At JSConf EU 2019, CJ Silverio – former CTO at NPM Inc – gave this talk on why a VC-funded private package registry (read: the one run by NPM Inc) holds many dangers.
The JS package commons is in the hands of a for-profit entity. We trust NPM Inc with our shared code, but we have no way to hold NPM Inc accountable for its behavior. A trust-based system cannot function without accountability, but somebody still has to pay for the servers. How did we get here, and what should JavaScript do now?
At the end of the talk she announced Entropic, a federated package registry for anything, but mostly JavaScript.
Entropic assumes many registries co-existing and interoperating as part of your normal workflow. All Entropic packages are namespaced, and a full Entropic package spec also includes the hostname of the registry that serves it.