NPM Content on InfoQ
-
Npm Bans Packages Which Display Ads via Its Command Line Interface
npm, Inc., the company behind the popular eponymous JavaScript package manager, will no longer allow packages which display ads. Developers will be able to silence terminal messages which push ads or call for donations, and which stem from the regular use of the npm command line interface.
-
Making 'npm install' Safe
At QCon New York 2019, Kate Sills, a software engineer at Agoric, discussed some of the security challenges in building composable smart contract components with JavaScript. Two emerging TC39 JavaScript proposals, realms and Secure ECMAScript (SES), were presented as solutions to security risks with the npm installation process.
-
NPM Adopted Rust to Remove Performance Bottlenecks
npm's exponential growth drove the npm engineering team to switch from Node.js to Rust to handle CPU-bound tasks that were going to become a performance bottleneck. A recent white paper gives an overview of the experience of developing the new service in Rust and running it in production for more than one year.
-
JSUI, a UI Toolkit for Managing JavaScript Apps
JSUI introduces a visual tool for creating and managing JavaScript applications. The project provides utilities and features for both front-end and back-end applications, and most of its features are independent of underlying JavaScript frameworks.
-
Package Containing Malicious Backdoor Makes its Way into NPM
The NPM security team removed a package masquerading as a cookie parser that actually contained a malicious backdoor, along with three other packages depending on it. The backdoor allowed attackers to inject arbitrary code into a running server and execute it.
-
Node.js 10.0 and npm 6 Released with Emphasis on Security
On April 24, the Node.js project released version 10.0.0 of Node.js and npm, Inc. released version 6.0 of npm. Both releases emphasized security improvements, with Node.js updating to OpenSSL version 1.1.0 and npm including new security-focused features such as the automatic alerting of insecure dependencies. The Node.js release also included a new native programming API and stable HTTP2 support.
-
Last Npm Incident Uncovers Security Vulnerability
Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to solve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.
-
Yarn 1.0 Adds Workspaces, Auto-Merge and Selective Version Resolution
Almost a year ago we published the news "Facebook Open Sources Yarn, a JavaScript Package Manager", introducing Yarn and the motivation behind its creation. The community has moved the project forward, releasing the first major version with workspaces, automatic merging, selective version resolution and many other features and fixes.
-
Npm 5.0 Boosts Common Sense Performance
Npm 5.0 is a highly anticipated release that has been years in coming. The new version of the JavaScript package manager has a completely rewritten cache and performance that is more in line with its most direct competitor.
-
npm 4.0 Deprecates Prepublish Lifecycle Script
Npm has released version 4.0.0, its first semver major release since the release of npm 3 in 2015. The v4 release brings a bevy of breaking changes, including a rewritten npm search, as well as deprecated prepublish and changed behaviour for npm scripts.
-
Webpack Dashboard Improves UX over Console Output
A new tool, Webpack Dashboard, offers to improve the UX for those that use the popular Webpack module builder.
-
npm Releases Enterprise Add-ons for Security, Licensing
Npm has released Enterprise add-ons, allowing developers to directly integrate third-party tools for the first time.
-
Node.js 6.0 Supports 93% of ES2015
Node.js 6.0 has been released, becoming the new current version. It comes with performance improvements, better test and documentation coverage, better security and wide support for ES2015.
-
Npm Updates Policy on Removing Packages
Npm has issued an updated policy on what happens when a user wants to remove one of their packages from the publishing system.
-
NPM Worm Vulnerability Disclosed
The NPM project has formally acknowledged a long-standing security vulnerability in which it is possible for malicious packages to run arbitrary code on developers' systems, leading to the first NPM-created worm. With the recent problems with NPM, is it safe to use any more? InfoQ investigates.