
How npm became the most popular package manager in the world



Ashley Williams (@ag_dubs), who manages the developer and content community at npm, gave the opening talk at the Node.js Interactive conference. She spoke about the current state of affairs at the company and explained how it earns money. npm is in fact a commercial company that makes a profit from corporate services. This income is enough to operate as a normal company, pay salaries to staff (the company now has 23 employees), and still support the free repository of npm packages.

Some statistics. Over the past 28 days, npm users have installed 18 billion packages. To install these packages, they needed to download 6 billion packages from the repository. Approximately two-thirds of the installations did not download the packages but were served from the cache. Here is the graph of the number of downloads per 28 days, starting from 2013.


The rapid growth of npm is also shown by the number of packages published in the repository per week. The chart shows statistics for the last two years. At the beginning of 2015, fewer than 12,500 packages a week were published in the repository; the latest figure, for January 2017, is 39,692 packages.



Nearly 40,000 packages in just one week.

Next are the statistics on new packages (also weekly) for two years. Updates to existing packages are excluded.



The graph shows four striking peaks in the first half of 2016 and one dip in December 2015. Ashley Williams found it difficult to say what caused these anomalies: “Probably many developers were agitated at the time,” she suggested with a smile.

In the last week alone, 4685 new packages were uploaded to the repository.

In addition to statistics on packages, it is interesting to look at how the open source community is growing through the prism of the npm repository. Each week, about 160 people publish their first package in npm. This counts not new versions of packages but specifically a person's first package. That is how much the open source community is growing, because with high probability these are the first packages of their lives.

In total, the npm repository currently has 102,460 active “publishers” (the authors of the packages). This is also a considerable amount.

Below are statistics on the number of new user registrations.



To date, 314,582 users have registered in npm. As the previous figures show, approximately every third registered user is an active publisher and the author of one or more packages.

The npm representative did not ignore the scandalous story of the left-pad package: 11 lines of code "that broke the Internet."

Recall that in March 2016, web developer Azer Koçulu, the author of more than 250 modules for Node.js, got into an unpleasant situation. He received a letter from a lawyer for Kik (the messenger) demanding that he withdraw the module of the same name, kik, from npm. The programmer refused, so the lawyer turned directly to the company npm, which changed the owner of kik without the author's permission. The angry developer decided to withdraw all his modules, more than 250 of them. Unfortunately, among them was left-pad, a small module of 11 lines of JavaScript code. Despite the simplicity of the module, in thousands of applications npm could no longer resolve the dependencies between packages.

Ashley Williams said that the company realized the seriousness of the problem and offered its deepest apologies, and just a week after that story it prepared new rules for removing packages from the repository. Under the new rules, you are entitled to remove a package only within 24 hours of publishing it. After this time, revocation is allowed only with the permission of the administration. The support service will check whether removing the module breaks any dependencies in other packages. If it does, revocation is prohibited. In this case, control will either be given to another developer, or they will try to contact the author of the package where there is an extra dependency.

The new npm policy and the left-pad story drew a lively response from the community: thousands of authors left comments on GitHub. Many authors wanted to remove their packages.

In response, the company introduced a new policy for relinquishing package rights (dissociate and deprecate), so that authors can leave a package they no longer wish to maintain by simply removing their name from its registry entry.

Thus, the problem of dependencies breaking across thousands of packages in the entire npm ecosystem when a single module is removed was solved. "Now the registry is invulnerable," summed up Ashley Williams. A disaster like left-pad will not happen again. The company also emphasizes the registry's high uptime percentage (real-time statistics are shown on ping.npmjs.com) and the high performance of npm, which is several times higher than that of, for example, git.



If the npm cache is empty, it is about 75% faster than git.

The popularity of JavaScript explains the rapid growth of the npm registry and the fact that npm became the most popular package manager in the world in 2014. Now, by number of packages, it is more than twice as large as the nearest one, Maven Central (Java).



Despite being the largest package manager in the world, npm still sees prospects for growth. After all, there are about 18 million programmers in the world, and 85% of them write in JavaScript (in some sense, at least partially). This means that there are approximately 15 million JavaScript developers in the world. Currently no more than 50% of them use npm (about 5.7 million users), so there is room to grow.

The study showed that 80% of npm users develop frontends and 60% develop backends. The study also showed that people use npm for absolutely incredible things for which it was not designed and which never occurred to the creators of the service.

Source: https://habr.com/ru/post/319724/

