open source is that "everything is political" and therefore open source itself must take a political stance or else it supports wrongdoing by default. This runs contrary to the idea of Open Source itself and is on the opposite end of the spectrum as Free Software (which sees software itself as unownable and would consider any restriction -- even to persons you disagree with -- inherently immoral).

Even if we ignore the danger of politicization of the Node project via the npm project (which, to remind you, is distributed as part of the Node project by the Node Foundation) there is still the problem that npm Inc is not accountable to the Node project, especially not with regards to how the public registry is governed.

The kik fiasco showed that npm Inc is willing to take away overloaded package names from active maintainers and give them to trademark holders even when

  • no trademark complaint has been made towards npm Inc
  • no legal threat towards npm Inc exists
  • the maintainer disputes the trademark's relevance and is willing to risk getting sued
  • the trademark owner has no obligation to sue for trademark infringement
  • the trademark owner has tried to bully the maintainer
  • the project is actively being developed and published
  • the maintainer has built a reputation within the community
  • the trademark owner already uses an alternative package name
  • npm name spaces are a thing now and could have been used to signify authenticity if this was really about misleading users to begin with

Despite all these reasons (and more), npm Inc decided at their own discretion (and without legal consultation because there was no threat) in this specific case that kik interactive was the "more apropriate" package owner after a very short e-mail exchange. By siding with a corporation (that is acting as a bad open source citizen) over the community they have made it clear where their loyalties lie.

In fact, throughout the entire fiasco they have lied about what happened: (npm Inc co-founder) Laurie claimed their lawyers had advised them to comply with a legal request; subsequently various complaints were shot down with jokes about the people complaining not being legal experts (when in fact kik made no legal claim whatsoever and no lawyers were involved at any point). Eventually Ashley admitted that npm hadn't actually been sued and the decision was made internally (by Isaac, as the e-mails published by kik would seem to indicate) before taking a hiatus from Twitter in the middle of the PR catastrophe.

Oh, and if npm Inc's behaviour wasn't problematic enough: keep in mind they're a funded startup and acting like one (i.e. they're most likely not currently sustainable).

The public registry is a major cost center. I can't find any official numbers but considering what Nodejitsu (before npm Inc came along) posted during their fundraiser (which set out to raise $200k) and that the public registry has only been growing since while the underlying infrastructure seems to be still largely the same scalability-wise, I sincerely doubt npm Inc is currently cashflow positive.

Then you also need to add the expenses from running the company itself, running and sponsoring various events etc, and that currently private packages and their enteprise solution are their only means of income (which they somewhat desperately try to advertise at any chance they get these days) their financial situation seems dubious at best unless they can keep getting multi-million dollar investments at this rate. As npm Inc is rather secretive about the company they are running (even Isaac's LinkedIn profile is literally a joke) I can't speculate anything positive.

Again: none of this would be concerning if npm Inc was just a private company and just a startup. Bleeding money is just something investment-seeking startups do. Startups don't need to be sustainable. Startups can have crazy opinionated politics. But we're talking about core infrastructure of the JavaScript ecosystem the (decidedly non-private) Node Foundation is not just officially blessing but providing a monpoly status. Not to mention that npm Inc employees have been ridiculing and derailing various attempts to discuss the creation of alternatives within the Node Foundation.

At best, it's a conflict of interest. At worst, it's a disaster waiting to happen. Either way, npm (both the registry and the client) needs to be annexed or replaced.

Write a reply...

Beating heart, or house of cards? Though the article itself says it all:

Bottom line, npm is just as safe as any other package manager out there at this point

Which is to say, not safe at all -- far too often people are blindly sleazing together other people's code that they don't even understand, hoping and praying that it won't fall apart despite it doing so time and time and time again. WORSE is the false "bandwagon" assumption that "thousands of others can't be wrong"... millions of people are wrong every day, often about the same things.

I simply don't trust the idea, as any project that gets "big enough" to need this type of garbage, is probably overthought, overcomplicated, and doing something horribly and terrifyingly wrong... wrong like overusing scripttardery where JS has zero damned business, and giving a giant middle finger to speed, sustainability, and worst of all accessibility... that last one being an unforgivable sin in my book; sadly that describes most crapplets built with web technologies which on the whole tell users with accessibility needs to go jump off a cliff and * themselves -- the opposite of why HTML was even created in the first place.

But again, I'm the guy who usually uses 10k of code for what everyone else uses 200k or more... so YMMV.

The problem with npm compared to other package managers is that because npm is intentionally not a walled garden (nor should it be) there are no guarantees about the safety of a package (or even a new release of a package) at all. It's entirely based on trust but it's treated as if it were 100% reliable.

However the exploit wasn't just about unsafe packages. It was specifically about self-replicating packages by exploiting the lack of security in the npm publishing mechanism. The official response was "if you don't want to accidentally publish packages, just stay logged out" which is unacceptable. The registry should at least offer two factor auth for sensitive operations like publishing a new package or version.

Write a reply...

loading ...