blog.npmjs.org

npm CLI Roadmap - Summer 2019

Motion on the npm CLI project has been accelerating, and we’re now moving forward with a clear direction and vision. This document outlines what’s in store for the remainder of the npm v6 line, and what to expect in v7 and v8.

Remaining npm v6 Releases

npm v6 is officially in “bugfix and minor enhancement” mode as work on npm v7 is getting into full swing. That doesn’t mean that improvements won’t be made! But the architectural changes for v7 will require quite a bit of attention, and will be the priority moving forward. Expect...


An Old Bug

Recently, I happened across a weird line in read-package-tree while reading through the code to see where I might get started implementing Workspaces for the npm CLI. At the time, I was so deep in the flow of reading code and tracing flows through various parts of the system, it didn’t strike me how important it was. I just thought “oh, that’s obviously wrong” and fixed it without a second thought. When I tried to integrate my changes back to the mainline CLI with read-package-tree version 5.3.0, however, I realized what I’d...


The security risks of changing package owners

When I ask software developers what their biggest security concerns are, I typically hear something about malicious code in their npm packages. The average npm package has over 2000 dependencies, so the worry over malware makes a lot of sense. The npm security team certainly shares this concern, but our job is to also look beyond the malware itself and analyze the situation that enabled it to do malicious things. These situations are varied, from mistakes like accidentally publishing a token to someone failing to take advantage of security...