npm

npm: Cannot read property ‘resolve’ of undefined

When developing software for Node.js, I use the n package manager to manage and switch between Node versions. Recently, I needed to update my installed Node version (9.2.1) to something more recent. I ran `$ sudo n latest` to install 13.1.0. But after the upgrade, npm installations stopped working. Any use of `npm i` would […]




npm

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few




npm

Malicious NPM Packages Target Roblox Users with Data-Stealing Malware

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available




npm

Create Angular NPM Package and Publish

Are you interested in creating and publishing NPM packages/libraries to enrich Angular functionality? Take a quick look at this post. You can share solutions with other developers. A simple package can solve many problems and resolve issues quickly. If you are working with multiple applications, the package approach will help you solve component problems easily. In this post I have created the Bootstrap confirm functionality package with control options and published it to the NPM repository for global use.





npm

Risk stratification using FLT3 and NPM1 in acute myeloid leukemia patients autografted in first complete remission




npm

npm's CTO: So Long, and Thanks for All The Packages

#334 — April 16, 2020

Node Weekly

npm Has Now (Actually) Joined GitHub — We announced GitHub’s acquisition of npm a month ago but now the process is complete. Not much real news here but the plan is to now focus on community engagement and improving registry infrastructure.

Jeremy Epling (GitHub)

Node v13.13.0 (Current) Released — fs.readv is a new function to sequentially read from an array of ArrayBufferViews, util.inspect now lets you specify a maximum length for printed strings, the default maximum HTTP header size has been increased to 16KB, there are three new collaborators, and more.

Michaël Zasso

Get Better Insight into Redis with RedisGreen — Modern hosting and monitoring services include memory usage maps, seamless scaling, key size tracking, and more.

RedisGreen sponsor

▶  Watch the Live Coding of a New Feature for Node.js — This is not something for novices, but if the idea of watching ‘over the shoulder’ of a Node.js collaborator implementing a new feature directly into Node itself interests you, this could be a valuable hour spent.

Vladimir de Turckheim

node-libcurl 2.1: libcurl Bindings for Node — libcurl is a very powerful and well established way to fetch data from URLs across numerous protocols. node-libcurl 2.1.0 brings support for the latest version of libcurl (7.69.1) to us in the Node world.

Jonathan Cardoso Machado

npm's CTO: 'So Long, and Thanks for All The Packages!' — Ahmad Nassri was npm’s CTO but has now left. Here, he reflects on the past ten years of npm, the repo, the company, and the achievements of both.

Ahmad Nassri

Jobs

Find a Job Through Vettery — Vettery specializes in tech roles and is completely free for job seekers. Create a profile to get started.

Vettery

Node.js Developer at X-Team (Remote) — Join X-Team and work on projects for companies like Riot Games, FOX, Coinbase, and more. Work from anywhere.

X-Team

▶️ Get ready for your next role: Pluralsight is free for the entire month of April. Stay Home. Skill Up. #FreeApril — SPONSORED

Tutorials

Working With AWS Route 53 from Node — Route 53 is Amazon Web Services’ suite of DNS-related services. Like every AWS service, you can control it via an API, and here’s how to manipulate hosted zones from Node.

Valeri Karpov

Best Practices Learnt Running Express.js in Production for 4 Years — There’s a lot of stuff packed in here focused around middleware, testing, logging, and general concerns around scaling and keeping apps running in production.

Adnan Rahić

The Node.js Security Handbook — Improve the security of your Node.js app with the Node.js security handbook made for developers.

Sqreen sponsor

How To Set Up an Express API Backend Project with PostgreSQL — A pretty extensive walkthrough of creating an HTTP API using Express with Node.js and Postgres on the backend, then deploying it all on Heroku.

Chidi Orji

Porting to TypeScript Solved Our API Woes — From the guy behind the (in)famous Wat video comes a tale of porting a backend from Ruby to TypeScript.

Gary Bernhardt

How to Mass Rename Files in Node

Flavio Copes

▶  Let's Build a Digital Circuit Simulator In JavaScript — A special episode of the Low Level JavaScript series takes us on a brief journey into the world of digital logic.

Low Level JavaScript

The Story of How I Created a Way to Port Windows Apps to Linux — We mentioned ElectronCGI recently as a way to let .NET and Node.js code depend upon each other, but here its creator explains more about the how and why.

Rui Figueiredo

How to Create an Alexa Skill with Node — Implementing a custom ‘skill’ for Amazon Alexa by using Node and AWS Lambda.

