Npm

Last updated

npm
Original author(s) Isaac Z. Schlueter
Developer(s) npm, Inc. (a subsidiary of GitHub, [1] a subsidiary of Microsoft)
Initial release12 January 2010;15 years ago (2010-01-12) [2]
Stable release
11.0.0 [3]   OOjs UI icon edit-ltr-progressive.svg / 16 December 2024
Repository
Written in JavaScript
Platform Cross-platform
Type Package manager
License Artistic License 2.0
Website www.npmjs.com

npm is a package manager for the JavaScript programming language maintained by npm, Inc., a subsidiary of GitHub. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer. [4]

Contents

It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.

Although "npm" is commonly understood to be an abbreviation of "Node Package Manager", it is officially a recursive backronymic abbreviation for "npm is not an acronym". [5]

History

npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl). [6] npm is a JavaScript replacement for pm, a shell script. [7]

The company npm, Inc. was founded in 2014 in Oakland, California, United States, with Laurie Voss as co-founder. Bryan Bogensberger joined the company as CEO in July 2018 and resigned in September 2019. [8] Before Bogensberger's resignation, Laurie Voss resigned in July 2019. [9]

In March 2020, npm was acquired by GitHub, which is a subsidiary of Microsoft.

Usage

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. [10] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file. [11] In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. [12] npm also provides version-bumping tools for developers to tag their packages with a particular version. [13] npm also provides the package-lock.json [14] file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json.

Client

npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. [15]

In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system. [16]

In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages. [17] The source of security vulnerabilities were taken from reports found on the Node Security Platform (NSP) and has been integrated with npm since npm's acquisition of NSP. [18]

Registry

Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. [19]

Over 3.1 million packages are available in the main npm registry. [20]

The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. [19] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious. [21] npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. [22]

Internally npm relies on the NoSQL Couch DB to manage publicly available data. [23]

Security and disruption

left-pad

In March 2016, a package called left-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik. [24] [25] The package was immensely popular on the platform, being depended on by thousands of projects and reaching 15 million downloads prior to its removal. [24] [26] Several projects critical to the JavaScript ecosystem including Babel and Webpack depended on left-pad and were rendered unusable. [27] Although the package was republished three hours later, [28] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future. [29]

peacenotwar

In March 2022, developer Brandon Nozaki Miller, maintainer of the node-ipc package, added peacenotwar as a dependency to the package; peacenotwar recursively overwrites an affected machine's hard drive contents with the heart emoji if they have a Belarusian or Russian IP address. The package also leaves a text file on the machine containing a message in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js became affected by the malicious package if the dependency was fetched as the latest package. [30] [31] The affected dependency was also briefly present in version 3.1 of Unity Hub; a hotfix was released the same day to remove the issue, however. [32]

Other notable incidents

In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. [33] The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. [34]

In May 2021, pac-resolver, an npm package that received over 3 million downloads per week, was discovered to have a remote code execution vulnerability. [35] The vulnerability resulted from how the package handled config files, and was fixed in versions 5 and greater. [36]

In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. [26] The maintainer also cleared the repository of another popular package, faker, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?" [37]

In May 2023, several npm packages including bignum were found to be exploited, stealing user credentials and information from affected machines. Researchers discovered that these packages had been compromised through an exploit involving Amazon S3 buckets and the node-gyp command line tool. [38]

Alternatives

There are a number of open-source alternatives to npm for installing modular JavaScript, including pnpm, Yarn, [39] Bun and Deno. Deno and Bun also provide a JavaScript runtime, while only Deno operates independently from npm Registry or any centralized repository [40] and its support of npm registry is still a subject of ongoing work in progress as of January 2024. [41] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client. [42]

See also

Related Research Articles

The Comprehensive Perl Archive Network (CPAN) is a software repository of over 250,000 software modules and accompanying documentation for 39,000 distributions, written in the Perl programming language by over 12,000 contributors. CPAN can denote either the archive network or the Perl program that acts as an interface to the network and as an automated software installer. Most software on CPAN is free and open source software.

<span class="mw-page-title-main">Package manager</span> Software tools for handling softwares packages

A package manager or package-management system is a collection of software tools that automates the process of installing, upgrading, configuring, and removing computer programs for a computer in a consistent manner.

<span class="mw-page-title-main">Svelte</span> JavaScript framework

Svelte is a free and open-source component-based front-end software framework, and language created by Rich Harris and maintained by the Svelte core team members.

<span class="mw-page-title-main">Google Closure Tools</span> JavaScript developer toolkit

Google Closure Tools was a set of tools built with the goal of helping developers optimize rich web applications with JavaScript. It was developed by Google for use in their web applications such as Gmail, Google Docs and Google Maps. As of Aug 1, 2024 the Closure Library has been sunset, for not "meeting the needs of modern JavaScript development".

