npm is a helper tool to download JavaScript modules primarily used with Node.js.
As such it is a domain-specific package manager, which potentially involves nonfree code - and is outside the control of PureOS.
FSF guidelines for systems explicitly forbids to "steer users towards obtaining any nonfree information for practical use, or encourage them to do so [and should not] refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow."
The package should be blocked from getting included from Debian into PureOS.
The following packages reverse build-depnds on npm and should be blocked as well:
- npm2deb
- node-getpass
- node-http-signature
- node-sshpk
- node-npmrc
- ruby-license-finder
Possibly some of above can be forked to avoid problematic (build-)dependencies, but let's track such opportunities as separate issues.