▌ The Registry as Business Model
In January 2010 Isaac Schlueter released a small program for fetching JavaScript packages, and the thing it fetched them from was a registry that anyone could write to. That openness was the entire idea: you published and the world installed, with nobody at the door. Four years later there was a company around it, npm, Inc., and that openness was now the ground a business stood on.
Sixth of eighteen Wednesdays, the first on npm. The honest place to start is the ledger that made publishing free.
■ THE FREE THING AND THE TILL
The public registry costs real money to run and earns nothing directly. The revenue lived elsewhere: private packages, and an on-premises product. In spring 2015 the company raised eight million dollars and launched Private Modules at seven dollars per developer a month. That is freemium: the free thing draws the crowd, and its size makes the paid thing plausible. The asset is the crowd, measured in packages, and a company measured by how much it holds has little reason to hold less.
■ WHERE THE MONEY MEETS THE BOUNDARY
The responsibility line, the place where a component's accountability ends, is simply absent from node_modules. That read as an architectural oversight. It reads at least as well as economics. A real boundary would cost gatekeeping and review at publish time, and friction shaves the growth of the count. A boundary keeps things out, which is an awkward device to fit to an inventory you are valued by the size of. So the line was never drawn, and the install script runs as you, with your keys and tokens, before you run a line yourself; one compromised maintainer reaches everything, the dividend of a model paid to ask nothing at the door.
■ WHAT CHANGED HANDS, AND WHAT DID NOT
In 2018 Microsoft bought GitHub for seven and a half billion dollars, a sum that now looks unremarkable. In March 2020 GitHub, by then a Microsoft subsidiary, bought npm: over 1.3 million packages, seventy-five billion downloads a month. Microsoft paid for the size. The releases spoke of an end-to-end secured supply chain; the install script stayed where it had always been. The trust model outlived every owner, because it was never once the thing on sale.
■ THE PRICE OF A LINE
A responsibility line is not a fantasy. libc reaches you with named maintainers and a signed, tested base: you do not read it, yet you know where it lives and who answers when it breaks. Someone is paid to stand at the door and say no, the expense a registry valued by its count would rather not carry.
THE POINT
The missing boundary was the business working as designed. Drawing it would have cost the asset the one number it was built to grow, and no owner since has found a reason to. The ungoverned middle held steady through three sets of hands, priced in from the start.
Next Wednesday: the code quality question, with names attached.
#npm #javascript #nodejs #softwaresupplychain #packagemanager