
npm

npm is a package manager for JavaScript included with Node.js.

JavaScript github.com

Pika brings that nostalgic, 2014 simplicity to 2019 web development

Install npm dependencies that run natively in the browser… without a bundler! Pika’s mission is to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm. There’s a lot to digest here in terms of how it works (spoiler: Rollup), which packages you can use with it (spoiler: ESM required), and how it performs. On that topic: When served with HTTP/2, @pika/web installations perform better in production than single “vendor” JavaScript bundles and most custom dependency bundling strategies due to the comparable load performance + more efficient cache usage.


Isaac Schlueter blog.npmjs.org

npm has a new CEO

npm has faced some interesting challenges with project creator and co-founder Isaac Schlueter playing the role of leading the company AND the product. I’m excited to see how this new leadership and focus for Isaac plays out for npm and the greater JavaScript community. In this post, Isaac shares some backstory and details about this transition: Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months. Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.


Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue evil dependency explores ways to attack the developer, server, the end user, plus other examples. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, … It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.


npm github.com

Find the cost of adding a new dependency to your project

Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool: Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.


Spencer Brown mixmax.com

To yarn and back (to npm) again

Yarn and npm were discussed in depth on JS Party #29. Spencer writes on the Mixmax blog: We tested that this flow with npm 6 would work for our needs and we suggest you do too. If you need the absolute fastest package manager, then you may still find Yarn to be best. But if you’re looking to simplify your setup, we’ve found that npm 6 recaptures a critical balance between speed and reliability. Spencer and team also shared deyarn, a command-line tool for converting your projects from Yarn to npm.
