You can see all the compiled code when you download the npm package https://www.npmjs.com/package/@shopify/app-bridge.
You are even given links to the github page and are reading the readme.
It also has contribution guidelines, but the repo itself is private.
I'd be curious what is being guarded by keeping this private? Is it just PR discussions and the like, or something else?
I can't speak for Shopify and the exact reasons why they're keeping AppBridge sources private for now, but if you follow some of their dev discussions on GH issues you'll find they're considering some changes around AppBridge which to me suggests it's still not ready for releasing sources. Likewise, there have been issues with AppBridge because it still doesn't have feature parity with former EASDK. It just doesn't feel complete so it wouldn't surprise me if that's one of the reasons they're still keeping the repo private until they're happy with it.
Same can be said of a few other packages such as @Klarna/sewing-kit. I believe they'll release sources eventually.
It's quite common for companies to develop that way because expectations of their user base is quite different to that of regular open source users. Even though they'd open source it, users would expect support.
"Hey Shopify, you made so and so and it isn't working, how do I use it? Please help! Hello, why no reply? Any examples? Please provide full solution! I like AppBridge but can you give me a PHP example (oooh, my favourite type)"
If the package isn't ready, they'd flood them with questions and complaints and that would have a number of unpleasant side effects that a company cannot brush off as easily as an independent OSS dev can "Feel free to make a PR and stop complaining, I don't work for you" ;-)
Just my 2c. Best wishes!
|an hour ago|