
In a surprising move, the popular open source project, SheetJS aka "xlsx," has dropped support for the npm registry.

Downloaded about 1.4 million times weekly on npm, SheetJS is relied upon by NodeJS developers looking to craft and parse Excel spreadsheets using nothing but JavaScript.

The project's maintainer suggests that the decision to pull out of the npm registry is based on the newly introduced two-factor requirements for top projects, GitHub's abrupt decision-making, and ongoing 'legal matters' between SheetJS and npm.

SheetJS moves away from npm registry

On April 14th, the maintainer of SheetJS introduced a code change removing every npm dependency used by the project.

Any URL references to npm's domains within the SheetJS source code were also updated to point at the SheetJS CDN, as seen by BleepingComputer.

Future versions of SheetJS are expected to be released on its CDN, cdn.sheetjs.com, rather than the npmjs registry.

SheetJS (aka xlsx) is among the "top 500 packages" based on the number of components that depend on this library.

Note, the 'sheetjs' npm package is a mere placeholder reserved by SheetJS, whereas the official SheetJS npm library lives at 'xlsx':

[Image: SheetJS project, distributed on the npm registry as 'xlsx' (npm)]

From 2FA requirement to pending 'legal matters'

This move by SheetJS has left developers confused; they opened a discussion thread on the project's GitHub repository questioning the motive.

The developer behind SheetJS cites a number of reasons behind shying away from npm, including the registry's decision to force maintainers of top open source projects into two-factor authentication.

[Image: SheetJS' developer now required to set up 2FA by npm (GitHub)]

GitHub's initiative for enforcing multi-factor authentication (MFA) arrived shortly after last year's hijacking incidents that hit famous npm packages like ua-parser-js, coa and rc.

These npm libraries, relied on by thousands of projects and companies, were tainted with malware in 2021 after attackers compromised the npm accounts of their maintainers.

As such, the GitHub-owned npm registry announced earlier this year that developers of the top 100 npm packages will be required to set up two-factor authentication to step up the security of their projects, with similar rules introduced for projects meeting other criteria. SheetJS apparently falls within those criteria and must set up MFA, leaving the maintainer displeased.

Another reason cited by SheetJS is its pending "legal matters" with npm. 

"Due to ongoing legal matters between SheetJS LLC and npm, Inc. (which will not be discussed here), it did not make sense to continue using the public npm registry for distribution," states the SheetJS developer.

Lastly, SheetJS vaguely states that GitHub's decision to shut down its git.io URL redirection service with just four days of notice had echoes of "the ephemerality of the Internet and the inherent risks of relying on platforms."

All of these reasons have caused much confusion among developers, who are now speculating about what the real reason behind ditching npm might be.

"Top 500 NPM package list, 1.26 million downloads a week, over 3000 dependent packages and not even a mention in the README regarding the fact ongoing development for this package won't exist any longer in the single largest JS library platform on the planet (after 8 years)," commented Clay Levering, director of product engineering at Blu Digital Group.

Some called SheetJS' reasons "bizarre," while others supported that open source maintainers were free to do whatever they wanted to with their creations, but there might be caveats.

"Maintainers of OSS projects don't owe people anything, of course, but all I can say is you shouldn't be surprised when people (including your paying customers) look at this whole thing and decide to either fork the project or switch to a competing library not maintained by someone who makes decisions like this," wrote developer Lynn Romich in the same thread.

"Because npm is statistically way more likely to exist 5 years from now than your personal CDN," continued Romich.

A Reddit user surmises that SheetJS' bold decision may have to do with nothing other than pending litigation between the two parties.

"My guess is that they don't want to invest a penny of their developer's time into helping a company (npm) that they have a lawsuit going with," writes the user.

Redditors also became polarized on whether mandatory two-factor authentication imposes additional hurdles for developers and if, at the end of the day, the trade-off between security and convenience is justified.

BleepingComputer has reached out to GitHub (npm) and SheetJS to better understand what the legal matters entail. At this time, we have not come across any public litigation documents. This post will be updated once we have more information.
