Sep 06, 2019

Officially blocked: npm bans packages from showing ads in your terminal

Last week, the popular JavaScript library Standard began showing ads in the terminal from sponsors such as Linode and LogRocket. Other open source packages occasionally display donation requests after installation, but Standard was the first JavaScript package to display ads from third parties directly inside the terminal. Standard used another npm package, Funding, which provided a platform for open source packages to integrate ads to fund their projects.

The backlash from developers against Standard was swift and unfavorable. Both sponsors, Linode and LogRocket, backed out of the program after negative responses from the development community. Standard promptly removed the ads from its library and ceased development of Funding, its terminal advertising platform. Now, npm, Inc, the team behind the npm ecosystem and registry, is moving to officially ban the practice in the future.

npm, Inc updated its official policies about commercial content to restrict ads in packages. Packages can no longer display ads at runtime, installation, or any other part of the software development process. Furthermore, while packages with code that can be used to display ads are acceptable, those packages cannot display ads to the developers using them.

As the registry has grown in size and popularity, its role in the development world and its importance in the software supply chain has come under increasing scrutiny. To allay concerns, npm, Inc is actively working to standardize the packages that are hosted on its public registry. Following the most recent advertising debacle, the npm team is in the process of standardizing CLI post-install scripts, which should formalize rules about donation requests, advertisements, and any other terminal messaging. The npm team has also strengthened its policies around security and package ownership, working to prevent package hijacking and protect libraries that are exceptionally critical to the development ecosystem.

The npm ecosystem has largely been reactive to new and unforeseen threats and changes. As software continues to fragment across reusable libraries and modules, npm will likely be a trailblazer in answering complex ethical quandaries. For now, comprehensive rules around terminal advertising are a positive step.
