Brian Kardell: All right. So hi, I'm Brian Kardell. I'm a developer advocate at Igalia.
Ujjwal Sharma: I am Ujjwal Sharma and I'm also a developer advocate and a standards thinker at Igalia. And we're with two special guests today. So Daniel and Matias, would you like to introduce yourself?
Daniel Roe: Sure. So my name is Daniel Roe. It's a real pleasure to be here. Thank you for having us. I'm a full-time open source developer. I lead the team building Nuxt, which is a full stack framework for building web apps. And I have some other projects I'm also involved with, like Nitro and I guess NPMX.
Matias Capeletto: Yeah. Thanks a lot for the invite. I'm Matias, but people online know me as Patak. And I'm part of the Vite team, Vitest. We built Elk together with Daniel and other people when we tried to move to Mastodon. And now we are building NPMX together with a very nice community.
Brian Kardell: My normal co-host here, Eric Meyer, is sitting this one out just because we have an abundance of guests and different specializations. So expect him back next time. So actually, I'm going to say something that's maybe embarrassingly honest, which is that some of my colleagues brought NPMX to me and I literally did not know what it was. So I immediately thought that, oh, well, it's a new NPM repository, but it's not that, right?
Daniel Roe: No, it's not a replacement for NPM as a registry.
Brian Kardell: Well, and it's a package manager and it's like, no, it's not a package manager.
Daniel Roe: So no, exactly, because those are the things that NPM is. So NPM is three things. Matias and I were talking about this earlier today. NPM is the CLI, the package manager that installs packages. NPM is also the registry that keeps those packages and provides infrastructure to distribute them. And it's also the website for browsing the packages and seeing information about them. And we have different options at every stage of that. So there are different package managers you can use. You can use Bun, you can use Yarn, you can use PNPM or Vault. There are different registries. So JSR, for example, is an alternative registry to NPM. But what NPMX is, is an alternative to npmjs.com. It's a different way of browsing the registry, seeing information about packages. In fact, some information that isn't available to you on npmjs.com.
Brian Kardell: It is a very cool website that I want to talk about, but I did a little research here to learn about it. And the story of how it came about is very interesting. Can you maybe tell us?
Daniel Roe: Sure. So I couldn't sleep and I woke up in the middle of the night and I opened my company Slack, naturally, as everyone no doubt does. And I saw a message there. Someone was complaining about the state of npmjs.com. And I had been thinking about creating a website to show off some of the features that Nuxt has for creating fast websites. And I thought, 'Hah, this is it.' And so I couldn't really get back to sleep. I just kept on thinking about it. And the next day, I posted on Bluesky, 'What are people's pain points with npmjs.com?' And I got so many responses. They just kept coming in, and more and more and more and more. And it was very clear that this was something that was a pain point that all of us felt. It wasn't just a me thing. We all felt that we wanted a better, different NPM package process. And so I think I had an MVP app by the next day. I started messaging people one by one. And one of the first I messaged was Matias.
Matias Capeletto: Yeah. And we have been working together, as I said, in Elk. And I was also looking at that point to what was next to do. I wanted a challenge and this was just the perfect time. And we created a Discord to help the community chat. And it feels in a way like we have been working together with a group of people building Vite that like it took us five years, but it finally got more downloads than webpack and now Vite is the new standard. And we did the same with Vitest and now it's not far from overtaking Jest in downloads. And it is like we are building this group of people also, like this network of people that like to work together. And when there is a challenge, they all came, like we just need to say, 'Hey, there's this cool thing we are doing. Do you want to build with us?' And they will show up and start working. And we know each other. So it is like more saying to a friend, 'Let's go to play something,' and they just appear. So it really felt like that. And yeah, we started to work and everybody was really excited. I wanted to say something about like an anecdote from the last weekend. We were in Vancouver (ATmosphereConf 26). We presented NPMX there, a talk with Zeu, one of the core team members. And the thing that Daniel was saying about npmjs.com, it hasn't had a lot of development in the past 10 years. So there is a lot of things that could be improving, new features. And one of the things is it doesn't respect user settings, it doesn't have a dark mode. So for a lot of people that you are using dark mode, you go there and your eyes like just explodes. And one of the things that happened is that we were doing the talk and I had a slide that has a bigger screenshot of npmjs.com. And when I went to that screenshot to talk about what were the problems, the whole room lighted up and it was like clear. It was like turning on a projector because my talk was in dark mode. Our talk was in dark mode. So just that.
