Alternative Package Repositories for JavaScript: Goodbye npm?

When you develop in JavaScript, you end up using the npm package manager to install libraries and modules. In the last few years an alternative to npm, the yarn package manager, has appeared, but yarn still installs packages from npm’s package repository.

What’s wrong with that? Well, npm’s package repository has suffered several outages (incidents in May 2019, April 2019 and February 2018). They have had other issues with deleting or renaming packages (see “How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript”) and with ensuring that packages are not deceptively named (imagine downloading a spyware module because of a typo!). There have also been incidents affecting package publishing, preventing maintainers from pushing the latest version of their code to the npm repository.

Update, March 2020: Another reason to consider an alternative Node.js package repository is that Microsoft (through GitHub) has bought NPM Inc. If you fear Microsoft returning to its old embrace, extend and extinguish strategy, you should consider the alternatives.

Now there are alternatives to that situation: Open-Registry and GitHub Package Registry. Open-Registry has launched a JavaScript package repository that is fully open source and fully transparent. GitHub has launched a beta package repository for JavaScript called GitHub Package Registry. Update: there is a third choice, Verdaccio, which is a private JavaScript registry.

Open-Registry, an Alternative to NPM JavaScript Package Repository

Open-Registry is an npm registry and JavaScript package repository alternative. It is open-source, and their goal is to be funded by users of Open-Registry and to be transparent about their finances and their decision-making. Their current goals are to provide a full mirror of the npm package repository and to become a stable and transparently governed package repository.

Open-Registry’s transparency means that volunteers or salaried developers can join in to work on expanding and improving Open-Registry. The financial transparency also shows how long the funding will last and acts as an incentive to support Open-Registry financially. This seems like a better business model, as Open-Registry can act as the JavaScript package repository for many companies who can pool resources (whether money or developer hours) to fix bugs and improve Open-Registry. It’s infrastructure that benefits everyone, whereas with npm we have had to rely on NPM Inc. raising funds and managing their developers’ time wisely.

Open-Registry is in alpha phase, meaning it is not yet ready for production, but smaller projects and more adventurous cutting-edge companies who want to reduce their reliance on the npm package repository can check it out.

You can donate to Open-Registry on Liberapay.

Verdaccio: a private NPM registry

Verdaccio is an NPM registry alternative that will be useful to those working in corporate environments or other environments where a private package registry is required (for compliance or other reasons). Verdaccio lets you create a private NPM registry where you can publish internal JavaScript packages.

It can also act as a proxy to other registries such as the main public NPM registry (it does this by default). It caches packages so others on your internal network can download from the Verdaccio repository rather than relying directly on NPM.

A great use case mentioned on their site is CI (Continuous Integration). NPM packages may need to be downloaded many times on different server instances for tests to run, and the npm package manager’s own cache doesn’t help when an instance has been replaced with a brand new one. You can rely on Verdaccio to cache the packages and point each server instance’s NPM registry at it, saving time and bandwidth costs.

How-To: Set “npm registry” to Use an Alternative JavaScript Package Repository

You can use the following steps to set up npm to use an alternative registry on the command-line:

  1. View the current registry URL:
    npm config get registry
  2. Update the NPM registry URL to point to another registry such as Open-Registry or GitHub Package Registry:
    npm config set registry

You can do the same thing if you are using yarn instead of npm:

  1. View the current registry URL:
    yarn config get registry
  2. Update the Yarn registry URL:
    yarn config set

And here is how you can revert to the default NPM repository:
npm config set
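One check worth running after switching registries as described above (an added example, not code from the original post or from any of the registries it discusses): an existing package-lock.json still records each tarball’s resolved URL on the old registry, and any entry without an integrity hash is installed without a content check. The registry URL is a placeholder and the lockfile is constructed sample data.

```javascript
// Added example, not code from the original post: after `npm config set registry`
// an existing package-lock.json still records each tarball's `resolved` URL on the
// OLD registry, and any entry without an `integrity` hash is installed with no
// content check. auditLockfile() flags both so a registry switch can be reviewed
// before `npm ci`. The lockfile below is constructed data; the registry URL is assumed.

const ALLOWED_REGISTRY = 'https://registry.example-mirror.invalid/'; // assumed new registry

// Constructed package-lock.json (lockfileVersion 2 layout) for the demonstration.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': {
      version: '1.3.0',
      resolved: 'https://registry.example-mirror.invalid/example-lib/-/example-lib-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTEDHASHVALUE1==',
    },
    'node_modules/legacy-lib': {
      version: '2.0.1',
      // still points at the default npm registry, so the switch is incomplete
      resolved: 'https://registry.npmjs.org/legacy-lib/-/legacy-lib-2.0.1.tgz',
      integrity: 'sha512-CONSTRUCTEDHASHVALUE2==',
    },
    'node_modules/unpinned': {
      version: '0.1.0',
      resolved: 'https://registry.example-mirror.invalid/unpinned/-/unpinned-0.1.0.tgz',
      // no integrity field: npm cannot verify what the registry hands back
    },
  },
};

// Returns one finding per problem: { path, problem: 'off-registry' | 'missing-integrity', host? }
function auditLockfile(lock, allowedRegistry) {
  const allowedHost = new URL(allowedRegistry).host;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The root project and workspace links have no tarball to fetch.
    if (path === '' || entry.link || !entry.resolved) continue;
    let host;
    try { host = new URL(entry.resolved).host; } catch { host = '(unparseable)'; }
    if (host !== allowedHost) findings.push({ path, problem: 'off-registry', host });
    if (!entry.integrity) findings.push({ path, problem: 'missing-integrity' });
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK, ALLOWED_REGISTRY));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every tarball comes from the configured registry and carries a hash.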

The existence of Open-Registry and GitHub Package Registry shows that it is possible to set up alternative JavaScript package repositories. It also means that businesses and organizations that wish to keep their code proprietary can set up a private npm registry. I would definitely recommend exploring hosting open source JavaScript packages on Open-Registry.

GitHub Launches Beta Package Repository

GitHub provides source code hosting, issue tracking and releases. Now they are expanding with a beta program called GitHub Package Registry to host packages and dependencies for JavaScript, Java, Ruby and .NET. There’s also support for Docker images.

While I prefer GitLab and open source hosting solutions for source code, GitHub is a good product (though proprietary). So if you already use GitHub, it becomes a simple matter to register for the beta program and to switch your NPM/Yarn package manager to use GitHub’s JavaScript package repository.

[Image: GitHub Package Registry is an alternative npm registry]

Just like npm’s package repository, GitHub Package Registry displays download statistics and shows what is contained in the packages.

The main advantage is that if you already use GitHub for storing your code or managing your projects, you now have a way to package up dependencies and publish them in one place, using the same username and password rather than signing up for a new system. For instance, I have signed up for Docker Hub and NPM to be able to manage and publish my own Docker images and JavaScript packages.

The other advantage is that GitHub is tackling multiple package repositories and already handles a lot of code repositories. The stakes are incredibly high, which means they have many developers and devops engineers watching over what’s going on. In other words, they have the resourcing to ensure that the GitHub Package Registry beta goes smoothly and that it turns into a fully-featured product.
