Software:npm
Original author(s) | Isaac Z. Schlueter |
---|---|
Developer(s) | npm, Inc. (a subsidiary of GitHub,[1] a subsidiary of Microsoft) |
Initial release | 12 January 2010[2] |
Written in | JavaScript |
Platform | Cross-platform |
Type | Package manager |
License | Artistic License 2.0 |
Website | www |
npm is a package manager for the JavaScript programming language maintained by npm, Inc. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer.[3]
It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
History
npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl).[4] npm is a JavaScript replacement for pm, a shell script.[5] While "npm" is commonly understood to be an abbreviation for "Node Package Manager", it officially stands for "npm is not an acronym".[6]
On March 2020 it was announced that npm is to be acquired by GitHub.[1]
Usage
npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools.[7] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json
file.[8] In the package.json
file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.[9] npm also provides version-bumping tools for developers to tag their packages with a particular version.[10] npm also provides the package-lock.json
[11] file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json
.
Client
npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry.[12]
In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm
on Linux systems would change the ownership of system files, permanently breaking the operating system.[13]
In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.[14] The source of security vulnerabilities were taken from reports found on the Node Security Platform (NSP) and has been integrated with npm since npm's acquisition of NSP.[15]
Registry
Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format.[16]
Over 1.3 million packages are available in the main npm registry.[17]
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.[16] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.[18] npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages.[19]
Internally npm relies on the NoSQL Couch DB to manage publicly available data.[20]
Security and disruption
Dependency chain issues
In March 2016, npm attracted press attention[21] after a package called left-pad
, which many popular JavaScript packages depended on, was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik.[22][23] Although the package was republished three hours later,[24] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.[25]
In April 2020, a small package called is-promise
resulted in outage in serverless applications and deployments worldwide by virtue of being a dependency of many big and important applications.[26][non-primary source needed]
Compromised and disruptively-edited packages
In July 2018, the npm credentials of a maintainer of the popular eslint-scope
package were compromised resulting in a malicious release of eslint-scope
, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope
and uploaded them to the attacker.[27]
In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream
. The malicious package, called flatmap-stream
, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package.[28][29]
In January 2022, the maintainer of the popular package colors
pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker
, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?"[30]
In March 2022, developer Brandon Nozaki Miller released a version of the package node-ipc
containing malicious code that would delete files from users with Belarusian and Russian IP addresses, in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc
as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js became affected by the malicious package if the dependency was fetched as the latest package.[31][32] The affected dependency was also briefly present in version 3.1 of Unity Hub; a hotfix was released the same day to remove the issue, however.[33]
Alternatives
There are a number of open-source alternatives to npm for installing modular JavaScript, including ied
, pnpm
, npmd
, Yarn,[34] Bun and Deno. Deno and Bun also provide a JavaScript runtime, while only Deno operates independently from NPM Registry or any centralized repository[35] and it's support of NPM registry is still a subject of ongoing work in progress as of January 2024.[36] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.[37]
See also
References
- ↑ 1.0 1.1 "Microsoft-owned GitHub to acquire JavaScript package manager Npm". 17 March 2020. https://www.geekwire.com/2020/microsoft-owned-github-acquire-javascript-package-manager-npm/.
- ↑ "Earliest releases of npm". https://github.com/npm/npm/releases?after=v0.1.1.
- ↑ Dierx, Peter (30 March 2016). "A Beginner's Guide to npm – the Node Package Manager". https://www.sitepoint.com/beginners-guide-node-package-manager/.
- ↑ Schlueter, Isaac Z. (25 March 2013). "Forget CommonJS. It's dead. **We are server side JavaScript.**". https://github.com/joyent/node/issues/5132#issuecomment-15432598.
- ↑ https://github.com/npm/cli#is-npm-an-acronym-for-node-package-manager
- ↑ npm [@npmjs]. ""npm" doesn't stand for "Node Package Manager". It stands for "npm Is Not An Acronym". Why not "NINAA"? Because then it would be an acronym.". https://twitter.com/npmjs/status/105690425242820608. Missing or empty |date= (help)
- ↑ Ellingwood, Justin. "How To Use npm to Manage Node.js Packages on a Linux Server". https://www.digitalocean.com/community/tutorials/how-to-use-npm-to-manage-node-js-packages-on-a-linux-server.