It was clear that a new website that takes into account user settings, that is more accessible, that surface more information that could be useful for people to choose the right packages was something a lot of us felt the need for.
Ujjwal Sharma: One thing that's quite special about what you mentioned and sort of connecting the dots about all of these alternatives and initiatives that people have been taking is that there's an ongoing trend in the JavaScript sort of ecosystem about people demanding better tools or just better alternatives where there aren't any, as you mentioned, like NPM has been one of these constants in many ways, as JavaScript as a space, as a people, as a community has evolved quite a bit. NPM has been this constant. And now finally, not only are maintainers like you all are responding to the community, but like there's this community energy. And to what do you attribute that? Is it just that people are tired of NPM or is there more ongoing and sort of synergy between these trends?
Daniel Roe: I think I really have to tip the hat here to Matias. I think probably if I had carried on with this project just on my own and I probably would have had 10 contributors and a handful of PRs and it would have been a fun project, but I don't think we would have got anywhere near we are now because the moment I invited him into that Discord server, I think even the Discord server, Matias said, 'Should we create a Discord server?' And we did and channels started popping up and people started joining. And I mean, it wasn't public. The GitHub repo was public because I ran out of my private GitHub actions, so I needed it to be public to run CI, but we weren't advertising it or telling anyone about it publicly, just word of mouth. But Matias, I feel there were a number of things. One, every single person who joined the Discord server, we welcomed one by one. I think there wasn't a policy decision or anything like that. It just happened. And it's now a thing, that is one of the things that we do that's about us. We look out for new people and we welcome them to the server. And I honestly think far more than the technical challenge or the user needs, obviously they had to be there. People had to be motivated as well, but I think the thing that makes something like this really take off in terms of people contributing and getting involved was absolutely the people side of things.
Brian Kardell: One of the things that I latched on, I actually clipped it out and put it in the notes doc. It said, 'Within 24 hours, 49 pull requests had been opened. Two weeks later, the community had contributed 1,000 issues and PRs. It's roughly one every 20 minutes around the clock with over 105 contributors and 1,500 stars in just 16 days, NPMX became one of the most active early open source projects we've seen.' That is really amazing. There are so many stories just in that one paragraph that we could think about and talk about. I think the social aspect of software is really important. Like you said, Daniel, you could have taken this exact same project, like the exact same starting point, the exact same, and just in a different universe, you had maybe 10 contributors. And I mean, who knows if maybe even they would have stuck around very long. I've had this experience myself. I know the best times in my career, I've always had somebody that I talked to almost every day that we're just excited about the same things and we're bouncing ideas off one another and we're pushing one another. 'Oh, okay, I'll do that.' And it's hard to artificially do that. I have just one thing that I thought as soon as this came about, which is like, is the NPMJS not an open source website?
Daniel Roe: It's crazy, isn't it? I mean, it feels today like we expect our infrastructure in the open source ecosystem to itself be open source, but it isn't.
