I'm going to tell you a story.
There are no villains in this story. Just smart people doing their best, and unfortunately working at cross-purposes through no fault of their own.
The names and places have been changed, but it is a true story. I've heard this story a lot over the years in my role at npm.
Once Upon A Time...
Way back in the late 1900s, the once-successful ACME Corporation was falling behind. Their development of proprietary widgets (on a proprietary software stack) was unable to keep up with the competition, who were leveraging Open Source platforms at a much lower cost.
Many within ACME Corp wanted to adopt the OSS approach, but they were bound by a multitude of contracts and agreements with customers and the regulatory rules of the various countries in which ACME Corp operated.
ACME Corp was in a pickle. Over a barrel. Pickled in a barrel of mixed metaphors, one could say.
Accepting Open Source Software
Luckily, ACME Corp hit on a solution. They joined some of the foundations springing up to provide governance structures for popular OSS projects, and instituted a policy where any employee could use any Open Source code that they liked, provided it was submitted for review by their compliance team.
This allowed them to avoid projects that were abandoned, insecure, or published with an incompatible license. Filling out a simple form was all it took, and their developers could deliver value using the most up-to-date methods and tools.
Life was good.
Then Life Changed
Shortly after the turn of the 21st century, a series of well-intended solutions to valid problems ended up causing new problems for ACME Corp. All solutions, in solving a problem, reveal new ones.
First, GitHub made it far easier for developers of Open Source to collaborate with one another. This allowed projects to become quite popular without any corporate or nonprofit backing.
The last piece of this puzzle was an early Node.js contributor, who'd been working in the SSJS space for a while, and decided to write a package manager. He'd seen the importance of package management as a development tool before, and had spent quite a bit of time thinking about how reducing friction makes great things happen.
This reduction in friction enabled what came to be known as the "small modules" movement. A number of prolific Open Source enthusiasts began to conceive of a single file as the default unit of code sharing, instead of a branded platform backed by a foundation.
Meanwhile, back at ACME Corp...
With all this distributed sharing, instead of relying on 2 or 3 well-known OSS platforms with clear governance, web applications came to rely on an interconnected mesh of thousands of tiny modules, created by an unaffiliated horde of hundreds of individual contributors.
At ACME Corp, the process has started to creak. Well, not "creak", exactly. More like "break". It's broken.
The compliance team insists on only using modules that pass review. Developers who do write hand-rolled scripts to catalog all of their dependencies for the requisition forms are laughed at.
"2305 modules? You've gotta be kidding me. Use less, or come back next year."
The best devs have moved on to companies with less stringent rules. New developers coming out of school don't even know how to create websites without npm and React and Babel and a zillion of these things.
Today, the battle lines are drawn within ACME Corp, forcing developers to rely on subterfuge. The cost of a security vulnerability or getting sued for violating a license can be in the millions. But failing to ship a website is an existential threat.
When compliance complains that the new continuous delivery system is circumventing their OSS rules, the CTO says "I know, I'm on it", and then quietly ignores it.
And they all lived happily ever after...?
I wish that this was pure fiction.
The approach to compliance in almost every industry has not kept up with the advances in Open Source Software practices. This is a pressing crisis facing some of the biggest software development teams in the world right now.
I believe this problem is solvable, but it is not adequately solved yet.
Most solutions ask an organization to choose between safety and efficiency; but inefficiency is never safe. The only valid approach is to reduce friction for development teams, while also helping compliance teams to do their job. This is the only way to bring peace to the enterprise.
When I founded npm, Inc. back in 2014, one piece of advice I got as a founding CEO of a startup was: start planning your transition (lest it be planned for you). I took that advice to heart, and throughout the life of this company, I have tried to avoid holding any illusions about my own abilities. After spending 8 years running npm – first as an independent project leader, then as a founding CEO – I learned my share of lessons about where my skills lie and where I fall short.
I have a passion for developing products that streamline the experience of creating software applications and sharing libraries. npm’s place in the development ecosystem speaks to some considerable skill in that area. I don’t have as much of a passion for running go-to-market efforts, hammering out the details of partnerships, business and HR operations, or managing a large team of employees.
These are interesting challenges, to be sure, and I adore this group of humans who have joined the company and added so much to npm. But it became increasingly clear that npm, Inc. needed new leadership if the company was going to make good on the promise of providing financial support for this cultural movement. I found that any attention I spent on anything other than product meant that the company suffered, and so did my soul.
It turns out hiring a CEO is hard! We spent 6 months on our first search, and the outcome was that the company was just not ready. Several extremely smart and capable people came in and said, “Yeah, you’ve probably got something here, but it’s not far enough along to hire someone like me.” So, we regrouped, reevaluated our strategy for our enterprise product line, acquired a security company, and came up with a better vision for the company’s future. Our second search had a much better result, with one candidate standing out, being both a good fit for the company and also eager to take on the challenges ahead.
Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months.
Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.
Time is an illusion that helps things make sense
So we are always living in the present tense
It seems unforgiving when a good thing ends
But you and I will always be back then
You and I will always be back then
You and I will always be back then
You and I will always be back then
Singing: Will happen, happening, happened
Will happen, happening, happened
And will happen again and again
'Cause you and I will always be back then
You and I will always be back then
Will happen, happening, happened
Will happen, happening, happened
And we'll happen again and again
'Cause you and I will always be back then
If there was some amazing force outside of time to take us back to where we were
And hang each moment up like pictures on the wall
Inside a billion tiny frames so we can see it all, all, all
It would look like, will happen, happening, happened
Will happen, happening, happened
And there we are again and again
'Cause you and I will always be back then
You and I will always be back then
Will happen, happening, happened
Will happen, happening, happened
And there we are again and again
'Cause you and I will always be back then
You and I will always be back then
You and I will always be back then
You and I will always be back then
That's why
You and I will always be best friends
I know rationally that Adventure Time is over. I saw it coming, and heard it rumored, and heard the wails of anguish over it from friends, and consumed by some unconscious fear of my own mourning, I slowed down watching the show, and gradually fell further and further behind.
The ending is waiting for me in the future, bittersweet and beautiful.
It will happen. Until then, Adventure Time is still happening.