npm (software)

npm (originally short for Node Package Manager)[4] is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.

npm
Original author(s): Isaac Z. Schlueter, Rebecca Turner, Kat Marchán, others
Developer(s): npm, Inc. (a subsidiary of GitHub,[1] itself a subsidiary of Microsoft)
Initial release: 12 January 2010[2]
Stable release: 6.14.7 / 21 July 2020[3]
Written in: JavaScript
Platform: Cross-platform
Type: Package manager
License: Artistic License 2.0
Website: www.npmjs.com

History

npm is written entirely in JavaScript and was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl).[5]

Notable breakages

  • In March 2016, npm attracted press attention[6] after a package called left-pad, historically used as an example package but which had ended up as a dependency of many popular JavaScript packages, was unpublished as the result of a naming dispute.[7] Although the package was republished 3 hours later,[8] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.[9]
  • In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.[10]
  • In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.[11]
  • In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that steals bitcoins from certain applications. npm administrators responded by removing the offending package.[12][13]
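The eslint-scope and event-stream incidents above are both cases of a known-bad package version being pulled into a project through its dependency tree. The following added example (not part of the original article) shows one defensive check a build pipeline can run: walk an npm 6 style package-lock.json and flag any entry whose name and version appear on a denylist, and any entry that lacks an integrity hash. The lockfile fragment and the integrity placeholders are constructed for the example; the denylist entries are the versions named in the incidents above (eslint-scope 3.7.2 and flatmap-stream 0.1.1/0.1.2 from reference 13).

```javascript
// Denylist of package versions named in the incidents above.
const DENYLIST = {
  "eslint-scope": ["3.7.2"],
  "flatmap-stream": ["0.1.1", "0.1.2"],
};

// Constructed lockfile fragment in the npm 6 (lockfileVersion 1) format:
// a nested "dependencies" tree where each entry carries "version",
// optionally "integrity", and its own nested "dependencies".
// The integrity values are placeholders, not real hashes.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      integrity: "sha512-PLACEHOLDER",
      dependencies: {
        // Transitive dependency with no integrity field recorded.
        "flatmap-stream": { version: "0.1.1" },
      },
    },
    "left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER" },
  },
};

// Depth-first walk over the lockfile tree. The path is kept so the report
// shows which top-level dependency pulled a flagged package in.
function walk(deps, path, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if ((DENYLIST[name] || []).includes(entry.version)) {
      findings.push({ kind: "denylisted", path: here.join(" > ") });
    }
    if (!entry.integrity) {
      findings.push({ kind: "missing-integrity", path: here.join(" > ") });
    }
    walk(entry.dependencies, here, findings);
  }
}

// Returns the list of findings for a parsed lockfile object.
function scanLock(lock) {
  const findings = [];
  walk(lock.dependencies, [], findings);
  return findings;
}

// Convenience: true when the lockfile contains no denylisted versions,
// suitable for failing a CI step.
function lockIsClean(lock) {
  return !scanLock(lock).some((f) => f.kind === "denylisted");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
}
```

The walk reports two findings for the sample: flatmap-stream 0.1.1 reached through event-stream 3.3.6 is denylisted, and the same entry has no integrity hash. A real pipeline would load package-lock.json from disk with JSON.parse and feed it to scanLock; for lockfileVersion 2 or 3 files, which use a flat "packages" map keyed by path, the walk would need to iterate that map instead of the nested tree.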

Description

npm is included as a recommended feature in the Node.js installer.[14] npm consists of a command line client that interacts with a remote registry. It allows users to consume and distribute JavaScript modules that are available on the registry.[15] Packages on the registry are in CommonJS format and include a metadata file in JSON format.[16] Over 477,000 packages are available on the main npm registry.[17] The registry has no vetting process for submissions, which means that packages found there can be low quality, insecure, or malicious.[16] Instead, npm relies on user reports to take down packages that violate its policies by being low quality, insecure, or malicious.[18] npm exposes statistics, including the number of downloads and the number of depending packages, to assist developers in judging the quality of packages.[19]

In npm version 6, the audit feature was introduced to help developers identify and fix vulnerabilities and security issues in installed packages.[20] The security advisories were taken from reports found on the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.[21]

Usage

npm can manage packages that are local dependencies of a particular project, as well as globally installed JavaScript tools.[22] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.[23] In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.[24] npm also provides version-bumping tools for developers to tag their packages with a particular version.[25] npm also provides the package-lock.json file,[26] which records the exact version of each dependency that the project resolved after evaluating the semantic versioning ranges in package.json.
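To make the range-versus-lockfile distinction concrete, here is an added example (not code from npm or the article) that resolves package.json ranges to exact versions the way a lockfile pins them. It implements only the "^", "~" and exact forms of semver ranges over a constructed list of published versions; the package names and version lists are sample data, and the event-stream list is chosen so that a "~3.3.4" range resolves to 3.3.6, the version the incident list above describes as carrying the malicious dependency. That is the failure mode a lockfile guards against: a range that was safe when written can later resolve to a newer, compromised release unless the resolved version is pinned and reviewed.

```javascript
// Parse "major.minor.patch" into numeric components.
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Numeric comparison of two parsed versions (negative, zero, positive).
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Build a predicate for a range string. Supported forms:
//   "1.2.3"  exact pin
//   "~1.2.3" >=1.2.3 <1.3.0   (patch-level updates only)
//   "^1.2.3" >=1.2.3 <2.0.0   (minor and patch updates)
//   "^0.2.3" >=0.2.3 <0.3.0   (for 0.x, minor is the breaking component)
// Caret ranges on 0.0.x versions are not modelled here.
function rangeMatcher(range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  return (v) => {
    if (compare(v, base) < 0) return false; // never below the stated floor
    if (op === "") return compare(v, base) === 0; // exact pin
    if (op === "~") return v.major === base.major && v.minor === base.minor;
    if (base.major === 0) return v.major === 0 && v.minor === base.minor;
    return v.major === base.major;
  };
}

// Pick the highest published version satisfying the range, or null.
function resolve(range, published) {
  const ok = published.map(parseVersion).filter(rangeMatcher(range));
  if (ok.length === 0) return null;
  ok.sort(compare);
  const best = ok[ok.length - 1];
  return `${best.major}.${best.minor}.${best.patch}`;
}

// Constructed registry snapshot: which versions of each package exist.
const PUBLISHED = {
  "left-pad": ["1.1.3", "1.2.0", "1.3.0", "2.0.0"],
  "event-stream": ["3.3.4", "3.3.5", "3.3.6", "4.0.0"],
};

// Resolve every range in a package.json "dependencies" map to the exact
// version a lockfile would record.
function buildLock(dependencies, published) {
  const lock = {};
  for (const [name, range] of Object.entries(dependencies)) {
    lock[name] = resolve(range, published[name] || []);
  }
  return lock;
}

if (typeof require !== "undefined" && require.main === module) {
  const deps = { "left-pad": "^1.1.0", "event-stream": "~3.3.4" };
  console.log(buildLock(deps, PUBLISHED));
}
```

With the sample registry, "^1.1.0" resolves left-pad to 1.3.0 and "~3.3.4" resolves event-stream to 3.3.6. Once those exact versions are written to package-lock.json, a later install reproduces them instead of silently moving to whatever newer release now satisfies the range.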

Alternatives

There are a number of open-source alternatives to npm for installing modular JavaScript, including ied, pnpm, npmd, and yarn, the last of which was released by Facebook in October 2016.[27] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.[28]

At JSConf 2019, npm's former CTO announced a new federated package registry, Entropic, which is aimed at decentralising the JavaScript commons.[29]

The company

The company behind the npm software is npm, Inc., based in Oakland, California. The CEO, Bryan Bogensberger, who had joined the company in July 2018, resigned in September 2019. Before his resignation, npm co-founder Laurie Voss had resigned in July 2019.[30]

GitHub announced in March 2020 that it was acquiring npm, Inc.[31]


References

  1. https://www.geekwire.com/2020/microsoft-owned-github-acquire-javascript-package-manager-npm
  2. "Earliest releases of npm". GitHub. Retrieved 5 January 2019.
  3. "Release · npm/cli". GitHub. 21 July 2020.
  4. https://github.com/npm/cli/commit/4626dfa73b7847e9c42c1f799935f8242794d020#diff-04c6e90faac2675aa89e2176d2eec7d8R1
  5. Schlueter, Isaac Z. (25 March 2013). "Forget CommonJS. It's dead. We are server side JavaScript.". GitHub.
  6. Yegulalp, Serdar (23 March 2016). "How one yanked JavaScript package wreaked havoc". InfoWorld. Retrieved 22 July 2016.
  7. Williams, Chris. "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript". The Register. Retrieved 17 April 2016.
  8. "kik, left-pad, and npm". Retrieved 9 May 2017.
  9. "changes to unpublish policy". Retrieved 9 May 2017.
  10. "Critical Linux filesystem permissions are being changed by latest version". GitHub. Retrieved 25 February 2018.
  11. "Virus in eslint-scope".
  12. "Details about the event-stream incident". The npm Blog. Retrieved 28 November 2018.
  13. "Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2". GitHub. Retrieved 28 November 2018.
  14. Dierx, Peter (30 March 2016). "A Beginner's Guide to npm – the Node Package Manager". sitepoint. Retrieved 22 July 2016.
  15. Ampersand.js. "Ampersand.js – Learn". ampersandjs.com. Retrieved 22 July 2016.
  16. Ojamaa, Andres; Duuna, Karl (2012). "Assessing the Security of Node.js Platform". 2012 International Conference for Internet Technology and Secured Transactions. IEEE. ISBN 978-1-4673-5325-0. Retrieved 22 July 2016.
  17. Kennedy, Hugh; DeVay, Paul. "Understanding npm". Nsight. Archived from the original on 8 July 2016. Retrieved 22 July 2016.
  18. "npm Code of Conduct: acceptable package content". Retrieved 9 May 2017.
  19. Vorbach, Paul. "npm-stat: download statistics for NPM packages". npm-stat.com.
  20. npm. "'npm audit': identify and fix insecure dependencies". The npm Blog. Retrieved 14 August 2018.
  21. npm. "The Node Security Platform service is shutting down 9/30". The npm Blog. Retrieved 14 August 2018.
  22. Ellingwood, Justin. "How To Use npm to Manage Node.js Packages on a Linux Server". DigitalOcean. Retrieved 22 October 2016.
  23. "npm-install". docs.npmjs. Retrieved 22 October 2016.
  24. "semver". docs.npmjs. Retrieved 22 October 2016.
  25. "npm-version". docs.npm. Retrieved 29 October 2016.
  26. Koirala, Shivprasad (21 August 2017). "What is the need of package-lock.json in Node?". codeproject.
  27. "Hello, Yarn!". The npm Blog. 11 October 2016. Retrieved 17 December 2016.
  28. Katz, Yehuda (11 October 2016). "Why I'm working on Yarn". Retrieved 17 December 2016.
  29. JSConf (3 June 2019). "The economics of open source by C J Silverio | JSConf EU 2019". Retrieved 3 June 2019.
  30. npm, inc. "NPM CEO Bryan Bogensberger Resigns September 2019". Business Insider. Retrieved 17 February 2020.
  31. Friedman, Nat (16 March 2020). "npm is joining GitHub". The GitHub Blog.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.