Matias Capeletto: And it is also how it works in other ecosystems, Rust, Python, like the registry is in a foundation that runs the infra that has open source browser, like the CLI is also open source. So yeah, I wanted to talk a little bit more about what you say about artificially or intentional and it's completely like that. I think that the two things play along because you could have the right moment and you could miss it if you are not intentional about, for example, creating a welcoming space, it could really go wrong and people will not feel like inclined to contribute to something that if not with the right setup and the spaces are well organized. But also, even if you have the right intentions and you create a space as well, if it's not the right time with the right people, it just doesn't work. It happened to us in other projects that we tried, but we have learned over the years, let's say, some ideas that we see working and that we are repeating the things that we learned and we are setting up things in a way that... learning on every time that also the people bring new things, the new people. But when we did Vitest, for example, the first two months with this, Anthony Fu started the project and also I joined it early together with other people from the Vite team and ecosystem, and it was a sponsorware the first two months. It was a private Discord and a private repo. And the idea is that we wanted to do that because it's also very good to work early with people that you trust a lot. And that is very intentional that they are there because they make a step. There is some friction there that allows every message is signaled. There is no noise at all. You don't have to do any moderation and you just can focus on working. And you can expect that every time that someone wants to do something, you can just take it. It's completely different to be working on a community of 20,000 people that is completely open and public and the noise is a lot higher.
You have to really look for the signal there. And so when we open up Vitest, it was already a really polished product and it hit the public in a better way. This is how we work also. We hash out conversation in private with our colleagues, with our friends, with our family, and then we go to the public. It is the same idea. And when we did Elk, we also went private. We had friends in GitHub that gave us enterprise because we also were testing the limit of the private setup, but we open source Elk with around, I think 100 contributors after, again, like two months. And it was, again, really like all invite only. And in that case, it wasn't a sponsorware. Everybody that raised their hand and say, 'I want to contribute,' got an invite. But that friction of somebody raising the hand, instead of just clicking a link of Discord that is open and everybody's just click it by default, it is very important because we knew that everyone that came to the welcome channel, it was someone that really wanted to work with us, that care. And in this case, we did the same. For a while, we didn't mention the name NPMX, even if it was public in GitHub. And even in the readme, we had a link to the Discord, but everybody that joined it was because it discovered the project, give that a step. And we started to open up slowly. First, at one point we decided, okay, let's start talking about NPMX as a name. We didn't put any link for a while. And people were saying, 'Why are you not sharing the link?' And it was intentional. It's this idea of growing the community organically. And now we are 700 people. We discuss it with 700 people, each of them. It's not we as in Daniel and me. It's like as soon as we started the community, it's just picked up and now other people are doing it. Sometimes we, sometimes other people.
Ujjwal Sharma: This is so interesting, right? Because we started out at the simplest sort of factor, which is the pain point, like NPMJS as it is. And then I was thinking about what Daniel had mentioned, like this problem that nearly every maintainer runs into, like getting people to be energetic and sort of come in and find your project. And obviously it can make a huge impact like you being sort of people who are well known, well respected, sort of well connected in these spaces to be there and like welcoming somebody, a first time contributor, it means a lot to a lot of people. But I think what you're talking about now, it's like you have realized like a lot of these amazing, let's say, insights over the years as maintainers and have crafted essentially a handbook, a plan for how to efficiently organize, let's say, like energy around a project or how to mobilize the community really well. And this is so interesting to any maintainer. Have you ever considered putting this down or sort of...
Matias Capeletto: So we talked in podcasts about this or we did the talking at ATmosphereConf 26, Vancouver, some part of it was also about this and you can read also, we launched the alpha, which we were very lucky because Salma is a professional outreacher that's showing the project can help us. We launched it with a web ring of like 26 blog posts from companies, open source project and the community, our alpha launch. And everybody there were talking about different kind of angles about the project, why it worked for them as like maybe the first time contribution, maybe like... And also like Daniel, for example, that he tipped the hat to me and I had to give it back to him because the organization in the repo was really special also. The way Daniel managed to give our mission to merge quickly, but maintain at the same time vision in the sense of like, I am merging something already knowing that maybe in the future I will steer the boat in a direction that makes sense as a product. Because like design by committee also doesn't always go to the right place. So the hand of Daniel there was incredibly important. I decided that I will not code, for example. So it's really like I was not helping in the maintenance of the repo part. So yeah, I don't know. Daniel also talked in his blog post about how it was more important to put the conversation in the idea of having a 10x team instead of like a 10x developer. Maybe it's nice, Daniel. I don't know if you want to talk a little bit about that.
