npm allows specifying the registry you want to use when resolving packages. This can be programmatically setup via an
.npmrc dot file, or via the npm command line directly.
This is neat as it allows large-sized companies to run their own internal registry, as can ‘little people’ like us.
Verdaccio is a very neat piece of software. It even has experimental support for access tokens to access the registry using automated tools or in non-interactive processes. In its v5 release, this will come out of experimental stage.
For packages it does not find on its own index, it redirects those requests to npm’s public registry. This means even with no packages uploaded on your own registry instance, it is a drop-in replacement for most users!
Unfortunately, npm only allows specifying a registry for all packages in a given repository. This makes the current design a misfit for decentralization. Could they do it in the future if they wanted? Probably.
Verdaccio cannot solve this problem, at least not in any elegant manner. It works as long as some of your dependencies come from a single author who has hosted a Verdaccio instance for their packages — and then you fall back on npmjs.com for the remainder of your dependencies. You cannot have packages being consumed from two, or three (and so on) Verdaccio instances.
Some core contributors to the npm project, including a former CTO, did begin work on Entropic, but the last meaningful commits were in July 2019, and the progress since then has slowed to a crawl — prompting the commonplace “Is this project dead?” issue.
It doesn’t help there aren’t many backers on their OpenCollective. I wish I could help or contribute financially, but here we are.
Technical possibilities/imagination aside… when people and companies rely on node packages for their software, security is of particular interest. If PHP’s git servers were not immune to this… is decentralization of packages a viable idea at all at large?
What are your thoughts on a decentralized package registry?