by rtsao 2283 days ago
I hope this doesn't alter the current GitHub npm package registry policy where all packages must be published under a scope corresponding to the name of the owning GitHub user/org. The resulting increased transparency and clarity of ownership will be great for the JS ecosystem.

The existing npm ownership model is markedly less clear and has led to several problems, including the transfer of package publishing rights to bad actors without anyone being aware. On the whole, npm accounts and orgs were always just an unnecessary abstraction that obscured the actual provenance of software, of which GitHub is the de facto source.

3 comments

Does this mean using alternatives (GitLab, et al.) is not an option?

The worst option has been Elm's system, where the whole package system requires you to not only use GitHub, but when GitHub is down (which isn't uncommon, unfortunately) packages that weren't cached locally were inaccessible with no mirroring options.

Yes, thank you! We believe namespaces are a good thing and will continue to promote them as best practice.

Hopefully we can integrate repository information into package metadata such that you could be aware of a change of ownership even for a globally namespaced package.

I think this is the big reason I'm excited about NPM joining GitHub. I don't trust NPM (I'm not fond of package repos in general), but tying packages closely to their GitHub source offers significantly more verification potential that a package is in fact comprised of the source code for it, and that it hasn't recently turned hostile.