Daniel Roe: It's something that we often want. We want to be a 10x developer, or we idolize people who seem like 10x developers, people who are phenomenally productive, who produce a lot of stuff. And I think at the moment, the current state of play is that it's very easy for developers to produce a lot. That is even more true with LLMs and tools like that, that people are using to create many, many, many lines of code. The mere fact of that should start giving us a little bit of pause. That 10x developer was never the thing to aim for. It was never about being productive, producing lots and lots of code, creating lots and lots of projects. For me, and I think for a lot of other people, the reason I'm in open source is for the people. The whole point is you say, 'Here's something I made. Come, use it. Look at it. What do you think? Do you want to help me make it better?' And it's this sort of sharing relationship, which I think is really what open source means for me. And I just feel like it's not about the 10x developer who can create that. It's about teams and people who work with each other and iterate because there is this, I don't know where it comes from, but there is this idea that the very intelligent person up in the tower creating the perfect thing, bringing it down to the watching world, 'Ha ha, here is the library that will beat all other libraries.' And I just don't think that's borne out in research that actually when people iterate and make mistakes and fix them and go back and come up with new designs and keep working, it looks much less impressive at every stage because it's iterative. Every PR is not as impressive as that single immediate flash of insight when you bring down the tablets from the mountain, but they are overall better. What you produce is a better thing. You go further when you go with people. You produce something that is better at the end of the day and you have a lot more fun doing it.
Ujjwal Sharma: This is a tangent, but like we talked about the community aspect of all of these projects and you've led multiple other projects in different ways. And one aspect was this energy of the community, right? Another thing that we all probably think about is open source monetization and how that is sort of shaping up in this new tech landscape. What are your thoughts or positions on that? And perhaps if you want to say also about like the project itself, like if you have any plans.
Matias Capeletto: Yeah, it is bleak. We have to be completely honest and put it in the table and discuss it because if not, the whole thing that we have constructed in our shared commons is going to fail, and like we need to talk about this and fix it. I think that this podcast has especially touched on this subject several times. It is hard, but I think also we see some positive things moving in the background about how things are working. So first of all, like with all the layoffs and related to AI and everything, like companies have stopped funding a lot of our open source friends. The very small amount that we're given have stopped or like being reduced. And we saw yesterday also that Node can no longer maintain the bounties for like security. That is incredible that we are, like all the companies are gambling at this point because it is their security. Everybody uses Node. And we can talk about theory and say like, yeah, the tragedy of the commons, but I think that the solution to these problems will came from the bottom up, will come from us working together to find a solution. I don't think companies will just wake up one day and create a consortium and start doing better. There are good initiatives. Sentry particularly has done amazing work in that regard. They have a team of open source developers thinking about how to do this. And the Open Source Pledge is a very interesting project. A lot of the companies that we are from or were before participated in this and it's interesting, but still it feels like not enough because it's really not enough. It should be that every company needs to put a lot of money for this to work. And I think that one of the first things that I mentioned to Daniel when we started talking was like, maybe we can help with funding with NPMX. And this is very interesting because funding is also about surfacing information, making it visible how bad things are so other people can see and actually take action.
If they see that something is about to be on fire, somebody will put it up. At least I have the feeling that this is the case. And we are doing a very bad job as an industry in surfacing information. If you see, you go to GitHub sponsors and like the button to give money that is like the biggest one in my case, like if I'm an independent open source developer side, to get like this $500, it's below the fold. Who is going to see that? We know how to do websites that convert. Nobody will click that button. And if someone click a button, you go to another screen and you need to click another button. And then when you click that button, there is a dialogue that say, 'Are you sure you want to give this money?' There is a big cancel button there. We know how to do commerce. This doesn't work. There is so many step where you can fall as a... So I think we can do better. We know how to do websites that convert, that are accessible. It could be like if there is someone sharing in social their GitHub sponsor, there should be a button right there that you click and you just give $5. And there is an undo toast on the bottom, like when you send an email that say undo. That is frictionless. Imagine how much money people that like someone that they say will give if one post goes semi-viral about wanting to sponsor. This is the kind of flow that I think that we can work on, but this is still obviously not enough. At one point, big companies need to put big money and there are like several things there. In particular with Daniel and other people in NPMX, we will like NPMX to end up in a foundation because we think that if a company takes over the project, it will be just another product. And that's the feeling. We will love, there are a lot of interesting ideas from NPMX that if you put it on a kind of like a SOC 2 wrapper, private teams, you can really monetize this thing. 
