| Maintainer of a few top-10 npm packages here. This makes complete sense. Somewhere along the way NPM stopped being cooperative with the community. It cemented itself with the Microsoft acquisition, but was obvious quite a bit before that. There were so many cracks with how npm functioned, they weren't cooperating well with the community / mainline Node team, their push to commercial viability was really off-putting and forced, and many of the team members had a somewhat rough reputation. Indeed I visited the offices in Oakland (if I recall correctly), and had an... interesting set of interactions there, not particularly positive, that I'll keep to myself. The unpublish hole was well known at the time. Everyone blamed left-pad for breaking the internet, as it were, but nobody seemed to come down on npm for the sheer mismanagement of it all. If memory serves they forcefully reinstated the package against the maintainer's wishes, which is a divorcement from the people they claimed to serve at best, and legally dubious at worst. Shortly after this they stopped caring much at all about abuse on their platform at all (core.js advertisement spam, anyone?) and haven't really worked with the community on standards, compatibility, etc. after that. The npm@5 release was a disaster. The introduction of package lock files couldn't have gone worse, and as I remember it it was a push to get it out alongside the next Node.js major release (I got the feeling the Node team didn't wait for npm to be ready, which I think is a good thing given npm is a for-profit, or at least acts like one). The community outreach during that time of what seemed like endless major, catastrophic bugs and the shaming of the community for putting pressure on them, the pious attitude, was only further proof that npm was no longer an agent of FOSS. I can't remember if left-pad came before or after that but in my head it was all one long drawn out declination of the ecosystem. The packages on npm are a meme now; small packages that do trivial tasks, and everyone likes to make fun of it. Maybe it wasn't the best thing, in hindsight. But context is crucial; npm was the first incredibly accessible package manager for an emergent popular technology, almost entirely community managed, with a good system for querying and tight integration with Github's "social coding" spirit. It existed very early in the Node lifetime, back before even ES5 was available (we still used `var` and `prototype`!), before JavaScript best practices really existed. Before Node.js was given to the community by Joyent. Before even the Io.js fork and the exit from the long stagnation that was Node 0.10/0.12. Nobody knew the best way to do things. I can completely understand the author. From a security perspective I'm really thankful left-pad happened, even if it wasn't the reasoning of the author; it made people acutely aware of what relying on corporate interests divested from the communities they claim to serve, bring to the table in terms of risk. It started many conversations about supply chain security, redundancy, etc. That's a hard thing to do, and it's made the industry a bit better in the long run. Good followup, neat to read this after so long. |
Npm (and JS in general) is a victim of fashion, primarily.