JSR arguably does what npm should. It is innovative and compelling, but it raises a lot of questions you should consider.
JSR is a package registry competing with npm. It appears to be out of beta and open for everyone. It has some distinguishing features:
- Auto-generates .d.ts files
- Auto-generates an ESM bundle
- Shows runtime and browser compatibility
Innovative for sure, but here are some reasons you might want to stay away.
- The uptime is unproven. Will JSR become another point of failure for your deploys?
- The security is unproven. Is JSR another supply-chain weakness? I don’t see a security information page or any indication of SOC 2 certification. And will the security community participate? For example, will Snyk maintain a list of vulnerabilities?
- JSR may die or become irrelevant. What happens when npm matches all of JSR’s features? Would it be hard? Probably not.