Should I use JSR? The answer might be no.

Published: at 10:23 PM

JSR arguably does what npm should. It is innovative and compelling, but it raises a lot of questions you should consider.

JSR is a package registry competing with npm. It appears to be out of beta and open for everyone. It has some distinguishing features:

  1. Auto-generates .d.ts files
  2. Auto-generates an ESM bundle
  3. Shows runtime and browser compatibility

Innovative for sure, but here are some reasons you might want to stay away.

  1. The uptime is unproven. Will JSR become another point of failure for your deploys?
  2. The security is unproven. Is JSR another supply-chain weakness? I don’t see a security information page or any indication of SOC2 certification. And will the security community participate? For example, will Snyk maintain a list of vulnerabilities?
  3. JSR may die or become irrelevant. What happens when npm matches all of JSR’s features? Would it be hard? Probably not.