| Field | Value |
|---|---|
| Original author(s) | Isaac Z. Schlueter |
| Developer(s) | npm, Inc. (a subsidiary of GitHub, a subsidiary of Microsoft) |
| Initial release | 12 January 2010 |
| Stable release | 7.6.0 / 25 February 2021 |
| License | Artistic License 2.0 |
- In March 2016, npm attracted press attention after a package called
- In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.
- In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.
- In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that steals bitcoins from certain applications. npm administrators responded by removing the offending package.
- In April 2020, a small package called is-promise resulted in an outage in serverless applications and deployments worldwide by virtue of being a dependency of many big and important applications.
In npm version 6, the audit feature was introduced to help developers identify and fix vulnerabilities and other security issues in installed packages. The vulnerability reports were taken from the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
When used as a dependency manager for a local project, npm can install all of a project's dependencies in one command by reading its package.json file. Each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while avoiding unwanted breaking changes.
npm also provides version-bumping tools for developers to tag their packages with a particular version. It also provides the package-lock.json file, which records the exact version used by the project after evaluating semantic versioning in
npmd, and Yarn, the last of which was released by Facebook in October 2016. They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.
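The version-range behaviour described above, as an added example that is not from the article or from npm's own code: a small JavaScript evaluator for caret, tilde and exact ranges that picks the highest matching version from a constructed registry listing, the way npm install resolves a package.json range, and builds the exact pins that package-lock.json then records. The registry versions and package names are constructed sample data; npm's real semver package supports many more range forms than these three.

```javascript
// Added example, not from the article or from npm's own code: how the
// semver ranges written in package.json select a version, and what
// package-lock.json then pins. Only caret (^), tilde (~) and exact ranges
// are handled; npm's real `semver` package supports many more forms.

function parse(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}
function compare(a, b) {
  const x = parse(a), y = parse(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}
// True if `version` satisfies `range`.
function satisfies(range, version) {
  const op = range[0];
  const floor = op === "^" || op === "~" ? range.slice(1) : range;
  if (compare(version, floor) < 0) return false; // below the range's minimum
  const b = parse(floor), v = parse(version);
  if (op === "^") {
    // ^1.2.3 = >=1.2.3 <2.0.0; ^0.2.3 = >=0.2.3 <0.3.0; ^0.0.3 = 0.0.3 only.
    if (b.major > 0) return v.major === b.major;
    if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
    return compare(version, floor) === 0;
  }
  if (op === "~") {
    // ~1.2.3 = >=1.2.3 <1.3.0: patch updates only.
    return v.major === b.major && v.minor === b.minor;
  }
  return compare(version, floor) === 0; // exact pin
}
// Highest available version that satisfies the range, as `npm install` picks.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(range, v)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}
// Constructed registry listing and package.json-style ranges (sample data).
const REGISTRY = ["0.2.3", "0.2.8", "0.3.0", "1.2.3", "1.2.9", "1.3.0", "1.9.5", "2.0.0"];
const DEPS = { "^1.2.3": "lib-a", "~1.2.3": "lib-b", "1.2.3": "lib-c", "^0.2.3": "lib-d" };
// What package-lock.json records: the exact version resolved for each range.
function buildLock(deps, registry) {
  const lock = {};
  for (const [range, name] of Object.entries(deps)) lock[name] = resolve(range, registry);
  return lock;
}

console.log(buildLock(DEPS, REGISTRY));
```

Note that the caret range never reaches 2.0.0, which is exactly how a package.json range lets patch and minor updates in while keeping a major (breaking) release out.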
The company behind the npm software is npm, Inc., based in Oakland, California. The CEO Bryan Bogensberger, who joined the company in July 2018, resigned in September 2019. Before Bogensberger's resignation, npm co-founder Laurie Voss resigned in July 2019.