So maybe there are companies that will appear maybe from people around the project, if they want to do a cooperative like Igalia, or if they want to do something, I will hope they will do something interesting and not just like raise millions and do something exponential. Because also at the same time, I think that with NPMX, the main idea is let's do a website that we look back in 20 years and it's still there. And incrementally it has gotten better and bigger and like the community has continued to grow and we get a website that is there, it's sustainable. But we need money for that also because as it grows, it will be really good if we can pay part-time or full-time to some of the core people that work in there so they can spend proper time. As the project grows, there is like security needs to get better. And we are working towards all that, but everything takes time and everything take a lot of energy and people need to eat and maintain their families. And if they can avoid another job to be able to do this, it will help a lot for the project to grow. So as a foundation, we could start to get some money and I think there is an interesting story. For example, Europe has money to give for data sovereignty. There are like very interesting projects in that regard. And as part of this project, we are trying... We don't want to run infra ourselves. So if you see like we are a browser for the NPM registry and Microsoft is running the infra securely, we are not. And we want to connect to other developers tools. So maybe we can browse some GitHub information later, maybe like social information and we are not running the infra of like the repos. It's just browsing them, but we still need to generate some data for our users. And for doing that, the best technology we found is like using AT Proto that connects our domain identity to a PDS that we decide where it is.
And for these to do frictionless, we are running our own PDS in Nuremberg, in Germany, in a Hetzner server, and we are already around 500 people in that PDS. We move from the PDS of US that like the Bluesky has there and we move it. It's very painless move, or everything keeps working. And there is a very interesting story I seen about data sovereign there. A lot of the people working in the project are European, so it makes sense for the PDS to be there. And we are in contact with other foundations that wants to, for example, push for AT Proto development, like faster development. And yeah, that could be a way to have maybe a good grant that will allow us to... Allow more people if they want to spend their time, but without thinking about how to put food in the table.
Brian Kardell: I'm really glad that you mentioned the AT Proto thing because I was just thinking that if you're listening to this and you don't really know about NPMX, what you know so far is like it's a website, a better NPMJS but with dark mode, and now AT Proto is involved. So I was hoping like, yeah, great, this is perfect way to segue into... I think it's not just what we just said, it's more than that. There are social features that are like interesting warnings and tips and things that pop up. I would like to hear you talk about maybe what are some of your... you think are the most interesting things or your favorite things, maybe even things that you were like, 'I really didn't see that coming and somebody brought it to the table and it's really cool and I like it.'
Daniel Roe: Yeah, sure. I think there are a lot of things that I like and it's not just the dark mode. Actually, initially it was only dark. There was no user choice. It was dark. That was the theme. And then someone added the support. So one of the things that I haven't mentioned is that you can admin your packages through it. You can even publish a new one if you want to claim a package name through the website, through some dark magic. We have a little connector CLI that you run on your computer that proxies commands from the website to your local NPM CLI. So you can actually register a package when you're browsing the website if you want to.
Brian Kardell: It's not a package manager. It's like assistant to the package manager.
