npm weekly #218: Everything you need to know about npm security, npm 6.12.0, and more!
npm 6.12.0 is here!
npm ci now runs prepare scripts for git dependencies and respects the --no-optional argument. Warnings for engine mismatches are printed again.
Get it: `npm i -g npm@latest`
Read the full release notes here.
The complete package: Everything you need to know about npm security
npm’s VP of Security, Adam Baldwin, shared his thoughts with the web security digest The Daily Swig on improving security for the world’s biggest repository of open source software packages (npm!). Check out the full article, and watch this space for updates on future npm security solutions.
We’ve got some exciting things on the horizon that will help with supply chain security and tooling built in this space.
The wombats have been busy this month! Here are our latest releases:
- make-fetch-happen v6.0: a Node.js library that wraps node-fetch-npm with additional features node-fetch doesn't intend to include, including HTTP cache support, request pooling, proxies, retries and more!
- npm-registry-fetch v5.0: a Node.js library that implements a fetch-like API for accessing npm registry APIs consistently.
- pacote v10: a Node.js library for downloading npm-compatible packages. It supports all package specifier syntax that npm install and its ilk support, and transparently caches anything needed to reduce excess operations, using
We enthusiastically welcome contributions and project participation! The corresponding contributor guides have all the info you need for everything from reporting bugs to contributing new features: make-fetch-happen | npm-registry-fetch | pacote.
New Security Insights API: Sneak Peek
One of the most important things for supply chain security is to have the right information available to make decisions about risk. Existing security tools currently report known vulnerabilities at the tail end of a long disclosure process. npm’s security team is looking to improve the status quo by providing visibility into more of the supply chain, not just its end products.
Adam Baldwin provides all the details on our blog. Keep an eye out for future blog posts from him that will dig into deep package integrity, malware indicators of compromise, and behavioral analysis at runtime.
The results are in — it’s choice 3
Recommended project: bron
- Open RFC meeting: Wednesday, October 16, 10–11am PT. A new meeting thread providing details and an initial agenda will be created here soon.
- FinJS, New York: October 22. Don’t miss npm CTO Ahmad Nassri’s presentation, “Modern Patterns in Modular Software Architectures.”
- NodeDay: October 25 in NYC. Ahmad will be presenting here as well — stop by and say hello!
- Did you miss our tech talk earlier this week on the pros and cons of working with a polyglot artifact manager? You can check out the recording here (along with the recordings of all our past webinars).
Need private packages and team management tools?
Try out npm Orgs:
- Publish and download private packages
- Manage permissions with teams
- Workflow integration and token management
Looking for a solution to identify visitors, or to track page views, custom events and more? Check out Analytics, by Alex Sexton and David Wells. Designed to work with any third-party analytics tool and plugins, this package eliminates the complexity, maintenance and extra code normally required when adding or removing analytics services to or from a site or app, so you’re never locked into one analytics tool. Check it out!