- ↑ "npm-install". https://docs.npmjs.com/cli/install.
- ↑ "semver". https://docs.npmjs.com/misc/semver.
- ↑ "npm-version". https://docs.npmjs.com/cli/version.
- ↑ Koirala, Shivprasad (21 August 2017). "What is the need of package-lock.json in Node?". https://www.codeproject.com/Articles/1202361/What-is-package-lock-json-file-in-Node-NPM.
- ↑ Ampersand.js. "Ampersand.js – Learn". https://ampersandjs.com/learn/npm-browserify-and-modules/.
- ↑ "Critical Linux filesystem permissions are being changed by latest version". https://github.com/npm/npm/issues/19883.
- ↑ npm. "'npm audit': identify and fix insecure dependencies". https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure.
- ↑ npm. "The Node Security Platform service is shutting down 9/30". https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting.
- ↑ 16.0 16.1 Ojamaa, Andres; Duuna, Karl (2012). "Assessing the Security of Node.js Platform". 2012 International Conference for Internet Technology and Secured Transactions. IEEE. ISBN 978-1-4673-5325-0. https://ieeexplore.ieee.org/document/6470829. Retrieved 22 July 2016.
- ↑ Nassri, Ahmad (April 14, 2020). "So long, and thanks for all the packages!". https://blog.npmjs.org/post/615388323067854848/so-long-and-thanks-for-all-the-packages.
- ↑ "npm Code of Conduct: acceptable package content". https://docs.npmjs.com/policies/conduct#acceptable-package-content.
- ↑ Vorbach, Paul. "npm-stat: download statistics for NPM packages". https://npm-stat.com/.
- ↑ "registry | npm Docs". https://docs.npmjs.com/cli/v7/using-npm/registry/.
- ↑ Yegulalp, Serdar (23 March 2016). "How one yanked JavaScript package wreaked havoc". http://www.infoworld.com/article/3047177/javascript/how-one-yanked-javascript-package-wreaked-havoc.html.
- ↑ Williams, Chris. "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript". The Register. https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/.
- ↑ Collins, Keith (27 March 2016). "How one programmer broke the internet by deleting a tiny piece of code" (in en). https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/.
- ↑ "kik, left-pad, and npm". http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.
- ↑ "changes to unpublish policy". npm Blog (Archive). http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy.
- ↑ "ERR_INVALID_PACKAGE_TARGET". Github. https://github.com/then/is-promise/issues/13.
- ↑ "Virus in eslint-scope? · Issue #39 · eslint/eslint-scope". https://github.com/eslint/eslint-scope/issues/39.
- ↑ "Details about the event-stream incident". The npm Blog. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident.
- ↑ "Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2". Github. https://github.com/dominictarr/event-stream/issues/115.
- ↑ "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps". Bleeping Computer. https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/.
- ↑ "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer. https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/.
- ↑ Juha Saarinen (March 17, 2022). "'Protestware' npm package dependency labelled supply-chain attack". nextmedia. https://www.itnews.com.au/news/protestware-npm-package-dependency-labelled-supply-chain-attack-577488.
- ↑ Proven, Liam (18 March 2022). "JavaScript library updated to wipe files from Russian computers". Situation Publishing. https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/.
- ↑ "Hello, Yarn!". 11 October 2016. https://blog.npmjs.org/post/151660845210/hello-yarn.
- ↑ "Managing Dependencies". https://docs.deno.com/runtime/tutorials/manage_dependencies.
- ↑ "Node and npm modules | Deno Docs" (in en). https://docs.deno.com/runtime/manual/node/.
- ↑ Katz, Yehuda (11 October 2016). "Why I'm working on Yarn". http://yehudakatz.com/2016/10/11/im-excited-to-work-on-yarn-the-new-js-package-manager-2/.
External links
Original source: https://en.wikipedia.org/wiki/Npm.
Read more |