NPM

A runtime environment

What is npm

npm stands for Node Package Manager. It’s a library and registry for JavaScript software packages. npm also has command-line tools to help you install the different packages and manage their dependencies. npm is free and relied on by over 11 million developers worldwide. You could say it’s kind of a big deal. It’s open-source and has become the center of JavaScript code sharing. There are more than a million packages available on npm.

What is Node.js?

Node.js is a runtime environment that allows you to run JavaScript on the backend. A runtime environment is like a small operating system: it provides all the functionality needed for a program to run. Node came on the scene because JavaScript used to work only in the web browser, since browsers contain an engine that translates JavaScript into code the machine understands. Originally the backend (i.e. the data layer of an application) did not have such an engine. That’s where Node.js comes in: it acts as a JavaScript engine that translates your code, allowing it to run on a physical machine. If you’d like to learn more about it, check out my beginner’s guide to Node.js. Okay, but how does that relate to npm? Basically, npm keeps track of all the packages (shared code) you’re using.

In September 2022, over 2.1 million packages were reported to be listed in the npm registry, making it the biggest single-language code repository on Earth, and you can be sure there is a package for (almost!) everything.

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools.[30] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.[31] In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.[32] npm also provides version-bumping tools for developers to tag their packages with a particular version.[33] npm also provides the package-lock.json[34] file, which records the exact version of each dependency that the project resolved after evaluating the semantic-versioning ranges in package.json.

  • In March 2016, npm attracted press attention[8] after a package called left-pad, which many popular JavaScript packages depended on, was unpublished as the result of a naming dispute between Azer Koçulu, a self-taught software engineer, and Kik.[9][10] Although the package was republished three hours later, it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.
  • In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.
  • In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.
  • In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package.
  • In March 2022, developer Brandon Nozaki Miller released a version of the package node-ipc containing malicious code that would delete files from users with Belarusian and Russian IP addresses, in protest against the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, so some Vue.js users were affected by the malicious package when the dependency was fetched as the latest release.[19][20] The affected dependency was also briefly present in version 3.1 of Unity Hub; a hotfix removing it was released the same day.
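As an added example (not from this page or from npm's own code), the block below reimplements a simplified subset of the semver range rules that the package.json paragraph describes and contrasts resolving from a manifest with resolving from a lockfile, which is the pinning mechanism behind the node-ipc/Vue.js item above. The package name "some-lib", its version list and both manifests are constructed; real npm handles pre-release tags and compound ranges that are left out here.

```javascript
// Simplified subset of npm's semver range semantics: exact pin, ~tilde, ^caret.
// Pre-release tags and compound ranges such as ">=1.2.0 <2.0.0" are out of scope.
function parse(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}
// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('^')) {   // ^1.2.3 := >=1.2.3 <2.0.0; ^0.2.3 := >=0.2.3 <0.3.0
    const base = range.slice(1), r = parse(base);
    if (compare(version, base) < 0) return false;
    if (r.major > 0) return v.major === r.major;
    if (r.minor > 0) return v.major === 0 && v.minor === r.minor;
    return v.major === 0 && v.minor === 0 && v.patch === r.patch;
  }
  if (range.startsWith('~')) {   // ~1.2.3 := >=1.2.3 <1.3.0
    const base = range.slice(1), r = parse(base);
    return compare(version, base) >= 0 && v.major === r.major && v.minor === r.minor;
  }
  return compare(version, range) === 0;  // bare version string: exact pin
}
// What a fresh `npm install` with no lockfile picks: the highest published version in range.
function resolve(range, published) {
  const ok = published.filter(v => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}
function resolveFromManifest(manifest, registry) {
  const out = {};
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    out[name] = resolve(range, registry[name] || []);
  }
  return out;
}
// What `npm ci` installs: exactly the versions recorded in package-lock.json, range or not.
function resolveFromLock(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path) out[path.replace(/^node_modules\//, '')] = entry.version;  // "" is the root project
  }
  return out;
}
// Constructed data (not a real package): "some-lib" has just published 1.5.0 and 2.0.0.
const REGISTRY = { 'some-lib': ['1.4.0', '1.4.1', '1.5.0', '2.0.0'] };
const PACKAGE_JSON = { dependencies: { 'some-lib': '^1.4.0' } };
const PACKAGE_LOCK = { packages: { '': { name: 'app' }, 'node_modules/some-lib': { version: '1.4.1' } } };
```

With these inputs the manifest range ^1.4.0 resolves to the newly published 1.5.0, whereas the lockfile keeps the project on 1.4.1; that gap is why a freshly published in-range release reaches installs that resolve from package.json alone.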