Bookmarks (52) clear filters

npm Inc Plans to Support Open Source Maintainers More — Last week we linked to a recap of a recent funding experiment involving showing text ads during the installation of npm packages. npm Inc subsequently moved to ban such practices, and has now laid out their intention to launch an open source funding platform by the end of the year.

A Security Expert's POV on Node Dependency Management — Nearly all of the packages in the npm repository are safe to use, but.. you can never be too careful. This post takes “an application security expert’s point of view” over what practices you should be adopting on your own projects.

npm 6.11.0 Released, and It's Better for Your Filesystem — “As of this release, npm should never ever create root-owned files anywhere other than in root-owned folders.” npm ci also now gets access to all of npm’s config values.

The Summer 2019 npm CLI Roadmap — The status of the npm CLI app has been a bit up and down recently, but things appear to now be fully back on track with ‘accelerating’ progress and a roadmap for npm 7 and what it will contain. “Play nicer with Yarn” is a nice feature to see.

npm 6.10.3 Released — “adds better support for GitLab shorthands via an update to hosted-git-info, and better error handling and reporting when users encounter EACCES on their cache folder.”

Monorepos and npm — A ‘monorepo’ is when you store the code for numerous projects or modules in a single repository, rather than keeping them separate. Lerna is a popular tool for working with monorepos with npm, but npm 7 will introduce first-class monorepo support.

Isaac Z. Schlueter Runs Into An Old Bug — An interesting example of what happens when a bug becomes “normal” behavior leading to workarounds that break when you fix the original bug(!)

npm Enterprise Turns Security Up to 11 — npm Inc. has unveiled the first major update to their enterprise-level package hosting offering which includes being able to filter out packages that don’t meet security requirements, vulnerability reports, and improved SSO.

Protecting Package Publishers with npm Token Security — In collaboration with GitHub’s token scanning program, npm has set up a system where when you commit or push a change to GitHub in a public repo, any npm authentication tokens found will be checked and revoked, in an effort to keep you safe.

npm Pride 2019 Shirts — All proceeds of the “npm install pride” shirts go to a LGBTQ counseling service.

How the npm Security Team Foiled a Criminal Plot — Several months ago, the event-stream package was compromised in an attempt to attack people’s cryptocurrency wallets and the potential loot proved too tempting to the latest set of crooks who have been thwarted by the npm, Inc. security team.

▶  Private Package Development with npm Orgs — A look at a (paid) feature npm Inc. offer for collaborating on packages within a team.

Easy Automatic npm Publishes — npm and Node powerhouse Isaac Z. Schlueter says he hasn’t “manually typed npm publish in a while” and explains how he’s semi-automated his npm publishing process.

npm Inc. Launches 'npm Enterprise', and Here's Why — npm Enterprise is an ‘enterprise grade’ npm package repository that npm Inc. privately hosts and manages for you.

The Security Risks of Changing Package Owners — “We’ve had a few situations recently which illustrate that people are a layer beneath the code and the actions of maintainers have a direct impact on the security of the ecosystem. Specifically event-stream and koa-router.”