Microsoft Corp.’s GitHub subsidiary today said that it has agreed to acquire npm Inc., a startup with a central role in the open-source software community and a user base of about 12 million developers.

The terms of the acquisition were not disclosed. Npm has raised at least $8 million in funding from investors including Bessemer Venture Partners.

Oakland, California-based npm maintains the free npm package registry, where developers host 1.3 million software packages written in JavaScript. JavaScript is the world’s most popular programming language and serves the foundation of practically every modern website. The packages on the npm registry, in turn, are downloaded about 75 billion times a month.

The deal will further strengthen GitHub’s position in the software ecosystem. The Microsoft unit, whose platform is already the largest open-source code repository in the world, is now taking stewardship of the world’s largest package registry.

“Our commitment to that community is to keep the npm registry free for open source development for the foreseeable future, and continue to improve the npm CLI,” npm Chief Executive Officer Isaac Schlueter wrote in a blog post. “At GitHub, npm will have the added support and backing of one of the world’s largest companies.”

GitHub CEO Nat Friedman reaffirmed the commitment to keep maintaining the npm registry in a blog post of his own. The executive also shared details about the technical roadmap going forward.

“Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it,” Friedman wrote. He added that GitHub will make the “investments necessary to ensure that npm is fast, reliable and scalable.”

On top of maintaining the free registry, npm provides commercial versions of the service that are used by companies to manage components of their internal JavaScript projects. GitHub plans to support users of the paid versions but will introduce the option to migrate to the competing GitHub Packages offering it debuted last year.

The launch of GitHub Packages apparently played a role in the acquisition. “When I saw the GitHub Packages beta announcement and demo at GitHub HQ in San Francisco, I remember turning to [GitHub Senior Vice President of Product] Shanku Niyogi and clumsily blurting out, ‘Why aren’t you trying to buy us?’” npm’s Schlueter wrote.

Npm is GitHub’s third acquisition in recent quarters. It previously bought Semmle Inc., the maker of a tool for finding security vulnerabilities in code, and earlier picked up Pull Panda Inc. for its development automation software. 

Image: GitHub