A Beginner's Guide to NPM

A Beginner's Guide to NPM

January 11, 2017

If you've messed around with Node.js at all, then you've probably become familiar with things like npm init and npm install. While it's true that you are already using npm with these commands, there's a lot more to this JavaScript package manager that beginners are quick to overlook. In this article, we explore what exactly npm is, important things to consider when using npm, and even some potential security concerns when using the package manager.

What is npm?

NPM stands for Node Package Manager. It is THE most popular package manager for JavaScript used today. It was originally developed by Isaac Z. Schlueter and released in January of 2010 so it's relatively new compared to other package managers out there.

But What's a Package Manager?

Package managers are tools that automate the installation of software and their dependencies. They make it extremely easy to incorporate existing libraries/code into your own project. For example, you may want to write a web service but don't want to worry about constructing the http requests from scratch. In this case, you would use the Express framework, an extremely light-weight library that already does that for you. Rather than downloading the library yourself, you can use a package manager to quickly fetch a specific version of the library and include it in the project for you. This is the essence of npm and other package managers. It makes your life much easier as a developer and allows you to quickly bootstrap your own work onto what's already been figured out. Likewise, it's easy to upgrade and remove dependencies through package managers.

More on npm

With npm, developers can easily share and update code. When developers find solutions to small but powerful problems, they submit their code to npm's central registry. Here anybody can download the code as well as receive future updates on the 'module' or 'package'. Some packages are widely used (such as Socket.io which had nearly 800,000 downloads in the last week). Others have never been used or tested. This is both a blessing and a curse. While developers can easily share code with a centralized community, they open the doors to anyone and create major security vulnerabilites.

Security Issues

There have been several incidents with npm since it's inception. Most notably was just last year (March 23, 2016), when a npm package (left-pad) was taken down by it's author. This package was used by thousands of developers and the entire community was brought down. Although the problem was fixed within 10 minutes, it demonstrates the disadvantages of such an open relationship between developers and a centralized community.

Earlier that year, Google also discovered an exploit involving the fact that node modules can act on user systems and republish malicient modules to the central registry. If hackers can get just one unsuspecting developer to install an npm module, they can republish and change packages from that user, potentially affecting thousands.

Conclusion

While npm remains young and somewhat vulnerable, it's still the top package manager for front end developers. For those developers just entering the game, it will be a cornerstone for all your javaScript needs. As they say, it's important to trust npm, but always verify.


Join the conversation...



Submit

if you don't trust curl, then don't trust package managers. Sure, package managers are a cornerstone of virtually all development but don't underestimate the security vulnerabilities you face with npm and other package managers...
Posted by Josh Surack on January 11, 2017


More by the stackchief