Microsoft Acquires npm: A Healthy Move for Critical Public Infrastructure

Today, news broke that GitHub and its parent company Microsoft, acquired npm and its public repository of open source JavaScript packages.

In 2018 when Microsoft acquired Github, many in the developer community had a cautious, even emotional response. Given today’s announcement that GitHub is acquiring npm — the same concerns are likely to surface again since JavaScript is one of the world’s most popular programming languages and since the commons of the global JavaScript community reside within the fabric of npm.

AppSec/API Security 2022

On one hand, such concern is understandable. After all, open source projects are created by the community and they exist to serve the community. I can imagine the argument going like this, “npm as the central repository of JavaScript can only provide value if the community at large trusts those who are responsible for running it.” But, what is “trust”? And how do public repositories like npm, Maven Central, or even Microsoft’s NuGet gallery go about earning the trust of a global developer community?

At Sonatype we’ve been the stewards of the Central Repository (Central), the world’s largest component repository of Java and other JVM related components since 2007. Based on this experience, I’ve learned first hand how challenging it can be to serve as the steward for a public repository. I know how hard it is to gain and keep the trust of millions of open source software developers. In my humble opinion, earning trust starts with “picking up a shovel” and solving a problem on behalf of a community to help it grow and flourish. Community trust is further amplified when you can muster enough resources to solve the same problem in a reliable and scalable manner over a period of many years.

But, here’s the thing; operating a public repository in support of millions (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: