Announcing npm@6

In coordination with today’s announcement of Node.js v10, we’re excited to announce npm@6. This major update to npm includes powerful new security features for every developer who works with open source code. Read on to understand why this matters.

We all rely on open source code — so we need to trust it

In this winter’s ecosystem survey, we learned that 97% of worldwide JavaScript developers rely on open source code in our projects. This is borne out by the metrics we’ve observed in the npm Registry, which served 5 billion package downloads last week: it’s indisputable that the model of finding, sharing, and reusing others’ modular code is the new normal in software development.

When we asked for your attitudes towards whether the code you use is secure, we learned two eye-opening facts. First: 77% of developers expressed concern with whether the open source code they use is secure. More interestingly, 87% expressed concern about the safety of their own code. Put another way, more developers trust the security of the open source code they use than trust themselves.

Old methods don’t work

In that same survey, we learned that more than half of you are dissatisfied with the current methods available to assess whether code is safe.

We believe the explanation is simple: complexity is the enemy of best practices. If a security process requires pausing development for manual reviews, paying for an external audit, or introducing a third-party tool into your workflow, you’re less likely to follow it.

With npm@6, security is built in

Earlier this month, we were excited to announce our acquisition of the Node Security Platform, the definitive source of known JavaScript package vulnerabilities. With npm@6, we’re proud to announce the first fruits of our collaboration.

Soon, every user of the npm Registry will begin receiving automatic warnings if you try to use code with a known security issue. npm will automatically review install requests against the NSP database and return a warning if the code contains a vulnerability.

In addition, a new command in npm@6, `npm audit`, will soon allow you to recursively analyze your dependency trees to identify specifically what’s insecure — so you can swap in a new version or find a safer alternate dependency.

These features are already available to users of npm’s beta registry, and in coming weeks they will automatically roll out to every member of the community. Both of these features are available free of charge to every npm user, with no purchase or registration required. (Customers of our paid services will receive additional pre-publication vulnerability disclosures, formerly the NSP’s premium tier.)

We’re giving away these resources to maximize community benefit. Every developer needs to know that the code they use is safe. By alerting the entire community to security vulnerabilities within a tool you already use, we can make JavaScript development safer for everyone.

There’s more

If you haven’t already, you should check out our recap of what we’ve added to npm in the last year, the notes for today’s release, and our roadmap of the year ahead. There’s a lot to celebrate. This includes:

  • Performance enhancements. npm@6 is up to 17x faster than the npm of one year ago.
  • Optimization for CI. `npm ci` makes using npm within your continuous integration/continuous deployment (CI/CD) workflow an additional 2x–3x faster.
  • Webhooks management. We first introduced webhooks — real-time notifications of Registry and package changes — almost two years ago, but now it’s possible to configure these from directly within the npm CLI. We can’t wait to see what powerful developer tools you build.
  • More visible integrity metadata. It’s becoming easier every day to verify that a package hasn’t been tampered with or corrupted.
  • Automatic resolution of lockfile conflicts. Teams can more easily share reproducible builds.

Get started

You can update to npm@6 by typing `npm i -g npm@latest`. And, as always, you can get in touch with your feedback, questions, and ideas. Just hit us up on Twitter or drop us a line.

We’re excited by today’s announcement, and hopeful that you are, too. It’s never been faster or safer to build amazing things.

Like what you read? Give npm, Inc. a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.