An attack on publisher freedom

and the power abuse by npm Inc.

Arnout Kazemier
6 min readFeb 26, 2014

When you are working with Node.js you are probably also working with npm, the package manager that is shipped in with the node distribution. The npm Registry is where we, as Open Source developers release all our modules for people to use freely. We enjoy sharing the fruits of our labour and like to give back to community. But releasing your code isn’t that easy. There are already more than 60.000 Open Source packages in The npm Registry so you’re lucky to find a module name that fits the use case of your module as a lot of good names are already taken.


I’ve have recently started working on a new Open Source module for The npm Registry. This module is an alternate and in my opinion a better API for The npm Registry. If you want to communicate with The npm Registry you could either use CouchDB directly or use the exposed API that is rewritten by CouchDB. The main reason for writing a competitor to the npm-registry-client module was that I wanted something more sane (for my tastes anyway) while working with the data that is available in The npm Registry. So I packed it with features that I needed to work with npm so it’s highly opinionated and exposes a completely different but in my opinion more readable API and it ensures a stable normalised data structure for all returned results.

Once I implemented the most core functionality I was ready to release it to The npm Registry so other developers could use the fruits of my labour to build amazing applications and modules on top of it. But it needed a name. I’ve always been fan of simplicity, I prefer one word names over multiple-words-to-describe-a-module. This makes it easier for people to remember the name and results in smaller and more human readable code. So after a search for various of keywords I found out that the module name npmjs was still available in the registry. In the four years that the registry existed nobody took the effort in registering it. This module was and is a perfect fit for my module as interacts with the registry that is accessible on So I released this module and all was well and started implementing the module into various of personal as well as work related projects.

Confusing confusion

On the 22th I received an email from Isaac, the CEO of npm Inc (which recently raised more than 2M in funding for his company) and creator of npm with a question:

Subject: “npmjs” package on npm registry

Can you please choose another name for this module? It’s extremely confusing.

Isaac states that the name npmjs is extremely confusing. I failed to understand how this simple module has became extremely confusing after releasing it.

The name, npmjs was unregistered, unused and unnoticed for the last four years. Not for a week, no, for a staggering four years. If there was confusing about installing npm vs npmjs for users it would have surely be noticed within these years. A quick search of the Github repository showed that nobody has ever reported this nor did I find any references or shout outs on twitter about so said extreme confusing that this module was causing because there simply isn’t any confusion.

I did not do any name squatting, it was legitimate module with an appropriate name. The README and package.json of my module all clearly stated this it was an alternate npm registry client. In addition to that there were already modules in The npm Registry that also used npm and npmjs in their names and description. So I replied to Isaac with this information, stating that I did not see a reason to change the name because the NEVER was any confusing about the name:

Hello Isaac,
I personally don’t see the problem here. The name was unregistered in the registry so I assumed that has been unused for the last four years that the npm registry has existed. If it was confusing before in these previous, I’m pretty sure someone would have registered that module before for the obvious reasons.

It’s an appropriate name for the module as well as it’s an alternative api client as clearly stated in the module’s description and it will be actively maintained and implemented as a base for various of npm related modules that I’m currently or will be writing in the near future. I think that this will boost the npm eco system in a good way as it will be easier to write modules that hit the various of npm endpoints.

So with this all in mind I won’t be changing the modules name because there simply isn’t any reason for it to do so.
Kind regards,

Infringing on what?

Within a couple of hours I received a reply from Isaac.

You’re using a name that is the intellectual property of someone else. Even if it wasn’t my mark you were using in a confusing manner, as an admin of the public npm registry, I’d call that bad behaviour at least.
I’m not requesting. This isn’t a negotiation. I’m informing you that the “npmjs” module will be deleted from the registry.
Please pick a new name that more clearly describes what this module is, and doesn’t imply affiliation between you and npm.
Thank you.

As far as I was aware the name npmjs was never protected. The registry is called The npm Registry. Not npmjs, not The npmjs Registry. The only thing that my module name had in common was the domain name and as far as I know, a domain name isn’t considered an intellectual property.

The most disrupting thing about this email is that Isaac states that me using npmjs in my module name is something that he sees as bad behaviour. How is it bad behaviour that I spend my own personal time writing a completely new module that interacts with your API for free and release it as Open Source to boost your ecosystem so it’s easier to other authors to work with your service. I would be flattered if someone took their time to write and release code that used my service.

It didn’t even matter what how right or wrong I was for using npmjs as a module name Isaac had clearly already decided to destroy the module as he stated there wasn’t any negotiation and that it would be deleted no matter what.

Coincidence?! I think not!

I wondered if he could just simply delete modules from The npm Registry at his own choosing. I couldn’t remember reading this the legal information of npm. The reason that I didn’t remember it is because Isaac changed the legal information to include:

Any data published to The npm Registry (including user account information) may be removed or modified at the sole discretion of the npm server administrators.

This change was added on the 17th, just a couple of days before he send me an email. Coincidence? I think not!

He said that I needed to choose a new name for this module that doesn’t imply any affiliation with npm. So this basically means I had to describe my in such a way that it doesn’t use npm or npmjs as they both clearly assume affiliation according to Isaac. And this is just something that I refuse to do.

Instantly deleted

The final blow for me was when I found out that during the weekend and just hours after our last contact it was deleted! There never was any notice of a date when I could have expected my module to be removed from The npm Registry. It was simply instantly removed.

Even if the module was to be removed without debate, doing so without notice caused all the modules that were using my module to break. This forced me to work during the weekend to fix the (now) broken code and their dependent deployments. This was time I would had spend with my family and kids instead. Time that I would have had if I had gotten even a little personal consideration or empathy from Isaac.

The message that Isaac and npm Inc. sends with this is clear to me. We do not give a fuck about our module authors and the modules they release in our registry. And we will delete your module without giving you time to update your code as we simply do not care.



Arnout Kazemier

Founder of, Lead Software Engineer at Nodejitsu and passioned open source developer.