Honestly, don't depend on central repositories for daily availability. Especially if you are doing CI that redownloads everything from scratch. Use something like artifactory to cache the repository you are using: https://www.jfrog.com/confluence/display/RTF/npm+Registry
I think that's the issue of cost/reward. The cost is
- N developers can't work for X hours
- or the company can't release new versions due to CI dependency on the registry.
- or the registry removes a package you were using
- or the existing package contents changes to something malicious
BUT you pay this price very occasionally and if you're a small shop, the cost is often negligible.
On the other hand, maintaining your own mirror has very real costs even though they can be small. One time setup, hardware, sometimes license or hosted service fee, security upgrades. When there's a sponsor maintaining the central repository, having very good uptime and offering it for free, the marginal utility of a local mirror is quite small.
If you're using Yarn, using the offline cache and checking that into source control is a great way not only to prevent the reliance on NPM always being online but also to make sure everyone is using the exact same versions of dependencies.