npm weekly #224: Say hello to email@example.com, behavioral analysis of npm packages & more
Say hello to firstname.lastname@example.org
A new npm version was released earlier this week! It fixes some bugs and includes documentation changes contributed by the community.
Get it in the usual ways:
npm i -g npm@latest
Remember that doing `npm config set viewer=browser` will let you browse our new docs website when you do `npm help`!
Read the release notes here.
npm Security Insights API Preview Part 3: Behavioral Analysis
A lot happens when you install an npm package. npm downloads and extracts dependencies, but it also runs install hooks, which can have a variety of unwanted side effects. Furthermore, post-install scripts are currently the most popular method of malware infection.
In an effort to understand this further and to make side effects (malicious or not) transparent, the npm security team has been hard at work building infrastructure to do behavioral analysis of npm packages at scale. Learn more about what they’ve been up to here.
Open RFC Call: Add your ideas to the agenda
Don’t miss next week’s Open RFC call on Wednesday, 11/27 at 11am PT/2pm ET! Add your thoughts to our biweekly Open RFC Call agenda, and then join in the conversation! A new meeting thread providing details and an initial agenda will be created here soon.
Previous meeting recordings and notes can be found here.
Recommended project: mish
Looking to try out a new gallery app? Check out mish, a single-page gallery app that runs in a standard web browser, whether installed locally or hosted on a web server. Collaboration is very welcome!
Are you using npm to build something cool? Let us know and we’ll help get the word out!
Publish npm package with GitHub Actions
Our wombats are busy this fall! Don’t miss these exciting events:
- TODAY (November 21)! MyDevSecOps virtual session, Building Secure React Applications. Security Engineer Ron Perris will be talking about automations you can add to your React application builds and CI, plus common vulnerabilities and attack surfaces in third-party React component library code.
- Toronto JS Tech Talk: November 25. Engineering Manager Darcy Clarke will be sharing “Beyond npm install — Discover capabilities of npm & the npm Registry you never knew existed.”
- Open Source Montreal meetup: December 9. Join npm engineers Ruy Adorno and Darcy Clarke, and pick up some npm swag! Darcy will be giving a talk on our recent npm community efforts.
- js-Montreal Meetup: Join several of our wombats here on December 10.
- Node.js Foundation collaboration summit: December 13–14. Ruy and Darcy will be there, swag in tow!
Alright stop, collaborate and listen.
The same tools that empower developers to work together on Open Source projects can make teams more efficient when collaborating on mission-critical applications. Meet npm Orgs:
- Publish and download private packages
- Manage permissions with teams
- Workflow integration and token management
NodeSchool SF is looking for mentors to participate in their next event on Saturday, December 7, from 1–5pm. Get all the details here!