Daniel Roe: Exactly. And so you can do things like... Because one of the things that most frustrated me within npmjs.com was actually not the package browsing, it was the admin interface. So I would, for example, in Nuxt, we have lots and lots of teams who all have access to the org. And the teams are, you are paginated, you browse through them, but they're not alphabetized. So you have no idea which page a team is on. So you're trying to find this team and there's no other thing to do other than click one, two, three, four, five, six, seven. It's so frustrating. So it does a lot of things on the admin and there's a lot more that we can do on that as well. Like batching. You can do things a lot faster than you can otherwise. And with the new release of the npm trust command, we can also hopefully soon ship support for managing trusted publishing for people, which is a particularly tricky thing to get set up right in the first place. That was the thing I thought I was going to be most excited about, but I think the thing that has turned out, one of the best things that's happened is the integration with e18e. So if you haven't come across e18e, listening, it's an ecosystem cleanup initiative aimed at surfacing information about packages that many of which are not needed anymore. So we've come a long way since the start of NPM. And there are a lot of packages still in the registry that were designed for a node 0.4 in a day when we just didn't have the language features that we have now. And they're weirdly, many of them are still in our dependency trees. So when you're browsing NPMX, you'll see a lot of the information. So we will tell you, this actually isn't coming from e18e, but we'll tell you the total install size of a package, not just its size, but the size of every package that it depends on and every package that they depend on. We'll surface things like vulnerability reports, not just in that package, but in its dependency tree. 
We'll surface things like, was there a recent change in this install size? Did it recently become much bigger? We'll surface things like it used to be published using trusted publishing, but isn't anymore. That can, for example, be indicative of an attack. So if you had looked at the Axios package, recently was taken over, was published by a malicious actor. If you were to take a look at that, they didn't publish it with trusted publishing and you would have been warned by NPMX because of that. But there are also other things from the e18e dataset like this package might not be needed. This is built into Node now. If you're using a recent version of Node, you can just use that. And this has been, I think, one of my favorite features, even if it's also been a little bit controversial.
Ujjwal Sharma: This is such an interesting moment to talk about e18e. You mentioned it briefly. We had talked earlier about this ongoing trend as well as sort of energetic, let's say, community effort behind better tools. How does e18e tie into all of this that people can maybe observe or have some vague clue about, but they don't know what's actually going on behind the scenes?
Matias Capeletto: So I think that that is also a quite interesting story. James Garbutt, I think is the surname. The handle is like five random numbers he chooses that is very hard to type. So you will see it as this. So he was working on this for a long while of like this idea of having this model replacement that you have a library and then what is the thing that you have to replace it with? Or like, it's already Node, so it shows you what is the diff that you have to do. Or it's already in a web platform for a client library. And he was going to, he has an issue tracker where he will put a lot of different issues of like what we could do and focusing on the top libraries like Chokidar or like all these libraries that you could have a massive impact. If you modify this, this is used by Vite. This is used by all these projects that you have the size and then you will actually do the count. And it's amazing. The saved traffic is just like incredible. And so he was working alone and it happened, again, it was very community thing that he was trying and he was being social and trying to get people involved, but it was hard. And at the right time it happened that also we met with this group of people because he was also like in the Vite ecosystem. So with Anthony Fu, with John Lu and like other people, we created a Discord and we created this round table of people discussing about the same topic. And he's starting to lead that project and like so many people joined. We were lucky in the sense of like there was some controversy, very big controversy about like a library where a maintainer joined and started to adopt a lot of libraries. The dependency tree got huge just to support this like Node 0.4 version. And like this was used by the Svelte ecosystem and the Svelte maintainers got very mad at this moment and tried to say like, 'Yeah, you cannot do that in a patch. It cannot be that a library that has zero dependencies now will have like 100 to 1.'
And there was like a very long discussion and like because of all this, we made the public just that time and we already have been working a little bit in the background and we made it public and then a lot of people joined. And the community has exploded there. And it's a very different community from one that is building a product because it's all these people that really care about performance, but it's amazing. If you care about performance in the web really recommend joining this Discord. Even if you're not going to work, like just open it in the morning and see people showing the PRs that are showing how all the dependencies in your tree are getting half in size or are getting faster. And it's a beautiful way to start the day and it's incredible how they have worked. Now this issue tracker is like working very well. This model replacement is huge and it's a huge database that we can help with NPMX surface. James is a core team member of NPMX too, and he's also helped a lot. And this relationship between NPMX and e18e is helping both projects.
