> "The actual concern I have is that the JavaScript package manager and language commons are in the hands of a VC-funded company

I'm not primarily a JS developer, but I guess I just assumed NPM was run by a non-profit foundation like the Python Software Foundation runs PyPI. So I started looking into the governance of other significant library repos. Homebrew actually sets a good example [0], with a clear governance structure. On the other hand I have no idea who owns RubyGems.org, perhaps a loose collection of GitHub users called the RubyGems Team [1]. Maven Central (Java) is owned+operated by Sonatype [2], Packagist (PHP) is owned+operated by Private Packagist [3], NuGet (C#) is unsurprisingly owned+operated by Microsoft, and CPAN seems to be governed by the Perl Foundation. According to modulecounts.com [4], NPM has more hosted packages than any of the others. It's also the only one where the registry source code does not seem to be publicly available, and there are very few full mirrors that don't just proxy upstream to npmjs.org. Yikes.

[0] https://docs.brew.sh/Homebrew-Governance

[1] https://rubygems.org/pages/about

[2] https://central.sonatype.org/

[3] https://packagist.org/

[4] http://www.modulecounts.com/