globalGlob(**/*)

//TODO: Hilarious Tagline

GitHub Fixes Every NPM Vulnerability By Shutting Down NPM

and no regressions

Software Development - 2026-01-22

Globs:

**/npm/*
A pink/orange/yellow keyboard with some custom keys, and a laptop with a sticker of the NPM logo. It's cool and hip, like a cool and hip guy.

Photo by Paul Esch-Laurent on Unsplash

"Everyone thought Microsoft would screw up NPM when GitHub acquired it, but I think this proves all the haters wrong." The opening line from GitHub's latest announcement regarding NPM is a bold statement, but accurate. I myself assumed the worst when GitHub took ownership of the service 6 years ago. But now, GitHub has done the unthinkable by adding a security layer so powerful, no security vulnerabilities can ever affect the NPM ecosystem. All they had to do was shut down the service.

In an interview with globalGlob(**/*), Jianna Morrow, someone we found at the GitHub offices, added more context to the update. "Some people will be unhappy about it, but we think it's a win for the ecosystem. This can be a forcing function to have more built-in functions in JavaScript, for example to tell you if a number is even. Today you'd need the is-even package, which has a dependency on is-odd, which has a dependency on is-number. Any of those 3 packages could have a vulnerability and millions of people would be at the will of malicious actors. While the initial benefit of shutting down NPM is the immediate fix of every vulnerability, we think an added benefit is a future with a more useful JavaScript ecosystem with helpful functions like isNumber() and isOdd()."

We reached out to some users of NPM to find out what they think of the announcement, and all gave responses similar to, "Fuck. Oh no. Oh fuck. Why me?! What the fuck is going on here?"