npm weekly #218: Everything you need to know about npm security, npm 6.12.0, and more!

npm, Inc.
Oct 10, 2019

npm 6.12.0 is here!

npm ci now runs prepare scripts for git dependencies and respects the --no-optional flag. Warnings for engine mismatches are printed again.

Get it: `npm i -g npm@latest`
Read the full release notes here.

The complete package: Everything you need to know about npm security

npm’s VP of Security, Adam Baldwin, shared his thoughts with the web security digest The Daily Swig on improving security for the world’s biggest repository of open source software packages (npm!). Check out the full article, and watch this space for updates on future npm security solutions.

We’ve got some exciting things on the horizon that will help with supply chain security and tooling built in this space.

Releases

The wombats have been busy this month! Here are our latest releases:

  • make-fetch-happen v6.0: a Node.js library that wraps node-fetch-npm with additional features node-fetch doesn't intend to include, such as HTTP cache support, request pooling, proxies, retries and more!
  • npm-registry-fetch v5.0: a Node.js library that implements a fetch-like API for accessing npm registry APIs consistently.
  • pacote v10: a Node.js library for downloading npm-compatible packages. It supports all package specifier syntax that npm install and its ilk support, and transparently caches anything needed to reduce excess operations, using cacache.

We enthusiastically welcome contributions and project participation! The corresponding contributor guides have all the info you need for everything from reporting bugs to contributing new features: make-fetch-happen | npm-registry-fetch | pacote.

New Security Insights API: Sneak Peek

One of the most important things for supply chain security is to have the right information available to make decisions about risk. Existing security tools currently report known vulnerabilities at the tail end of a long disclosure process. npm’s security team is looking to improve the status quo by providing visibility into more of the supply chain, not just its end products.

Adam Baldwin provides all the details on our blog. Keep an eye out for future blog posts from him that will dig into deep package integrity, malware indicators of compromise, and behavioral analysis at runtime.

The results are in — it’s choice 3

Recommended project: bron

Looking for a simple test solution for a small project? Try out this super fast and tiny test runner for Node.js, bron, by freelance developer/architect Lars Kappert.

Upcoming events

  • Open RFC meeting: Wednesday, October 16, 10–11am PT. A new meeting thread providing details and an initial agenda will be created here soon.
  • FinJS, New York: October 22. Don’t miss npm CTO Ahmad Nassri’s presentation, “Modern Patterns in Modular Software Architectures.”
  • NodeDay: October 25 in NYC. Ahmad will be presenting here as well — stop by and say hello!
  • Did you miss our tech talk earlier this week on the pros and cons of working with a polyglot artifact manager? You can check out the recording here (along with the recordings of all our past webinars).

Need private packages and team management tools?

Try out npm Orgs:

  • Publish and download private packages
  • Manage permissions with teams
  • Workflow integration and token management

Learn how npm Orgs can help your team.

Analytics galore!

Looking for a solution to identify visitors, or to track page views, custom events and more? Check out Analytics, by Alex Sexton and David Wells. Designed to work with any third-party analytics tool and plugins, this package eliminates the complexity, maintenance and extra code normally required when adding an analytics service to, or removing one from, a site or app, so you’re never locked into a single analytics tool. Check it out!


npm is the package manager for JavaScript and the world’s largest software registry.