Open source is everywhere. On our phones, running the servers behind the world’s largest web services, and sometimes even in our cars and appliances.
But even though we hear a lot about big open source projects such as the Linux operating system or the Hadoop data-crunching platform, a bigger movement is afoot just beneath the surface of practically all of today’s software. Instead of building big, monolithic applications, programmers are increasingly stitching apps together using open source software packages. As the package paradigm has taken hold, app-making has become more efficient than ever.
These smaller software packages are a lifesaver for many developers, rescuing them from writing common features from scratch, taking the busywork out of everything from password verification to complex mathematics. But packages can also create new forms of complexity, even as they make other jobs simple. Each one needs to be upgraded when new versions arrive, and many packages depend on other packages to work properly.
“You wouldn’t believe how many modules you end up using,” says Edmond Meinfelder, a software architect at DocuSign. “You might only have ten but each of those has ten modules that they depend on, so before you know it you’re up to 100.”
Developers often mitigate this complexity by using tools called “package managers” to automatically install and update these chunks of software. And if a package requires another package, the package manager will go out and fetch the required software from centralized servers.
Package management is so important, in fact, that one company is trying to make it a business. The company, npm, which makes a package manager of the same name, just raised $8 million in venture capital to make that plan a reality.
From Walmart to Uber
Some package managers work at the operating system level, but many others are designed for specific programming languages. The Node Package Manager—known universally among developers as “npm”—is designed for the popular backend development platform Node.js.
Isaac Schlueter created npm in 2009 shortly after Node was first released to the public. He quickly found himself using many other people’s modules in his own Node applications and needed a way to manage them. But Schlueter did something different from most other package management systems. He designed npm so that anyone could add a package to his servers without him having to approve it first. This helped it grow quickly, and it soon became the standard way to install Node software.
Still, despite its widespread use, Schlueter’s package manager remained a side project for the next several years. In 2012, he took over managing the core Node project when creator Ryan Dahl stepped down. But by the next year, it was becoming clear that npm needed full-time support.
Since npm was released, its servers have experienced a few outages, making it impossible for developers to download packages, and at least one significant security issue was discovered. Schlueter knew that he had to devote more time and resources to keeping the servers up and running, and to making the product work well. “The best way to make good software is to hire people and pay them like grown-ups rather than expecting them to do it in their free time,” he says.
The issue, of course, is how to pay those engineers for that time. Fortunately, companies were not just willing but eager to pay for npm. So Schlueter quit his job, stepped down as manager of the core Node project, and founded npm the company.
Small Software Is Big
The company’s first product was npm Enterprise, which enables customers to run their own private npm system on their own servers. And starting today, npm will also allow customers to host private packages on the company’s servers but share them only with certain people, such as co-workers or partners, for $7 per person.
“The basic idea is that anything you publish into open source will be free forever,” Schlueter says. “But anything you need to keep secret, you need to pay for that.”
In addition to secrecy, customers can gain more control over the code they use, says DocuSign’s Meinfelder. “We want all the code that we use to undergo a rigorous security review process,” he says. By hosting their own mirrors of npm’s open source packages, companies can rest assured that they’re installing code that has already been reviewed and only switch to updated versions after proper vetting.
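The two points above, that a handful of direct dependencies fans out into a much larger transitive set and that a vetted mirror turns that set into something a company can gate, can be made concrete with a small Node script. This is an added example, not npm's or DocuSign's code; the dependency graph and the reviewed allowlist are constructed, and the package names are invented.

```javascript
// Constructed dependency graph in the shape a lockfile flattens to:
// "name@version" -> the "name@version" entries it requires. Not real packages.
const DEPENDENCY_GRAPH = {
  "app@1.0.0": ["web@4.2.0", "auth@1.3.0", "mathlib@2.0.1"],
  "web@4.2.0": ["parser@3.0.0", "mime@1.6.0", "debug@2.6.9"],
  "auth@1.3.0": ["hash@5.0.0", "debug@2.6.9"],
  "mathlib@2.0.1": [],
  "parser@3.0.0": ["debug@2.6.9"],
  "mime@1.6.0": [],
  "debug@2.6.9": ["ms@2.0.0"],
  "hash@5.0.0": [],
  "ms@2.0.0": [],
};

// Walk the graph from a root and return every package it pulls in, directly
// or indirectly, each counted once. A package missing from the graph is
// treated as having no dependencies of its own.
function transitiveDependencies(graph, root) {
  const seen = new Set();
  const stack = [...(graph[root] || [])];
  while (stack.length) {
    const pkg = stack.pop();
    if (seen.has(pkg)) continue;
    seen.add(pkg);
    for (const dep of graph[pkg] || []) stack.push(dep);
  }
  return [...seen].sort();
}

// Constructed allowlist standing in for a company mirror that only serves
// package versions that have already passed security review.
const REVIEWED = new Set([
  "web@4.2.0", "auth@1.3.0", "mathlib@2.0.1", "parser@3.0.0",
  "mime@1.6.0", "debug@2.6.9", "hash@5.0.0",
]);

// Return the resolved packages an install would need but the mirror does not
// carry. These are exactly the versions that must be vetted before the
// install can proceed.
function unreviewed(resolved, reviewed) {
  return resolved.filter((pkg) => !reviewed.has(pkg));
}

const resolved = transitiveDependencies(DEPENDENCY_GRAPH, "app@1.0.0");
console.log(`3 direct dependencies expand to ${resolved.length} packages`);
console.log("blocked until reviewed:", unreviewed(resolved, REVIEWED));
```

Pointing the same check at a real lockfile is a matter of loading its resolved entries into the graph; the walk and the allowlist comparison do not change.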
While the value of npm to Node developers is clear, the big question for npm is whether enough companies will adopt Node in the coming years to make its business viable. Given Node’s explosive growth recently, it’s certainly a possibility. Still, the most important thing about npm might not be the specific platform that it supports today, but what its popularity says about the rise of packages as the new paradigm for constructing apps. Small software, it turns out, is a really big deal.