Xavier Portilla Edo

Tools, Resources and Libraries

Node v10.20.1 (LTS) Released — If you’re still using Node 10, don’t use v10.20.0, use this, due to a bug in the .0 release.

Bethany Nicolle Griggs

emoji-regex: A Regular Expression to Match All Emoji-Only Symbols

Mathias Bynens

ip-num: A Library to Work with ASN, IPv4, and IPv6 Numbers — Happy in both Node and the browser.

dadepo

Optimize Node.js Performance with Distributed Tracing in Datadog

Datadog APM sponsor

verify-json: Verify JSON Using a Lightweight Schema — A lighter weight alternative to something like JSON Schema.

Yusuf Bhabhrawala

middle-manager: A Lightweight 'No BS' Presentation Tool — A bit of humor, really. It turns Markdown into basic presentations but then the magic is it detects your ‘BS’ business language so you can remove it.

Anders




npm

052 JSJ Node & NPM with Isaac Schlueter

Use this link and code JAVAJAB to get 20% off your registration for FluentConf 2013!

Panel

  • Isaac Schlueter
  • Joe Eames
  • Merrick Christensen
  • AJ O’Neal
  • Jamison Dance
  • Charles Max Wood (Teach Me To Code, Rails Ramp Up)

Discussion

01:33 - Isaac Schlueter Introduction

  • NPM
  • Node

02:33 - Node Backstory

  • v8
  • SpiderMonkey
  • Joyent

05:37 - Node and New Features

  • Node.js v0.10.0 Manual & Documentation
  • v8

13:30 - Language Accommodations

  • TC39
  • Luvit
  • libev
  • libuv
  • eventmachine @ GitHub
  • Zed Shaw

22:32 - C++

  • LibEVN - Node in C

25:19 - New Streams API

30:37 - Semantic Versioning

  • Experimental versions

33:01 - NPM

39:30 - Isaac’s Future

41:06 - Discovery

  • Recommendation Engine
  • Exposing Quality of Modules
  • Code Quality

47:18 - Advice for Adopting Node

  • Joyent
  • The Node Firm
  • StrongLoop
  • Iris Couch

Picks

Wild at Heart Revised and Updated: Discovering the Secret of a Man’s Soul by John Eldredge (Joe)
The Aquabats (Jamison)
User Feedback: Isaac Schlueter (Jamison)
Fluent 2013 (Merrick) Code: JAVAJAB
So Good They Can’t Ignore You: Why Skills Trump Passion in the Quest for Work You Love by Cal Newport (Merrick)
StarCraft II (Merrick)
Moving to GruntJS: AJ ONeal (AJ)
Intro to JSHint: Training Wheels for JavaScript: AJ ONeal (AJ)
Gimp (AJ)
And Another Thing... (The Hitchhiker’s Guide to the Galaxy) by Eoin Colfer
Free Music Downloads on Last.fm (AJ)
Blackbird Blackbird - Hawaii (AJ)
Hazel (Chuck)
Mac Power Users (Chuck)
Nonviolent Communication: A Language of Life (Isaac)

Next Week

Software Team Dynamics

Transcript

CHUCK: You all ready?
JAMISON: Super ready.
AJ: So ready.
JOE: I was born ready.
MERRICK: I was molded by ready. [Laughter]
CHUCK: Alright.
[Hosting and bandwidth provided by the Blue Box Group. Check them out at Bluebox.net.]
[This episode is sponsored by Component One, makers of Wijmo. If you need stunning UI elements or awesome graphs and charts, then go to Wijmo.com and check them out.]
CHUCK: Hey everybody and welcome to Episode 52 of the JavaScript Jabber Show. This week on our panel, we have Joe Eames.
JOE: Hey there.
CHUCK: We also have Merrick Christensen.
MERRICK: What up?
CHUCK: AJ O’Neal.
AJ: How do you decide the order each week?
CHUCK: I just make it up.
AJ: Okay. It’s only random.
CHUCK: And Jamison Dance.
JAMISON: Hey guys.
CHUCK: I’m Charles Max Wood from DevChat.tv and we have a special guest, that’s Isaac. I know I’m going to destroy your last name. Let me see if I can say it… You say it.
ISAAC: Schlueter.
CHUCK: Schlueter!
ISAAC: Yeah.
AJ: That’s so much easier than I’d ever imagined. [Laughter]
ISAAC: I wanted to hear Chuck keep going on that.
JOE: Yeah, it’s pretty good.
CHUCK: It has extra consonants in it, it throws me off. And then extra vowels.
MERRICK: I heard him just crying, “Shu...shu…” [Laughs]
ISAAC: I have relatives that can’t say it right and it’s their name so… [Laughter]
CHUCK: Alright. Well, do you want to introduce yourself real quickly since you haven’t been on the show?
ISAAC: Sure. I am the author of NPM and I’ve been maintaining Node for the last -- Jesus! It’s been almost a year and a half now, a year or so.
CHUCK: So just a couple small projects that nobody’s heard of, right? [Laughter]
ISAAC: Yeah, a handful of little things on GitHub.
CHUCK: Is there anything else we have to know about you?
ISAAC: I enjoy changing my Twitter avatar to things that are funny or disturbing or preferably both. [Laughter]
ISAAC: And, I don’t know.
CHUCK: Alright. Well, we really appreciate you coming on the show.
AJ: That is pretty disturbing dude. You’ve got your face on a really overweight cat.




