NPM Enterprise update attempts to improve security, code visibility of JavaScript projects

Updates promised by npm, inc. are finally being delivered to improve the security of Node.js projects, aiming to assuage concerns that have built up over years of problems.

Security updates to NPM Enterprise were announced Wednesday by npm, inc. They add package filtering, give administrators visibility into JavaScript code deployed across the enterprise before it is added to a build and test pipeline, and offer single sign-on support for developers, along with multi-user management improvements.

The updates come relatively on schedule following discussion of the features last December with TechRepublic, when NPM vice president of security Adam Baldwin noted that "Users of Javascript in the enterprise share responsibility with NPM."

NPM's track record for security and corporate governance has been dicey. The infamous left-pad incident was prompted by npm, inc. acquiescing to demands from lawyers representing the messaging service Kik that an unrelated package be renamed. After the author of the package declined, npm, inc. reassigned the package to Kik, prompting the original author to unpublish every other package they owned and breaking downstream programs that required those packages, 575,000 of which used the left-pad package.

Noted programmer David Gilbertson takes issue with importing third-party packages for obvious reasons, noting in a Medium essay that "we live in an age where people install npm packages like they're popping pain killers."

Last November, a hacker socially engineered their way into control of the event-stream package. The malicious new maintainer then used that access to insert obfuscated code that stole cryptocurrency wallet information. Baldwin previously characterized this to TechRepublic as a "cat and mouse game" which is "difficult when you have 100,000 mice out there."

From a corporate governance standpoint, npm, inc. has taken heat throughout most of 2019 for layoffs affecting five employees, following the formal announcement of new CEO Bryan Bogensberger, who has been accused of replacing existing staffers with people from a startup that Bogensberger exited.
