I would like to start with saying this is categorically untrue. The source is 100% available on GitHub and – as per the SPDX license list and the Open-Source Initiative – their license is technically open-source compatible.
npm itself does not have open-governance which is an entirely different matter.
Addressing some of your other points:
JS Foundation
The JS Foundation will no longer exist after the merger into the OpenJS Foundation is finalized. The discussion has been about the OpenJS Foundation.
contingency plans should the company sell to a bad actor
This line of discussion is – in my opinion – sensationalist, intentionally meant to scare people. It's based on context that was derived from an understanding that only a few people have from some investigation they did ~3 years ago that doesn't hold up in today's state of the world. It's just as much a possibility as npm finding critical success with npmE and personal accounts and eventually IPOing.
Addressing your questions:
Was npm always a for-profit company or did it start open source and eventually incorporate?
npm was started as an open-source project, but as it turns out maintaining a registry of tens of thousands of modules can't be done for free. To keep the registry up it needed to be funded somehow.
How did Node.js decide to partner and ship with npm?
This was an early decision (~0.1? ~0.2?) and is honestly (IMO) the reason that Node.js, npm, and JavaScript are as successful and widespread as they are today.
I would like to start with saying this is categorically untrue. The source is 100% available on GitHub and – as per the SPDX license list and the Open-Source Initiative – their license is technically open-source compatible.
npm itself does not have open-governance which is an entirely different matter.
Addressing some of your other points:
The JS Foundation will no longer exist after the merger into the OpenJS Foundation is finalized. The discussion has been about the OpenJS Foundation.
This line of discussion is – in my opinion – sensationalist, intentionally meant to scare people. It's based on context that was derived from an understanding that only a few people have from some investigation they did ~3 years ago that doesn't hold up in today's state of the world. It's just as much a possibility as npm finding critical success with npmE and personal accounts and eventually IPOing.
Addressing your questions:
npm was started as an open-source project, but as it turns out maintaining a registry of tens of thousands of modules can't be done for free. To keep the registry up it needed to be funded somehow.
This was an early decision (~0.1? ~0.2?) and is honestly (IMO) the reason that Node.js, npm, and JavaScript are as successful and widespread as they are today.
The open source claim is only partially true--the cli is open source, but the actual registry is not.