
npm

npm is a package manager for JavaScript included with Node.js.

JavaScript github.com

Pika brings that nostalgic, 2014 simplicity to 2019 web development

Install npm dependencies that run natively in the browser… without a bundler! Pika’s mission is to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm. There’s a lot to digest here in terms of how it works (spoiler: Rollup), which packages you can use with it (spoiler: ESM required), and how it performs. On that topic: When served with HTTP/2, @pika/web installations perform better in production than single “vendor” JavaScript bundles and most custom dependency bundling strategies due to the comparable load performance + more efficient cache usage.


Founders Talk #61

Isaac Schlueter on building npm and hiring a CEO

With JavaScript in every corner of software development and npm in every corner right along with it, the rise of npm can be drawn as a hockey stick up and to the right with Isaac Schlueter at the top grinning ear to ear. After reading their recent announcement to hire a CEO, I knew it was time to talk one-on-one with Isaac about building npm and the journey of hiring his successor.


Isaac Schlueter blog.npmjs.org

npm has a new CEO

npm has faced some interesting challenges with project creator and co-founder Isaac Schlueter playing the role of leading the company AND the product. I’m excited to see how this new leadership and focus for Isaac plays out for npm and the greater JavaScript community. In this post, Isaac shares some backstory and details about this transition: Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months. Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.


Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue dependency explores ways to attack the developer, the server, and the end user, among other scenarios. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, … It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.


The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.


npm github.com

Find the cost of adding a new dependency to your project

Do you have packagephobia? Maybe you should… If you don’t, you just might after using this tool: Package Phobia reports the size of an npm package before you install it. This is useful for inspecting potential dependencies or devDependencies without using up precious disk space or waiting minutes for npm install. Ain’t nobody got time for dat.


Spencer Brown mixmax.com

To yarn and back (to npm) again

Yarn and npm were discussed in-depth on JS Party #29. Spencer writes on the Mixmax blog: We tested that this flow with npm 6 would work for our needs and we suggest you do too. If you need the absolute fastest package manager, then you may still find Yarn to be best. But if you’re looking to simplify your setup, we’ve found that npm 6 recaptures a critical balance between speed and reliability. Spencer and team also shared deyarn, a command-line tool for converting your projects from Yarn to npm.