<span class="mw-page-title-main">Node.js</span> JavaScript runtime environment

Node.js is a cross-platform, open-source JavaScript runtime environment that can run on Windows, Linux, Unix, macOS, and more. Node.js runs on the V8 JavaScript engine, and executes JavaScript code outside a web browser.

<span class="mw-page-title-main">Amber Smalltalk</span>

Amber Smalltalk, formerly named Jtalk, is an implementation of the programming language Smalltalk-80, that runs on the JavaScript runtime of a web browser. It is designed to enable client-side development using Smalltalk. The programming environment in Amber is named Helios.

Mustache is a web template system. It is described as a logic-less system because it lacks any explicit control flow statements, like if and else conditionals or for loops; however, both looping and conditional evaluation can be achieved using section tags processing lists and anonymous functions (lambdas). It is named "Mustache" because of heavy use of braces, { }, that resemble a sideways moustache. Mustache is used mainly for mobile and web applications.

Pretty Diff is a language-aware data comparison utility implemented in TypeScript. The online utility is capable of source code prettification, minification, and comparison of two pieces of input text. It operates by removing code comments from supported languages and then performs a pretty-print operation prior to executing the diff algorithm. An abbreviated list of unit tests is provided. The documentation claims the JavaScript pretty-print operation conforms to the requirements of JSLint.

<span class="mw-page-title-main">Socket.IO</span> Library for realtime web applications

Socket.IO is an event-driven library for real-time web applications. It enables real-time, bi-directional communication between web clients and servers. It consists of two components: a client, and a server. Both components have a nearly identical API.

<span class="mw-page-title-main">Ember.js</span> JavaScript framework

Ember.js is an open-source JavaScript web framework that utilizes a component-service pattern. It is designed to allow developers to create scalable single-page web applications by incorporating common idioms, best practices, and patterns from other single-page-app ecosystem patterns into the framework.

<span class="mw-page-title-main">Composer (software)</span> Software; application level dependency manager for the PHP programming language

Composer is an application-level dependency manager for the PHP programming language that provides a standard format for managing dependencies of PHP software and required libraries. It was developed by Nils Adermann and Jordi Boggiano, who continue to manage the project. They began development in April 2011 and first released it on March 1, 2012. Composer is strongly inspired by Node.js's "npm" and Ruby's "bundler". The project's dependency solving algorithm started out as a PHP-based port of openSUSE's libzypp SAT solver.

<span class="mw-page-title-main">Browserify</span> Open-source JavaScript tool

Browserify is an open-source JavaScript bundler tool that allows developers to write and use Node.js-style modules that compile for use in the browser.

<span class="mw-page-title-main">Webpack</span> Open-source JavaScript module bundler

Webpack is a free and open-source module bundler for JavaScript. It is made primarily for JavaScript, but it can transform front-end assets such as HTML, CSS, and images if the corresponding loaders are included. Webpack takes modules with dependencies and generates static assets representing those modules.

gulp is an open-source JavaScript toolkit, used as a streaming build system in front-end web development.

Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. It uses a command-line interface to run custom tasks defined in a file. Grunt was created by Ben Alman and is written in Node.js. It is distributed via npm. As of October 2022, there were more than 6,000 plugins available in the Grunt ecosystem.

yarn (package manager) JavaScript package manager

Yarn is one of the main JavaScript package managers, initially started in 2016 by Sebastian McKenzie of Meta for the Node.js JavaScript runtime environment. An alternative to the npm package manager, Yarn was created as a collaboration of Facebook, Exponent, Google, and Tilde to solve consistency, security, and performance problems with large codebases.

<span class="mw-page-title-main">Deno (software)</span> Secure JavaScript and TypeScript runtime

Deno is a runtime for JavaScript, TypeScript, and WebAssembly that is based on the V8 JavaScript engine and the Rust programming language. Deno was co-created by Ryan Dahl, the creator of Node.js and Bert Belder.

peacenotwar is a piece of malware, which has been characterized as protestware, created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc, a common JavaScript dependency.

On March 22, 2016, software engineer Azer Koçulu took down the left-pad package that he had published to npm. Koçulu deleted the package after a dispute with Kik Messenger, in which the company forcibly took control of the package name kik. As a result, thousands of software projects that used left-pad as a dependency, including the Babel transcompiler and the React web framework, were unable to be built or installed. This caused widespread disruption, as technology corporations small and large, including Facebook, PayPal, Netflix and Spotify, used left-pad in their software products.

