DEV Community

Discussion on: I'm the former tech lead for the NPM CLI, and I've been doing FOSS for 10+ years, Ask Me Anything!

realtoughcandy

Thanks for the opportunity to pick your brain! :) What do you think the future of JS package managers will look like in 5, 10 years?

zkat
Kat Marchán Ask Me Anything • Edited

My dream is to have package management built into the runtime itself. I'm continuing my Tink work now independent of NPM INC, so all the stuff Tink was supposed to do is something you should expect for ds, the package manager for Entropic. As part of this, I also hope the primary JavaScript registry stops being owned by a for-profit private corporation and is instead something owned by a Foundation, probably the JavaScript Foundation.

Basically, if things go well, we'll have transparent package management, ethically owned and managed by people who aren't union busters.

I guess I can expand on this a bit, because this isn't all that would happen in 5 years. 10 years is a lot harder, though.

So, aside from the built-into-runtime thing, and Entropic...

I think we'll reach a security/scale breaking point where we'll start re-evaluating the open-publishing policy where people push whatever code up, and there will start to be a push for better quality control on packages, now that the ecosystem is so large. I also imagine a market will open up for for-pay packages that people can download and use for a fee, at least for proprietary use. I believe this will come as part of a movement away from permissive licensing. I think a lot of this will be driven by major security events that will happen in that time that will make the events of the past few years look like a joke, and force everyone to take a long, hard look at the way we're doing things.

I also believe NPM INC will stop existing altogether in the next couple of years, and the NPM registry will go down with it (as opposed to being bought out by a major company). I think a bunch of competitors will pop up out of thin air and start vying for the position of being "the next main registry". Things will be in chaos for a while, but we'll finally settle on another monopoly, because that's the nature of the problem. Most likely, though, there will be smaller side-registries that see actual use.

I don't know exactly how, yet, but I think the rise of WASM, and eventually, WASI will have a profound impact on what it means to have a "JavaScript Package Manager", and we'll also need to adapt our tooling for all the various languages people are writing JavaScript-consumable WASM modules in. Lots of tool adaptation.

As far as 10 years from now -- I think it might be safe to assume JavaScript will be on its last legs as a primary development language and will be all but replaced by other languages compiling down to WASM, and using that to run on browsers.

realtoughcandy

Lots to think about here. Thanks Kat.