
npm

npm is a package manager for JavaScript included with Node.js.

Tobias Bieniek mainmatter.com

node_modules: How one character saved 50 GB of disk space

Tobias Bieniek:

Have you ever worked with JavaScript? Have you been annoyed by the three hundred copies of left-pad in all of the node_modules folders on your disk? Would you prefer if all of your projects shared their node_modules folders instead of each getting their own copy?

The single character that saved him all that space? The p in pnpm…

npm github.com

Wireit upgrades your npm scripts to make them smarter and more efficient

This is alpha software, but it seems pretty low risk to give it a try.

Wireit works with npm run, it doesn’t replace it. To configure an NPM script for Wireit, move the command into a new wireit section of your package.json, and replace the original script with the wireit command.

Now when you run npm run build, Wireit upgrades the script to be smarter and more efficient.

Changelog Interviews Changelog Interviews #482

Securing the open source supply chain

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

JS Party JS Party #210

What's in your package.json?

Tobie Langel, open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again highlighting the many gaps in our OSS supply chain security, sustainability, and overall practices. We explore all these topics and discuss what our ecosystem needs in order to be more resilient to these types of attacks in the future.

Phoenix cloudless.studio

Wrapping your head around assets in Phoenix 1.6

The latest Phoenix release ditches webpack and npm for esbuild and… nothing?

Of course, these are just the defaults — docs for Elixir’s esbuild clearly state that NPM is still supported and you can always pass --no-assets and do things 100% your way. But it’s easy to underestimate the power of defaults, especially those that cover areas outside of the target audience’s expertise — which is the case for Phoenix devs and JS bundlers.

In this post, the author lays out how they stitched together an esbuild + npm setup that will likely scale alongside the frontend of your application. I will surely be trying this setup on our app over the next few weeks and might even video it if you’re interested in going along for the ride.

Dan Abramov overreacted.io

npm audit: broken by design

Dan Abramov cuts right to the chase:

Have you heard the story about the boy who cried wolf? Spoiler alert: the wolf eats the sheep. If we don’t want our sheep to be eaten, we need better tools.

As of today, npm audit is a stain on the entire npm ecosystem. The best time to fix it was before rolling it out as a default. The next best time to fix it is now.

He goes on to lay out how it works, why it’s broken, and what changes he’s hoping to see.
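Much of that noise comes from findings that sit only in the dev-dependency subtree and are never reachable from the code you ship. As an added example (not part of Dan’s post, and not npm’s own tooling), the Node script below joins an npm 7+ `npm audit --json` report against a lockfileVersion 2/3 package-lock.json: the audit report lists the installed `nodes` for each finding, and the lockfile marks dev-only nodes with `"dev": true`. Both inputs here are constructed; the package names and advisory titles are placeholders.

```javascript
// Added example: triage `npm audit --json` findings by joining them against
// package-lock.json. Not code from Dan Abramov's post or from npm itself.
// Shapes assumed: npm 7+ audit report (auditReportVersion 2, "vulnerabilities"
// keyed by package name, each with "nodes" paths) and lockfileVersion 2/3
// ("packages" keyed by node_modules path, "dev": true on dev-only entries).
// Both objects below are constructed for this example; names are placeholders.

const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-regex-lib": {
      name: "example-regex-lib",
      severity: "high",
      isDirect: false,
      via: [{ title: "Regular Expression Denial of Service", severity: "high" }],
      nodes: ["node_modules/example-regex-lib"],
      fixAvailable: true,
    },
    "example-url-parser": {
      name: "example-url-parser",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Authorization bypass in URL parsing", severity: "moderate" }],
      nodes: ["node_modules/example-url-parser"],
      fixAvailable: false,
    },
  },
};

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "example-url-parser": "^1.0.0" },
      devDependencies: { "example-bundler": "^5.0.0" },
    },
    "node_modules/example-url-parser": { version: "1.2.0" },
    "node_modules/example-bundler": {
      version: "5.1.0", dev: true, dependencies: { "example-regex-lib": "^2.0.0" },
    },
    "node_modules/example-regex-lib": { version: "2.0.1", dev: true },
  },
};

// Classify each finding: "dev-only" when every installed copy is flagged dev,
// "prod-reachable" otherwise. A node that is missing from the lockfile is
// reported as "unknown" instead of being silently treated as safe.
function triageAudit(report, lock) {
  const result = {};
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    const entries = vuln.nodes.map((n) => lock.packages[n]);
    let cls;
    if (entries.some((e) => e === undefined)) cls = "unknown";
    else if (entries.every((e) => e.dev === true)) cls = "dev-only";
    else cls = "prod-reachable";
    result[name] = { severity: vuln.severity, isDirect: vuln.isDirect === true, class: cls };
  }
  return result;
}

// Findings worth acting on now: anything not proven dev-only, sorted by name.
function actionable(report, lock) {
  return Object.entries(triageAudit(report, lock))
    .filter(([, v]) => v.class !== "dev-only")
    .map(([name]) => name)
    .sort();
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(triageAudit(auditReport, lockfile));
  console.log("actionable:", actionable(auditReport, lockfile));
}
```

Against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync("audit.json"))` (written by `npm audit --json > audit.json`) and the parsed package-lock.json. “dev-only” is a triage bucket, not a verdict: a malicious dev dependency still executes on developer machines and in CI, so the class only says whether the shipped application can reach the vulnerable code at runtime.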

npm sambleckley.com

Worrying about the npm ecosystem

Sam Bleckley:

The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.

He then spends some time measuring the extent of the problem.
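The “ten or more levels deep” concern is something you can measure for your own project from package-lock.json alone. As an added example (not Sam’s code, and not part of npm), the Node script below walks a lockfileVersion 2/3 `packages` map from the root, resolving each `dependencies` entry the way Node does (the node’s own node_modules first, then each ancestor’s, up to the project root), and reports how many installed nodes are reachable, how many distinct package names that covers, and the deepest level at which a node is first reached. The lockfile is constructed for this example and the package names are placeholders; it includes one nested duplicate so the node/name counts differ, which is exactly the kind of copy the node_modules story above is about.

```javascript
// Added example: measure reach and depth of a dependency tree from
// package-lock.json (lockfileVersion 2 or 3). Not code from Sam Bleckley's post
// or from npm. The lockfile below is constructed; package names are placeholders.

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-web": "^3.0.0" }, devDependencies: { "example-test": "^1.0.0" } },
    "node_modules/example-web": { version: "3.1.0", dependencies: { "example-http": "^2.0.0", "example-util": "^1.0.0" } },
    "node_modules/example-http": { version: "2.4.0", dependencies: { "example-util": "^1.0.0", "example-stream": "^0.9.0" } },
    "node_modules/example-util": { version: "1.5.0" },
    "node_modules/example-stream": { version: "0.9.2", dependencies: { "example-util": "^0.8.0" } },
    // Nested copy: example-stream needs an older example-util that cannot be hoisted.
    "node_modules/example-stream/node_modules/example-util": { version: "0.8.3" },
    "node_modules/example-test": { version: "1.0.0", dev: true, dependencies: { "example-util": "^1.0.0" } },
  },
};

// Resolve `name` as required from the node at `fromPath`: look in that node's
// own node_modules, then in each ancestor's, ending at the project root ("").
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root. Depth of a node is the level at which it is
// first reached (direct dependencies are level 1). Cycles are handled by the
// visited map; dependencies the lockfile cannot satisfy are listed, not ignored.
function walkTree(lock, { includeDev = false } = {}) {
  const packages = lock.packages;
  const root = packages[""];
  const rootDeps = { ...(root.dependencies || {}), ...(includeDev ? root.devDependencies || {} : {}) };
  const depth = new Map(); // node path -> depth at first visit
  const missing = [];
  const queue = [];
  for (const name of Object.keys(rootDeps)) {
    const p = resolveDep(packages, "", name);
    if (!p) { missing.push(name); continue; }
    if (!depth.has(p)) { depth.set(p, 1); queue.push(p); }
  }
  while (queue.length) {
    const cur = queue.shift();
    for (const name of Object.keys(packages[cur].dependencies || {})) {
      const p = resolveDep(packages, cur, name);
      if (!p) { missing.push(name + " (from " + cur + ")"); continue; }
      if (!depth.has(p)) { depth.set(p, depth.get(cur) + 1); queue.push(p); }
    }
  }
  // Package name is everything after the last "node_modules/" (keeps @scope/name intact).
  const names = new Set([...depth.keys()].map((p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length)));
  return { nodes: depth.size, names: names.size, maxDepth: Math.max(0, ...depth.values()), missing };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("prod:", walkTree(lockfile));
  console.log("prod+dev:", walkTree(lockfile, { includeDev: true }));
}
```

For a real project, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`. A node count much larger than the name count means many duplicate copies are installed; a large `maxDepth` is the “ten or more levels” situation, where every level is another maintainer you are implicitly trusting.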

The GitHub Blog

GitHub is acquiring npm

This… is a bit of a bombshell:

The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million packages with 75 billion downloads a month. Together, they’ve helped JavaScript become the largest developer ecosystem in the world. We at GitHub are honored to be part of the next chapter of npm’s story and to help npm continue to scale to meet the needs of the fast-growing JavaScript community.

Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.

npm github.com

npm adds `fund` subcommand to help support maintainers

As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.

Darcy Clarke had this to say about the feature on npm’s blog:

Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the --no-fund flag if you so choose.

At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.

Bryan Bogensberger blog.npmjs.org

npm announced plans to launch an open source funding platform

Bryan Bogensberger (CEO of npm) writes on npm blog:

Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.

Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.

Send questions/comments to funding-contributors@npmjs.com, or discuss your thoughts right here.

Changelog Interviews Changelog Interviews #355

Federating JavaScript's language commons with Entropic

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid out her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registry, and as you may know, npm is a VC-backed for-profit startup. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk — a federated package registry for JavaScript that C J hopes will unseat npm and free the JavaScript language commons.

Thomas Claburn theregister.co.uk

npm, Inc settled its labor rights union-busting battle

With the settlement behind it, NPM Inc can now turn its attention toward repairing relationships with the JavaScript community and generating enough revenue to sustain itself.

I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?

npm blog.npmjs.org

npm token scanning extending to GitHub

The npm team is collaborating with GitHub on a new service that automatically checks changes pushed to public repositories for npm tokens and revokes any that turn out to be valid. This shortens the window in which an accidentally committed credential can be used to publish under the maintainer’s name. From the post:

Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
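Revocation after the push is the registry’s safety net; the cheaper check is to catch the token before it leaves your machine. As an added example (not the npm/GitHub scanner the post describes, and not code from either project), the Node script below scans the added lines of a unified diff, as produced by `git diff --cached`, for two shapes of leak: an `.npmrc`-style `_authToken=` line (which also catches legacy UUID-format tokens) and a bare modern npm access token, assumed here to be `npm_` followed by 36 alphanumeric characters. The diff is constructed for this example and the tokens in it are fake.

```javascript
// Added example: pre-push scan of a unified diff for npm tokens. Not the
// npm/GitHub token-scanning service itself. Token format assumption: modern npm
// access tokens are "npm_" plus 36 alphanumeric characters; legacy UUID tokens
// are only caught on an _authToken= line. The diff below is constructed and the
// tokens are fake.

const AUTH_LINE = /_authToken\s*=\s*["']?([A-Za-z0-9_\-]{20,})/; // ${NPM_TOKEN} placeholders do not match
const BARE_TOKEN = /\bnpm_[A-Za-z0-9]{36}\b/;

// Keep enough of the token to recognise it in a report, never the whole value.
function redact(token) {
  return token.slice(0, 4) + "…" + token.slice(-4);
}

// Walk the diff, tracking the current file and new-file line number from the
// "+++" and "@@" headers. Only added ("+") lines are inspected: a removed line
// is the leak being cleaned up, not a new one.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let line = 0;
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) { line = Number(hunk[1]) - 1; continue; }
    if (raw.startsWith("-") || raw.startsWith("\\")) continue; // removed lines, "\ No newline" marker
    line += 1; // context and added lines both advance the new-file line number
    if (!raw.startsWith("+")) continue;
    const added = raw.slice(1);
    const auth = added.match(AUTH_LINE);
    const bare = auth ? null : added.match(BARE_TOKEN);
    const token = auth ? auth[1] : bare ? bare[0] : null;
    if (!token) continue;
    findings.push({ file, line, kind: auth ? "authToken" : "bareToken", redacted: redact(token) });
  }
  return findings;
}

// Constructed sample diff: one .npmrc leak, one env-var placeholder that must
// not be flagged, one bare token hard-coded in a script.
const sampleDiff = [
  "diff --git a/.npmrc b/.npmrc",
  "new file mode 100644",
  "--- /dev/null",
  "+++ b/.npmrc",
  "@@ -0,0 +1,2 @@",
  "+registry=https://registry.npmjs.org/",
  "+//registry.npmjs.org/:_authToken=npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
  "diff --git a/ci.yml b/ci.yml",
  "--- a/ci.yml",
  "+++ b/ci.yml",
  "@@ -10,3 +10,4 @@ jobs:",
  "   steps:",
  "-    - run: npm publish",
  '+    - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc',
  "+    - run: npm publish",
  "+    - run: npm whoami",
  "diff --git a/scripts/publish.js b/scripts/publish.js",
  "--- a/scripts/publish.js",
  "+++ b/scripts/publish.js",
  "@@ -1,3 +1,4 @@",
  ' const { execSync } = require("child_process");',
  "-const token = process.env.NPM_TOKEN;",
  "+// TODO remove before commit",
  '+const token = "npm_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6";',
  " execSync('npm publish', { env: { ...process.env, NPM_TOKEN: token } });",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const found = scanDiff(sampleDiff);
  for (const f of found) console.log(`${f.file}:${f.line} ${f.kind} ${f.redacted}`);
  process.exitCode = found.length ? 1 : 0;
}
```

Wired in as a pre-push hook (`git diff --cached | node scan.js`), a non-zero exit blocks the push. It is deliberately narrow: it does not touch the registry, so it cannot tell a live token from a revoked one, and it will miss tokens split across lines or base64-wrapped. That is the gap the server-side validate-and-revoke step described above is closing.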
