CJ Silverio, former CTO of npm Inc., gave a presentation at JSConf EU 2019 in Berlin earlier this month titled “The Economics of Open Source.” More specifically, she discussed the economics of package management as it applies to open source software, based on her unique perspective and experience gained in working for the company that runs the world’s largest JavaScript package registry.

Silverio tells the story of how npm gained official status and characterizes its success as a catastrophe for a centralized package registry and repository. Although centralization has some advantages for usability and reliability, success becomes expensive when a centralized service grows popular. She describes the events leading up to npm’s incorporation in 2013: the registry was down more than it was up in October 2013, and npm needed money.

npm’s owner took seed funding from a VC firm, and the Node project continued to give npm special privileges. Developers perpetuated this by continuing to use npm, which over time had come to define developers’ expectations for how JavaScript packages are served. Silverio discusses some of the consequences of npm coming under private control, such as developers now having no input into registry policies or into how disputes are resolved.

Presumably speaking from her intimate knowledge of the company’s inner workings, Silverio describes how VC funding turned npm Inc. into a financial instrument.

“Financial instruments are contracts about money,” she said. “npm Inc, the company that owns our language ecosystem, is a thing that might as well be a collection of pork bellies, as far as its owners are concerned. They make contracts with each other and trade bits of it around. npm Inc. is a means for turning money into more money.”

Silverio contends that JavaScript’s package registry should not be privately controlled and that centralization is a burden that will inevitably lead to private control because the servers cost money.

Her sharp criticism of centralized package management leads into her announcement of a federated, decentralized package registry called Entropic that she created with former npm colleague Chris Dickinson and more than a dozen contributors. The project is Apache 2.0 licensed and its creators are working in cooperation with the OpenJS Foundation.

Tweet from Ceej (@ceejbot), June 6, 2019: “Warming my heart right now: how many former npm-ers are contributing to entropic <3”

Entropic comes with its own CLI, and offers a new file-centric publication API. All packages published to the registry are public and developers are encouraged to use something like the GitHub Package Registry if they need to control access to packages. The project is just over a month old and is not ready for use.

“I think it’s right that the pendulum is swinging away from centralization and I want to lend my push to the swing,” Silverio said. “The last decade has been about consolidation and monolithic services, but the coming decade is going to be federated. Federation spreads out costs. It spreads out control. It spreads out policy-making. It hands control of your slice of our language ecosystem to you. My hope is that by giving Entropic away, I’ll help us take our language commons back.”

Silverio’s Economics of Package Management essay is available on GitHub. Check out the video of the presentation from JSConf EU below. If decentralized package management gains momentum and becomes the standard for the industry, this video captures what may become a turning point in the JavaScript ecosystem and a defining moment for the future of the web.