In January 2010 Isaac Schlueter released a small program for fetching JavaScript packages, bundled with a young runtime called Node.js, and the thing it fetched them from was a registry that anyone could write to. That openness was the entire idea. You published and the world installed, with nobody at the door. Four years later the registry had a company around it, npm, Inc., incorporated in Oakland by Schlueter and Laurie Voss, and the openness that had made the tool useful was now the ground a business had to be built upon. A registry that anyone can add to is, from a certain angle, an inventory that grows for free. The problem npm, Inc. had to solve was how to earn a living next to something it gave away, and the shape of that answer is most of the reason the trust model looks the way it does today.
This is the sixth of eighteen Wednesdays and the first of five on npm. The diagnosis is behind us: four things broke at once, and three carriers hold the whole arrangement up. npm is the first carrier, and the honest place to start with it is the ledger that made publishing free. The code that gets published comes later, and it comes next week.
The Free Thing and the Till
The public registry costs real money to run and earns nothing on its own. It is bandwidth and storage handed out for nothing, and the moderation of abuse is not free either. The revenue lived elsewhere, to one side of a quiet line: private packages for individuals and organisations, and an on-premises product for firms that wanted the registry behind their own firewall. npm Enterprise arrived in 2014. In the spring of 2015 the company raised eight million dollars and launched its first mass paid tier, Private Modules, at seven dollars per developer each month, a year after a seed round of two and a half million led by True Ventures. Everything you could pay for sat on one side; the public registry, the part nearly everyone actually touched, stayed on the other, free.
This is the ordinary shape of freemium, and there is nothing disreputable about it in itself. The free thing draws the crowd, the paid thing pays the wages, and the free thing therefore has to be as large and as easy to enter as it can possibly be made, because its size is what makes the paid thing plausible to a buyer. The asset is the crowd. In npm's case the crowd is measured in packages, and a company measured by how much it holds has little reason to hold less.
Where the Money Meets the Boundary
Recall the boundary the third Wednesday went looking for and could not find. The responsibility line, the place where you can say where a component's accountability ends, is simply absent from node_modules. In June that read as an oversight of the architecture. It reads at least as well as a property of the economics.
Consider what an actual boundary would cost: gatekeeping at publish time, review by someone accountable, namespaces that mean something because a person has vouched for them, and a slower path from “I have written a thing” to “the world may install it”. Every one of those is friction at the entrance, and friction at the entrance shaves the growth of the count. A boundary is, among its other duties, a mechanism for keeping things out, which is an awkward device to fit to an inventory you are valued by the size of. The registry that grows quickest is the one that asks least on the way in.
So the absent line was never quite an accident. It was consistent, at every point, with the number the business existed to grow. The count as a choice, from the second Wednesday, turns out to have had a balance sheet standing behind it the whole time. And the small hazards that follow from an open door followed too. The install script that runs arbitrary code on your machine, the latest tag that can be moved over a release people already depend on, the ordinary permission for one maintainer's package to reach into another, the transitive dependency you never chose and could not name: these are the terms of an open till. Closing any of them would cost throughput at the entrance, which is the one thing a growth business will not spend.
None of that is a hazard in the abstract. A package's install script runs as you, with your shell, your environment variables, your SSH keys and your cloud tokens, in the moment the install finishes and before you have run a line yourself, and your code shares one set of permissions and one blast radius with every stranger it pulled in. So a single compromised maintainer reaches a very long way, and the register of it has the regularity of something structural: a stolen publish key, a maintainer's recovery domain left to lapse and re-registered for the cost of a renewal, a backdoored release shipping under the latest tag for the better part of a fortnight, a typosquat under a fresh alias within the hour. The mechanisms differ and the shape beneath them does not, because there was no line to cross. It is among the more consequential security problems in modern software, and it is the dividend of a model paid to ask nothing at the door.
What Changed Hands, and What Did Not
In June 2018 Microsoft agreed to buy GitHub for seven and a half billion dollars in stock, a sum that raised a good many eyebrows at the time and, with hindsight, looks unremarkable. Not quite two years later, in March 2020, GitHub, by then a Microsoft subsidiary, bought npm, Inc. The registry it acquired held over 1.3 million packages and served on the order of seventy-five billion downloads a month, and Nat Friedman's announcement made the customary promise that the public registry would always be available and always be free. Microsoft paid for the size. The size was the point.
What arrived with the sale was new ownership and a considerable quantity of language about securing the software supply chain. A year before, GitHub had shipped Sponsors, a tidy way to send maintainers a little money, which was a decent thing to build and did not move a single permission. The releases spoke of an end-to-end secured supply chain; the install script stayed precisely where it had always been.
The trust model, then, outlived every change of owner, for the plain reason that it was never once the thing on sale. A start-up built it to grow a free registry as fast as possible. An acquirer bought that registry because it had grown. Neither party had an interest in the line whose absence made the growth cheap, and so, through a start-up, a Series A, an on-premises product and a purchase by one of the largest software companies on earth, the permission for a stranger's package to run code on your laptop went unrevised. Continuity, of a sort one does not often celebrate.
The Price of a Line
A registry with a responsibility line is not a fantasy. It is merely one that decided its size was not the only thing worth having. A distribution's package repository carries named maintainers, a review path, signing, and a base released as a single tested whole. libc reaches you that way, which is why the earlier Wednesdays kept returning to it: you do not read it, and you still know where it lives and who is accountable when it breaks. That accountability has a price. Someone is paid, or funding is found, so that a person can stand at the door and occasionally say no, and standing at the door saying no is exactly the expense a registry valued by its count would rather not carry.
There is a version of npm that drew the line early and stayed smaller for it, and it is not the version that got bought for the size of its inventory. This is the awkward part of the diagnosis, and worth stating plainly rather than as a grievance: the missing boundary was the business working as designed, and calling it a failure mistakes the machine for a bug in it. Reduction, as the fifth Wednesday put it, is the work nobody is funded to do, and drawing a boundary is reduction wearing a different coat. The market had every incentive to add packages and none to bound them, and it behaved accordingly, which is roughly what markets do.
The Point
npm did what its incentives asked. The public registry was free because free is what fills an inventory, the inventory was the asset, and a trust boundary would have cost the asset the one number it was built to grow. No owner since has found a reason to draw the line, because each of them bought the registry for the same size that the missing line made cheap to reach. The result is the ungoverned middle the third Wednesday named, holding steady through three sets of hands, priced into the thing from the start.
That is the registry. The next question is what it lets through, and here the record has names on it.
Next Wednesday: the code quality question, with names attached.