GitHub, which is owned by Microsoft, is purchasing npm. While this is “just” a package manager it’s clear that it will give MSFT a way to introspect packages, see what is popular, and find ways to monetize the various services around npm and Node.js. If Tidelift is already paying some npm maintainers, will this purchase create issues for Tidelift? MSFT is not known for their collaborative work per se.
We’re definitely keeping an eye on that, of course! Few things:
We’re of course paying npm-based developers (many of them!) This doesn’t change anything for them yet. (I assume they could cut off/break the npm fund command at some point, but so far they’ve played very nicely with other funding options in GitHub Sponsors.)
Microsoft of course has a long history of not playing nice, but GitHub under Nat is as good as it’s ever going to get. He’s of course an executive at a massive software company, so of course he’s got certain priorities and biases, but he also gets how this ecosystem works and knows that trust is central.
They already had most of the data (dependencies via source code analysis; popularity via repo analysis - not perfect but a decent proxy). So I’m not particularly worried that they have “more” data now.
The alternatives were not good; collapse/fragmentation of npm would have been a much worse disaster for the entire ecosystem.
We’ve aimed to be multi-language from the beginning, so even if everything goes terribly bad someone in npm-land, we’ll remain robust in Java, Python, etc. regardless.
Hope that helps answer!