Brian Kardell: So you mentioned AT Proto, are you doing anything with like social integration?
Daniel Roe: So yes. So we wanted to add the ability for people to like packages so that this wouldn't just be a pure information site, but would have a human aspect to it. And so as we thought about how to implement that, we figured out we didn't want to re-implement a social network with accounts and following other people and all of that. But thankfully there is the AT Protocol or AT Proto and it is an open format for owning your own data and then connecting that data to other people's data, basically, a graph based protocol. So its most prominent user is called Bluesky, which is an alternative to Twitter, but originally started by Twitter with the task of figuring out the protocol to build the next Twitter. That was the sort of task and this came out of it and now it's obviously a very separate company. And so Bluesky is just an example. So you could build anything with AT Proto. The things that I like most about it are that data lives for each individual in something that they own and control. So most people, we talked about a PDS earlier, a personal data server. Most people, if they start with Bluesky, they would have a personal data server that Bluesky hosts for them for free. If they start with NPMX, they'll have ours that we host for them for free, but they can also create their own or use private hosting. But the point is that everything I do on AT Proto lives there. So that's my social media posts and the people that I follow. It's also maybe my blog posts. It's also, I use something called teal.fm to track my music listens. Those also live in my own data server. It's like last.fm, but decentralized. And the great thing is if any of those services go away, that backend remains with me. It's a little bit like the pod-based approach that Tim Berners-Lee was proposing a few years ago where we don't have to implement storing the data of which packages they like. All we have to do is have permission to add a record to their data store. So we do.
You write a little record saying, 'This person likes this package.' And it's really only the start. So we have some big plans for what we're going to be able to do with AT Proto in future, but right now it was pretty much a one-click add social network to the site, which made implementing the feature really a dream.
Brian Kardell: I want to tie a whole bunch of these things that we were talking to back together to ask you a question. People just go on NPM and they have a problem. They're like, 'Let me search. Well, this has a lot of stars. That's the proxy for trust. Or this is made by Facebook. So that's the proxy for trust,' right? Why do you trust the software that you put on your computer and all that kind of stuff? So in the W3C, one of the things that is core there is this idea of wide review. And so you want to know that something is accessible. You want to know that something has thought toward internationalization. Is it good for privacy? Is it good for security? There are different kinds of areas that you want to think about these things. And a thing that I always have thought is that given the kind of communal nature of software, I want other proxies for trust, like people that I know who... I want to know if I find an NPM module that's like a custom element that... How do I know that this is thoughtfully designed with accessibility in mind, that it's thoughtfully designed? How do I know? And in a lot of industries, if you make something that's like electronic, there are certifications that you get on those things. And I wonder if the whole AT Proto social integration opens a new ability for us to think about the model of trust and how we bubble things up that might even be, I don't know, maybe even new revenue models for certain people because they are experts.
Daniel Roe: I've always thought that the best feature... well, one of the best features of GitHub is the social feed. So I, particularly as a new developer finding out what was going on, seeing people that I knew or following starring some new repo gave me the idea that I was following their journey. They were discovering something or exploring something. They were learning. They were coming across and I could see the stars come down or you could see releases. It told a story and it is social. It is absolutely social. And that's where the trust comes in too. And I would really, really like to see us surface more of that in NPMX because we're talking about moving beyond packages, if I'm allowed to say. Should I say that, Matias? So we're talking about moving beyond packages to group them in projects. So imagine the Svelte project or the Nuxt project. These are bigger organizations. They have multiple packages in them and they have things like releases and contributors and maintainers, which aren't just about the registry, they're about an ecosystem. And looking at that ecosystem and the activity in that ecosystem is I think one of the big ways we assess health. And I think we have an opportunity to surface some of that on NPMX, for example, and start connecting the dots. Because I think if NPMX is about anything, it's about connecting the dots. And yes, I think that kind of network web of trust is absolutely there. And I think it would be very interesting to start thinking about how the social graph of, 'I follow you on Bluesky and here are some packages that you're contributing to.' Right now, there's no way of knowing that, right? There's no obvious... That connection isn't there. The personal connection on the one hand, and then the NPM registry or Git sort of release history, those are totally separate worlds. Why not bring them together?