References

  1. "Microsoft-owned GitHub to acquire JavaScript package manager Npm". GeekWire. 17 March 2020.
  2. "Earliest releases of npm". GitHub. Retrieved 5 January 2019.
  3. "Release 11.0.0". 16 December 2024. Retrieved 26 December 2024.
  4. Dierx, Peter (30 March 2016). "A Beginner's Guide to npm – the Node Package Manager". sitepoint. Retrieved 22 July 2016.
  5. "npm". npm. 15 May 2024. Archived from the original on 14 May 2024.
  6. Schlueter, Isaac Z. (25 March 2013). "Forget CommonJS. It's dead. **We are server side JavaScript.**". GitHub.
  7. "NPM/Cli". GitHub .
  8. Chan, Rosalie. "Bryan Bogensberger, CEO of JavaScript Package Startup NPM, Resigns". Business Insider . Business Insider. Retrieved 30 June 2021.
  9. Chan, Rosalie. "NPM Co-Founder and Chief Data Officer Laurie Voss Resigns". Business Insider . Business Insider. Retrieved 30 June 2021.
  10. Ellingwood, Justin. "How To Use npm to Manage Node.js Packages on a Linux Server". DigitalOcean. Retrieved 22 October 2016.
  11. "npm-install". docs.npmjs. Retrieved 22 October 2016.
  12. "semver". docs.npmjs. Archived from the original on 3 December 2016. Retrieved 22 October 2016.
  13. "npm-version". docs.npm. Retrieved 29 October 2016.
  14. Koirala, Shivprasad (21 August 2017). "What is the need of package-lock.json in Node?". codeproject.
  15. Ampersand.js. "Ampersand.js – Learn". ampersandjs.com. Retrieved 22 July 2016.
  16. "Critical Linux filesystem permissions are being changed by latest version". GitHub. Retrieved 25 February 2018.
  17. npm. "'npm audit': identify and fix insecure dependencies". The npm Blog. Retrieved 14 August 2018.
  18. npm. "The Node Security Platform service is shutting down 9/30". The npm Blog. Retrieved 14 August 2018.
  19. 1 2 Ojamaa, Andres; Duuna, Karl (2012). "Assessing the Security of Node.js Platform". 2012 International Conference for Internet Technology and Secured Transactions. IEEE. ISBN   978-1-4673-5325-0 . Retrieved 22 July 2016.
  20. "npm | Home". npmjs.com. Retrieved 27 June 2024.
  21. "npm Code of Conduct: acceptable package content" . Retrieved 9 May 2017.
  22. Vorbach, Paul. "npm-stat: download statistics for NPM packages". npm-stat.com. Archived from the original on 11 August 2016. Retrieved 9 August 2016.
  23. "registry | npm Docs". docs.npmjs.com. Retrieved 10 May 2021.
  24. 1 2 Williams, Chris. "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript". The Register. Retrieved 17 April 2016.
  25. Collins, Keith (27 March 2016). "How one programmer broke the internet by deleting a tiny piece of code". Quartz. Retrieved 23 December 2020.
  26. 1 2 Sharma, Ax (27 July 2022). "Protestware on the rise: Why developers are sabotaging their own code". TechCrunch. Retrieved 11 May 2024.
  27. "How 17 Lines of Code Took Down Silicon Valley's Hottest Startups". HuffPost. 24 March 2016. Retrieved 11 May 2024.
  28. "kik, left-pad, and npm" . Retrieved 9 May 2017.
  29. "changes to unpublish policy". npm Blog (Archive). Retrieved 23 January 2022.
  30. "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer. Retrieved 17 March 2022.
  31. Juha Saarinen (17 March 2022). "'Protestware' npm package dependency labelled supply-chain attack". IT News. nextmedia.
  32. Proven, Liam (18 March 2022). "JavaScript library updated to wipe files from Russian computers". The Register . Situation Publishing. Archived from the original on 18 March 2022. Retrieved 18 March 2022.
  33. Goodin, Dan (26 November 2018). "Widely used open source software contained bitcoin-stealing backdoor". Ars Technica. Retrieved 11 May 2024.
  34. Claburn, Thomas. "Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)". www.theregister.com. Retrieved 11 May 2024.
  35. Sharma, Ax (2 September 2021). "NPM package with 3 million weekly downloads had a severe vulnerability". Ars Technica. Retrieved 11 May 2024.
  36. Claburn, Thomas. "JavaScript library downloaded 3m times a week exposes apps to hijacking via evil proxy configs". www.theregister.com. Retrieved 11 May 2024.
  37. "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps". Bleeping Computer. Retrieved 9 January 2022.
  38. Burt, Jeff. "Hijacked S3 buckets used in attacks on npm packages". www.theregister.com. Retrieved 11 May 2024.
  39. "Hello, Yarn!". The npm Blog. 11 October 2016. Retrieved 17 December 2016.
  40. "Managing Dependencies". Deno Docs. Retrieved 6 January 2024.
  41. "Node and npm modules | Deno Docs". docs.deno.com. Retrieved 16 January 2024.
  42. Katz, Yehuda (11 October 2016). "Why I'm working on Yarn" . Retrieved 17 December 2016.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.