The JS package commons is in the hands of a for-profit entity. We trust npm with our shared code, but we have no way to hold npm accountable for its behavior. A trust-based system cannot function without accountability, but somebody still has to pay for the servers. How did we get here, and what should JavaScript do now?
In 2013 the JS community made a critical decision via inaction: we let our package registry be owned by a for-profit entity. Scale is expensive & requires reliable funding. A VC-funded registry has let us share code at a rate unimagined by most language communities. However, we don't have control of our commons. Is this a good tradeoff? Until now our collective answer has been yes, but we have rarely considered the implications of our decision & how we could choose differently.