Matias Capeletto: I think it's also very interesting about how we are missing a piece in the web that is identity, like having a proper identity that you can actually... The trust that you develop using something, some website, it leaks into all your other activities. And this is something that is extremely important when talking about a graph of... My social activity should be... I want to be the same that I'm chatting and I'm here talking to you and I'm collaborating with others in a repo or an issue or in the standards or all these things, it will help a lot if we could have that identity. And at least in our website, that thing is starting to happen because we are gluing different kinds of services and letting you log into your services to do admin. And we can have this idea of AT Proto also of piggybacking into the DNS and our domain is our identity and we're websites is extremely interesting. We all have our personal one, or if not, you can use a service that will give you a pseudonym on one of them. And it's a very powerful idea. And there is a very good step that happened this last weekend about moving to Switzerland, the equivalent of DNS that Bluesky had internally. So it's getting more decentralized with a proper board. And I think it's extremely interesting. And this idea of surfacing information is extremely important for trust. And we are not... npmjs.com is not doing a good job in that in the sense of the most important part when you are choosing a dependency is knowing that you are not choosing code, you're not choosing a snapshot. Code is really cheap more now in these times. What you're choosing is what are the people, you're trusting people, their governance model, their processes, the history, the previous history that allowed you to trust the future. And this is what you are getting into, how they are going to manage breaking changes, are they respecting SemVer? And we can surface all that information.
So there are interesting things that we can start surfacing to better map the reality of doing open source. That is not about the source. It is about the people and the teams and the projects.
Brian Kardell: This is so interesting. I hope that nobody was too surprised or too offended that I hadn't heard of NPMX before somebody brought it, but I'm so glad they did because it is really, really cool. And I'm glad that you both were able to come on. I really have enjoyed our conversation. Before we get off here, where can people follow you, learn about you, give you money?
Daniel Roe: Well, probably the best place to find me is on Bluesky. I also have a website, so danielroe.dev is my Bluesky handle and roe.dev is my website. And I'm really happy if anyone wants to message me to do anything I can help.
Brian Kardell: That's R-O-E.
Daniel Roe: R-O-E. And if you want to chat with me, I have a page on roe.dev/chat where you can book a 10-minute meeting. If there's any way I can help, I'm happy to do that. It has been such a pleasure to be on. Honestly, thank you very much for inviting us.
Matias Capeletto: Yeah. And also the best place is Bluesky and patak.cat, Patak with a K. I just moved it to the .cat and broke all the links. This is why we need a better identity online. Everything GitHub is broken now. And also because I moved it to cat, there are people helping me to translate my blog post to Catalan. It will be English Catalan, my blog post from now on. It's very cool. Also I wanted to say, if you want to build with us, the best place is to go to build.npmx.dev and say hi there in the welcome channel, we are going to say hi to you. Just answer us. And yeah, there is a lot... The thing that we talked here is so open-ended. There's so much to do, so many possibilities. It touches so many other projects. If you don't want to build the project with us, but want to collaborate at the level of like there is another open source project, for sure there will be things. Just one thing to end, we took a one-week vacation. We closed Discord for a week and we are going to try to work with others to take a one-week vacation between many open source projects in July, because this is another thing that we should focus on, health of open source developers. There's a lot of people that are burned out. Funding is a bigger story there too. And if you want to give money, go to our Open Collective in NPMX and yeah, that is good. If you resonate and you have the money and want to see this happen, that is also a good way. And thanks a lot also. As I say, big fan of the show. It's amazing to be able to be here with you.