
npm

npm is a package manager for JavaScript included with Node.js.

GitHub Blog

GitHub is acquiring npm

This… is a bit of a bombshell:

The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million packages with 75 billion downloads a month. Together, they’ve helped JavaScript become the largest developer ecosystem in the world. We at GitHub are honored to be part of the next chapter of npm’s story and to help npm continue to scale to meet the needs of the fast-growing JavaScript community.

Software is eating the world. Meanwhile, Microsoft is eating the software world… one acquisition at a time.

npm github.com

npm adds `fund` subcommand to help support maintainers

As of npm 6.13, maintainers can add a funding field to their package.json (which works very much like GitHub’s FUNDING.yml) and users can run npm fund to see how they can support their dependency authors.

Darcy Clarke had this to say about the feature on npm’s blog:

Post install you will now see output that describes the number of packages that have defined funding information. You can opt-out of this prompt by using the --no-fund flag if you so choose.

At the end of August, we made a promise to the community to invest time & effort to better support package maintainers. This work is just the first, small step toward creating a means/mechanism for a more sustainable open source development ecosystem.

Bryan Bogensberger blog.npmjs.org

npm announced plans to launch an open source funding platform

Bryan Bogensberger (CEO of npm) writes on npm blog:

Over the past couple of years, we’ve observed a number of models emerging that enable a path towards sustainability for Open Source maintainers. Most notably: OpenCollective & GitHub Sponsors. We at npm are in full support of both these initiatives, and intend to collaborate further with these organizations.

Now we are ready to invite the community’s most active contributors and the biggest enterprise consumers of public open source code to a working group to finalize the platform’s definition.

Send questions/comments to funding-contributors@npmjs.com, or discuss your thoughts right here.

The Changelog #355

Federating JavaScript's language commons with Entropic

We’re joined by C J Silverio, aka ceejbot on Twitter, aka 2nd hire and former CTO at npm Inc. We talk with Ceej about her recent JS Conf EU talk titled “The Economies of Open Source” where she laid out her concerns with the JavaScript language commons being owned by venture capitalists. Currently the JavaScript language commons is controlled by the npm registry, and as you may know, npm is a VC-backed, for-profit startup. Of course we also talk with Ceej about the bomb she dropped, Entropic, at the end of that talk — a federated package registry for JavaScript that C J hopes will unseat npm and free the JavaScript language commons.

Thomas Claburn theregister.co.uk

npm, Inc settled its labor rights union-busting battle

With the settlement behind it, NPM Inc can now turn its attention toward repairing relationships with the JavaScript community and generating enough revenue to sustain itself.

I’d like to know what the current sentiment is towards npm after this settlement. Can they mend these community fences? Or, are you more hopeful of the “development of alternative technologies” as mentioned in this post?

npm blog.npmjs.org

npm token scanning extending to GitHub

The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post:

Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.

JavaScript github.com

Pika brings that nostalgic, 2014 simplicity to 2019 web development

Install npm dependencies that run natively in the browser… without a bundler!

Pika’s mission is to make modern JavaScript more accessible by making it easier to find, publish, install, and use modern packages on npm.

There’s a lot to digest here in terms of how it works (spoiler: Rollup), which packages you can use with it (spoiler: ESM required), and how it performs. On that topic:

When served with HTTP/2, @pika/web installations perform better in production than single “vendor” JavaScript bundles and most custom dependency bundling strategies due to the comparable load performance + more efficient cache usage.

Founders Talk #61

Isaac Schlueter on building npm and hiring a CEO

With JavaScript in every corner of software development and npm in every corner right along with it, the rise of npm can be drawn as a hockey stick up and to the right with Isaac Schlueter at the top grinning ear to ear. After reading their recent announcement to hire a CEO, I knew it was time to talk one-on-one with Isaac about building npm and the journey of hiring his successor.

Isaac Schlueter blog.npmjs.org

npm has a new CEO

npm has faced some interesting challenges with project creator and co-founder Isaac Schlueter playing the role of leading the company AND the product. I’m excited to see how this new leadership and focus for Isaac plays out for npm and the greater JavaScript community.

In this post, Isaac shares some backstory and details about this transition:

Today, I’m happy to introduce Bryan Bogensberger as npm, Inc.’s CEO. He brings a wealth of experience in Open Source and a ton of excitement and expertise to help grow npm to the next level and beyond. Commercializing something like this without ruining it is no small task, and building the team to deliver on npm’s promise is a major undertaking. We’ve sketched out a business plan and strategy for the next year, and will be announcing some other key additions to the team in the coming months.

Meanwhile, I’ve taken on the title of Chief Product Officer and I will be spending my time focused on the part of the problem that I love.

Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue evil dependency explores ways to attack the developer, server, the end user, plus other examples.

Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say, …

It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.

The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.

They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.
