The deal was announced March 16. With the integration, GitHub wants to improve the security of the open source software supply chain and enable users to trace a change from a GitHub pull request to the NPM package version that fixed it. The public NPM registry will remain free.
The NPM registry has been home to more than 1.3 million packages with 75 billion downloads per month. GitHub will continue to support paying customers who use NPM Pro, NPM Teams, and NPM Enterprise to host private registries. GitHub also is investing in GitHub Packages as a multi-vendor packages registry integrated with GitHub. Later this year, NPM customers will be able to move private NPM packages to GitHub Packages.
GitHub’s plans for the GitHub-NPM integration include:
- Investing in the registry infrastructure and platform to ensure that NPM is “fast, reliable, and scalable.”
- Improving the core, everyday experience with changes such as command-line interface access to NPM Workspaces, which are used for managing multiple packages from within a single, top-level root package. Improvements to package publishing and multi-factor authentication also are planned.
- Increasing community engagement to gather ideas to define the future of NPM.