npm

099 JSJ npm, Inc. with Isaac Schlueter, Laurie Voss, and Rod Boothby

The panelists discuss npm, Inc. with Isaac Schlueter, Laurie Voss, and Rod Boothby.




npm

127 JSJ Changes in npm-Land with Forrest Norvell, Rebecca Turner, Ben Coe, and Isaac Z. Schlueter

The panelists discuss changes in the npm package manager with Forrest Norvell, Rebecca Turner, Ben Coe, and Isaac Z. Schlueter.




npm

174 JSJ npm 3 with Rebecca Turner and Forrest Norvell

Don’t miss out! Sign up for Angular Remote Conf!

 

02:28 - Forrest Norvell Introduction

02:37 - Rebecca Turner Introduction

03:05 - Why npm 3 Exists and Changes in npm 2 => 3

  • Debugging
  • Life Cycle Ordering
  • Deduplication

08:36 - Housekeeping

09:47 - Peer Dependency Changes

15:38 - The Rewrite Process and How That Enabled Some of the Changes Coming Out

22:50 - shrinkwrapping

27:00 - Other Breaking Changes?

  • Permissions

30:40 - Tiny Jewels

33:24 - Why Rewrite?

36:00 - npm’s Focus on the Front End

42:04 - Transitioning to npm 3

42:54 - Installing npm 3

44:11 - Packaging with io.js and Node.js

45:16 - Being in Beta

Picks

Slack List (Aimee)
Perceived Performance Fluent Conf Talks (Aimee)
Paul Irish: How Users Perceive the Speed of The Web Keynote @ Fluent 2015 (Aimee)
Subsistence Farming (AJ)
Developer On Fire Episode 017 - Charles Max Wood - Get Involved and Try New Things (Chuck)
Elevator Saga (Chuck)
BrazilJS (Forrest)
NodeConf Brazil (Forrest)

For quick testing: `npm init -y`, configure init (Forrest)
Where Can I Put Your Cheese? (Or What to Expect From npm@3) @ Boston Ember, May 2015 (Rebecca)
Open Source & Feelings Conference (Rebecca)
bugs [npm Documentation] (Rebecca)
docs [npm Documentation] (Rebecca)
repo [npm Documentation] (Rebecca)




npm

JSJ 266 NPM 5.0 with Rebecca Turner

On today’s episode of JavaScript Jabber, Charles Max Wood and panelist Joe Eames chat with Rebecca Turner, tech lead for NPM, a popular JavaScript package manager with the world’s largest software registry. Learn about the newly released NPM 5 including a few of the updated features. Stay tuned!

