Is GitHub Package Registry the npm killer?

Is GitHub Package Registry the npm killer?

GitHub has announced GitHub Package Registry. Does this spell the death for npm?

sampson crowley

All packages being scoped is 100000% a good thing. What is your alternative???

How often are you adding completely new packages that typing @octadev/ is actually any more difficult?

Also there are already a LOT of regular NPM packages that have the same caveat (@babel/preset-env, anyone?) so I think the point is moot

Eric Swanson

I too favor scoped packages. Plus, I almost always copy-paste the install command from a project’s readme.

sampson crowley

Seriously, plus it means you always know exactly who wrote it just by looking at your package.json

Guilherme Oderdenge

Scoped packages ftw

Russell Smyth

I logged into discus just to say the same thing! scoped packages is absolutely +1!

Russell Smyth

The npm login requirement isn’t really an ugly - most corporate npm repos/proxies will require the same. Hopefully proxying GitHub published repos is easily obtained for those use cases.

Liviu Ionescu

The npm login requirement for consuming packages is almost a show stopper for many/most regular users. Right now I maintain some CLI tools based on Node.js, and everybody can install them anonymously with npm, no questions asked. I simply cannot migrate them to the GitHub Package Registry, since this will break all scripts using these tools, not to mention all CI/CD environments. I disagree, the npm login requirement is really an ugly, a very bad one.


This page seems to indicate that you won’t need to login for access to public repositories – it’s just like that during the beta:…
“Anonymous access to public packages will be allowed. As of the beta, however, users will need to log in via GitHub, according to Rajuyn.”

Liviu Ionescu

If the author has some inner sources from inside GitHub, well, yes, it might happen, but currently I could not find any reference in GitHub documentation.

Dan Dascalescu

NPM has a mind-boggling, to me, security flaw: what you install from NPM is not necessarily the package you see on GitHub!

Someone can publish a totally clean database driver package on GitHub, then change a few lines in one file to phone home all connection strings, then publish that on NPM. The vast majority of people don’t audit, and those who look through the code on GitHub won’t see anything suspicious.

This has happened multiple times on NPM, and even though NPM isn’t the only package system vulnerable to these attacks, it’s the most popular and hence, most targeted.

If the GitHub registry guaranteed that a package is compiled from the source you see on GitHub, e.g. via a GitHub Action that’s also publicly auditable, then we solve this problem.

With npm being bought by GitHub, this will hopefully happen at some point.