The plan is to invest in the npm registry to make it reliable and scalable for developers, according to Friedman. He emphasized that the public npm registry will remain free.
"Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open-source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it," Friedman said.
npm Enterprise Versus GitHub Packages
One of the key capabilities of npm's commercial offering is the ability to host private packages. GitHub announced the same capability for GitHub Packages during its GitHub Universe event in November 2019. GitHub has committed to supporting npm Enterprise customers, at least in the short term.
"In the future, GitHub will enable and encourage customers to move their private npm packages to GitHub Packages," the GitHub spokesperson said.
Isaac Schlueter, npm founder and CEO, is particularly enthusiastic about the GitHub acquisition.
Community Feedback Is Mixed
"Interesting move by Microsoft/GitHub on acquiring @npmjs," Chris Aniszczyk, vice president of developer relations at the Linux Foundation, wrote in a Twitter message. "Nice to have MS help sustain an important package registry but I truly believe package registries need to be community owned and not by just one vendor ... too risky."
"We know and trust the GitHub leaders who have the experience to build upon the important contributions by many, which made npm the leading open-source package management resource it is today," Ginn said.