[1:58] Was the release of Node.js 8 tied to NPM5?
  • Features in NPM5 have been in planning for 2 years now.
  • Planned on getting it out earlier this year.
  • Node 8 was coming out and got pushed out a month.
  • Putting NPM5 into Node 8 became doable.
  • Pushed really hard to get NPM5 into Node 8 so that users would get NPM5 and updates to NPM5.
[2:58] Why would it matter? NPM doesn’t care right?
  • Right you can use NPM5 with any version of node.
  • Most people don’t update NPM, but upgrade Node.
  • So releasing them together allowed for when people updated Node they would get NPM 5.
[3:29] How does the upgrade process work if you’re using NVM or some node version manager?
  • Depends. Different approaches for each
  • NVM gets a fresh copy of Node with new globals. NPM 5 and Node 8 are bundled.
  • For some, if you manually upgrade NVM, you’ll always have to do so manually. It will keep the one you manually upgraded to.
[4:16] Why NPM 5?
  • It’s night and day faster.
  • 3 to 5 times speed up is not uncommon.
  • Most package managers are slow.
  • NPM 5 is still growing. Will get even faster.
[5:18] How did you make it faster?
  • NPM’s cache is old. It’s very slow. Appallingly slow.
  • Rewrote cache
  • Saw huge performance gains
[5:49] What is the function of the cache?
  • Cache makes it so you don’t have to reinstall modules from the internet.
  • It has registry information too.
  • It will now obey http headers for timing out cache.
[6:50] Other things that made it faster?
  • Had a lock file for a long time. It was called shrinkwrap.
  • NPM 5 makes it default.
  • Renamed it to package-lock.json
  • Exactly like shrinkwrap package file seen before
  • In combo with cache, it makes it really fast.
  • Stores information about what the tree should look like and its general structure.
  • It doesn’t have to go back and learn versions of packages.
[7:50] Can you turn the default package-lock.json off?
  • Yes. Just:
  • Set package-lock=false in the npmrc
[8:01] Why make it default? Why wasn’t it default before?
  • It didn’t have it before. Shrinkwrap was added as a separate project enfolded in NPM and wasn’t core to the design of NPM.
  • Most people would now benefit from it. Not many scenarios where you wouldn’t want one.
  • Teams not using the same tools causes headaches and issues.
[9:38] Where does not having a lock show up as a problem?
  • It records the versions of the packages installed and where NPM put them so that when you clone a project down you will have exactly the same versions across machines.
  • Collaborators have the exact same version.
  • Protects from issues after people introduce changes and patch releases.
  • NPM being faster is just a bonus.
  • Store the sha512 of the package that was installed in the lock file so that we can verify it when you install. It’s bit for bit what you had previously.
[11:12] Could you solve that by setting the package version as the same version as the .json file?
  • No. That will lock down the versions of the modules that you install personally, not the dependencies, or transitive dependencies.
  • Package lock allows you to look into the head of the installer. This is what the install looks like.
[12:16] Defaulting the lock file speeds things up? How?
  • It doesn’t have to figure out dependencies or the tree, which makes it faster.
  • Shrinkwrap command is still there, it renames it to shrinkwrap but shrinkwrap cannot be published.
  • For application level things or big libraries, using shrinkwrap to lock down versions is popular.
[13:42] You’ve Adopted specifications in a ROC process. When did you guys do that?
  • Did it in January
  • Have been using them internally for years. Inviting people into the process.
  • Specifications
  • Written in the form of “Here is the problem and here are the solutions.”
  • Spec folder in NPM docs, things being added to that as they specify how things work.
  • Spec tests have been great.
[14:59] The update adds new tools. Will there be new things in registry as well?
  • Yes.
  • Information about a package from registry, it returns document that has info about every version and package json data and full readme for every version.
  • It gets very large.
  • New API to request smaller version of that document.
  • Reduces bandwidth, lower download size, makes it substantially faster.
  • Used to be hashed with sha1. With this update it will be hashed with sha512 as well as sha1 for older clients.
[16:20] Will you be stopping support for older versions?
  • LTS version of NPM was a thing for a while. They stopped doing that.
  • Two models, people either use whatever version came with Node or they update to the latest.
  • The NPM team is really small. Hard to maintain old NPM branches.
  • Supports current versions and that’s pretty much it.
  • If there are big problems they will fix old versions. Patches, etc.
[17:36] Will there ever be problems with that?
  • Older versions should continue to work. Shouldn’t break any of that.
  • Can’t upgrade from 0.8.
  • It does break with different Node version
  • Does not support Node versions 0.10 or 0.12.
[18:47] How do you upgrade to NPM?
  • `sudo npm install -g npm`
  • Yes, you may not need sudo. Depends on what you’re on.
[19:07] How long has it been since version 4?
  • Last October is when it came out.
[19:24] Do you already have plans for version 6?
  • Yes!
  • More releases than before coming up.
  • Finally deprecating old features that are only used in a few packages out of the whole registry.
  • Running tests on getting rid of things.
[20:50] Self healing cache. What is it and why do we want it?
  • Users are sometimes showing up where installs are broken and tarballs are corrupted.
  • This happens sometimes; complicated containerization setups make it more likely. It’s unclear where the problem actually is.
  • CaCache - content addressable cache. Take the hash of your package and use it as the address to look it up in the cache.
  • Compares the tarball using an address to look it up in the cache.
  • Compares to see if it’s old. Trashes old and downloads updated one.
  • Came out with the cache. Free side effect of the new cache.
[23:14] New information output as part of the update?
  • NPM has always given you back the tree from what you just installed.
  • Now, trees can be larger and displaying that much information is not useful.
  • User patch - gives you specifically what you asked for.
  • Information it shows will be something like: “I installed 50 items, updated 7, deleted 2.”
[24:23] Did you personally put that together?
  • Yes, threw it together and then got feedback from users and went with it.
  • Often unplanned features will get made and will be thrown out to get feedback.
  • Another new thing: ls output now shows you modules that were deduped. Shows logical tree and its relationships and what was deduped.
[25:27] You came up to node 4 syntax. Why not go to node 8?
  • To allow people with just node 4 be able to use NPM.
  • Many projects still run Node 4. Once a project has been deployed, people generally don’t touch it.
[26:20] Other new features? What about the File Specifier?
  • File specifier is new. File paths can be in package json, usually put inside pointing to something inside your package.
  • It will copy from there to your node modules.
  • Just a node module symlink.
  • Much faster. Verifiable that what’s in your node modules matches the source. If it’s pointing at the right place it’s correct. If not, then it’s not.
  • Earlier, sometimes it was hard to tell.
[27:38] Anything else as part of the NPM 5 release? Who do you think will be most affected by it?
  • For the most part, people notice three things:
  • 1st. no giant tree at the end
  • 2nd. Much faster
  • 3rd. Package lock.
[28:14] If it’s locked, how do you update it?
  • Run npm installer and then npm update
  • Used to be scary, but works well now.
  • Updates to latest semver, matches semver to package json to all node modules.
  • Updates package lock at the same time
  • Summary in Git shows what’s changed.
[28:59] Did Yarn come into play with your decisions with this release?
  • The plans have been in play for a long time for this update.
  • Yarn’s inclusion of similar features and the feedback was an indicator that some of the features were valuable.
[29:53] Other plans to incorporate features similar to yarn?
  • Features are already pretty close.
  • There are other alternative package managers out there.
  • pnpm is interesting because when it installs it doesn’t copy all the files. It creates hard links.
[30:28] Do pnpm and Yarn use the NPM registry?
  • Yes! Other than CNPM. The NPM client used in China.
  • CNPM Registry mirror behind firewall. Have their own client to their registry. Their registry is a copy of ours.
[31:15] What about RNPM?
  • I wouldn’t be surprised.
[31:45] “Won’t you come and say something controversial about your competitor?”
  • We all want it to be collaborative.
  • When we were writing our new cache, we also helped Yarn with their cache and sped things up tremendously.

