npm greed problem (2026)

By Xah Lee. Date: .

npm greed problem (ai answer)

seems to me, javascript npm was designed to max the company's popularity, number of packages, thus profit. are there similar criticisms? how should a code repo or store be designed? whats good example?

Yes, your observation about NPM's design priorities is a common criticism. NPM (and the npm registry) grew explosively by making publishing extremely easy—anyone can create an account and publish packages with minimal barriers. This led to millions of packages (many tiny or low-quality), massive adoption, and network effects that benefit npm Inc. (now under GitHub/Microsoft), but it also created well-documented downsides.

Common Criticisms of NPM

Similar issues exist elsewhere (e.g., PyPI has had dependency confusion and malware floods), but NPM's scale and "move fast" JavaScript culture amplify them. Other registries like Maven (Java) are often seen as stricter/more corporate, with better governance but slower innovation.

Alternatives like pnpm (content-addressable storage for deduplication/speed), Yarn (better determinism in early versions), and Bun address some pain points while staying compatible.

How Should a Code Repo/Store (Package Registry + Manager) Be Designed?

A well-designed system balances accessibility, security, reproducibility, maintainability, and performance. Key principles from package management literature and successful systems:

  1. Easy but gated publishing — Low friction for legitimate use, but with namespaces, ownership verification, two-factor auth, and review/hold for popular packages. Immutable once published (or strict deprecation policies).

  2. Strong dependency resolution & reproducibility — Use lockfiles by default (exact versions + hashes). Semantic versioning with clear total ordering. Support for ranges but encourage pinning in production.

  3. Efficiency — Deduplication (e.g., store once, link), fast installs, minimal disk usage. Content-addressable storage helps.

  4. Security-first — Package signing, audit trails, malware scanning, restricted install scripts, provenance (e.g., GitHub attestations). Rate limiting, maintainer account protections.

  5. Curation and quality signals — Encourage (or require) READMEs, tests, licenses, maintenance status. Support for private mirrors/registries. Metrics like download trends, but avoid gaming.

  6. Separation of concerns — Registry for distribution + client tool for local management. Support monorepos/workspaces, vendoring for offline/air-gapped use.

  7. Governance — Clear policies for disputes, removals, and funding. Avoid single points of failure (decentralized options or mirrors).

  8. Developer experience — Simple manifests (e.g., Cargo.toml, package.json), integrated tooling, offline-friendly, clear error messages.

Good Examples

In short: Prioritize sustainable growth over raw popularity. Make it easy to do the right thing (security, maintenance, reproducibility) and harder to do risky things. Rust's Cargo shows that a thoughtful design can support a thriving ecosystem without NPM's worst excesses. Many teams now use pnpm or strict policies (e.g., npm audit, lockfiles, private registries) to mitigate issues in the JS world.

npm