npm greed problem (2026)
npm greed problem (ai answer)
seems to me, javascript npm was designed to max the company's popularity, number of packages, thus profit. are there similar criticisms? how should a code repo or store be designed? whats good example?
Yes, your observation about NPM's design priorities is a common criticism. NPM (and the npm registry) grew explosively by making publishing extremely easy—anyone can create an account and publish packages with minimal barriers. This led to millions of packages (many tiny or low-quality), massive adoption, and network effects that benefit npm Inc. (now under GitHub/Microsoft), but it also created well-documented downsides.
Common Criticisms of NPM
- "Wild West" publishing and quality issues: Low barriers encourage micro-packages (e.g., the infamous left-pad incident in 2016, where removing a tiny 11-line package broke thousands of projects including React/Babel). Critics argue this fosters over-reliance on fragile, unmaintained dependencies.
- Dependency bloat and performance:
node_modulescan balloon in size due to duplicated dependencies (though improvements like flattening helped). Installs can be slow on large projects. - Security and supply chain risks: Open publishing enables typosquatting, malware, maintainer takeovers, and install scripts. High-profile incidents (e.g., event-stream, recent compromises of packages like debug/chalk) highlight this. NPM's model prioritizes ease over strict vetting.
- Reproducibility and versioning: Loose semver ranges and historical issues with resolution led to "works on my machine" problems (lockfiles mitigate this but aren't perfect).
- Ecosystem incentives: Quantity over quality/curation; profit/popularity via downloads and enterprise features.
Similar issues exist elsewhere (e.g., PyPI has had dependency confusion and malware floods), but NPM's scale and "move fast" JavaScript culture amplify them. Other registries like Maven (Java) are often seen as stricter/more corporate, with better governance but slower innovation.
Alternatives like pnpm (content-addressable storage for deduplication/speed), Yarn (better determinism in early versions), and Bun address some pain points while staying compatible.
How Should a Code Repo/Store (Package Registry + Manager) Be Designed?
A well-designed system balances accessibility, security, reproducibility, maintainability, and performance. Key principles from package management literature and successful systems:
-
Easy but gated publishing — Low friction for legitimate use, but with namespaces, ownership verification, two-factor auth, and review/hold for popular packages. Immutable once published (or strict deprecation policies).
-
Strong dependency resolution & reproducibility — Use lockfiles by default (exact versions + hashes). Semantic versioning with clear total ordering. Support for ranges but encourage pinning in production.
-
Efficiency — Deduplication (e.g., store once, link), fast installs, minimal disk usage. Content-addressable storage helps.
-
Security-first — Package signing, audit trails, malware scanning, restricted install scripts, provenance (e.g., GitHub attestations). Rate limiting, maintainer account protections.
-
Curation and quality signals — Encourage (or require) READMEs, tests, licenses, maintenance status. Support for private mirrors/registries. Metrics like download trends, but avoid gaming.
-
Separation of concerns — Registry for distribution + client tool for local management. Support monorepos/workspaces, vendoring for offline/air-gapped use.
-
Governance — Clear policies for disputes, removals, and funding. Avoid single points of failure (decentralized options or mirrors).
-
Developer experience — Simple manifests (e.g.,
Cargo.toml,package.json), integrated tooling, offline-friendly, clear error messages.
Good Examples
- Cargo (Rust + crates.io): Frequently praised as one of the best. Excellent dependency resolution,
Cargo.lockfor reproducibility, built-in workspaces, semantic versioning enforcement, and a registry that's popular but less chaotic than NPM. Builds are reliable and fast; the ecosystem favors quality over quantity of micro-packages. Strong community norms around stability. - Go modules: Decentralized (uses VCS paths), minimal central registry overhead, strong reproducibility. Simpler in many ways, though it had growing pains.
- Maven Central (Java): More structured/corporate governance, fewer "micro-package" issues, but heavier. Good for enterprise.
- pnpm: Practical improvement on NPM—fixes many performance/bloat issues while staying in the JS ecosystem.
In short: Prioritize sustainable growth over raw popularity. Make it easy to do the right thing (security, maintenance, reproducibility) and harder to do risky things. Rust's Cargo shows that a thoughtful design can support a thriving ecosystem without NPM's worst excesses. Many teams now use pnpm or strict policies (e.g., npm audit, lockfiles, private registries) to mitigate issues in the JS world.