Picks

Charles

Rush Limbaugh’s children’s books
Tinker Crate
Kiwi Crate
NPM
Episodes on My JS Story.

Joe

Gravity Falls
Board Games

Rebecca

NPX

Funstream


Links to keep up with NPM and Rebecca

Twitter @rebeccaorg
NPMjS on Twitter
blog.npmjs.com




npm

JSJ 366: npm with Mikeal Rogers

Sponsors

Panel

  • AJ O’Neal
  • Chris Ferdinandi
  • Aimee Knight
  • Charles Max Wood

Joined by special guest: Mikeal Rogers

Episode Summary

This episode of JavaScript Jabber starts with Mikeal Rogers introducing himself and his work in brief. Charles clarifies that he wants to focus this show on some beginner content such as node.js basics, so Mikeal gives some historical background on the concept, elaborates on its modern usage and features and explains what “streams” are, for listeners who are starting to get into JavaScript. The panelists then discuss how languages like Go and Python compare to node.js in terms of growth and individual learning curves. Mikeal answers questions about alternate CLIs, package management, Pika, import maps and their effect on node.js, and on learning JavaScript in general. Chris, Charles and AJ also chip in with their experiences in teaching modern JS to new learners and its difficulty level in comparison to other frameworks. They wrap up the episode with picks.

Links

Follow JavaScript Jabber on Devchat.tv, Facebook and Twitter.

Picks

Chris Ferdinandi:

Aimee Knight:

Mikeal Rogers:

Charles Max Wood:




npm

How to Publish an Updated Version of an npm Package

What’s typically involved in an npm version release? How can you determine the release process for an existing project? Can project maintainers do anything to make it easier for new contributors?