Q: is the npm registry still open source?
A: no. npm, inc is now an intergalactic feudal empire
he who controls the spice controls the universe
Centralized services require vast resources and complicated architectures to scale, and the more internal services are necessary to run a piece of infrastructure, the less value there is in keeping the code open because it becomes harder and harder for other people to run it themselves to make modifications, as that issue discusses. The difficulty of replication for this scaled-up infrastructure, exclusive control over deeding of property rights for the namespace, and network effects conspire to create barriers to entry which are defensible by design.
These are the ingredients of a successful business and hopefully a long-lived service as a result (because we need npm right now to incubate decentralized alternatives), but we can take this example as illustrative for how power dynamics are embedded in computer architectures. If we want a more egalitarian, communitarian internet, we'll need to bake those features in from the beginning in such a way that we don't end up back where we've started from. We should fail in new, interesting ways or else succeed in building a future that doesn't need us.
I say store modules as ssb blobs and then figure out how to clone them back up from scuttlebot in an effective way.
Right now I have an 'ipm' shell script in my site repos for front-end dependencies that clone from git-ssb. Next step, blob all node_modules.