npm
npm is the Node package manager (although the npm project maintains that the name is not an acronym). It can be used to manage JavaScript packages for any type of JavaScript project, not only Node.js or server-side JS. It provides quick access to all of the packages available at https://www.npmjs.org
Criticism
Dependency hell
- 2020-12-16 Jeremy Keith npm ruin dev
Ever had to revisit a project after, say, six or twelve months? Maybe you just want to make one little change to the CSS. But you can’t because a dependency is broken. So you try to update it. But it relies on a different version of Node.
Malware updates
- https://twitter.com/bantg/status/1504213698658938881
- "🚨 The authors of node-ipc have pushed malware in an update, which wipes your disk if you happen to have Russian or Belorussian IP address.
This affects some large projects like Vue CLI where it is a dependency.
https://github.com/RIAEvangelist/node-ipc/issues/233" @bantg March 16, 2022
Packages vulnerable to hijacking
- https://mobile.twitter.com/firefart/status/1532091679741825024
- "Want to watch the world burn? Here is a tool to check all NPM package maintainers for unregistered domains to hijack those packages by registering the domain again. NPM security guys are not interested in this data so here you go:
https://github.com/firefart/npmdomainchecker" @firefart June 1, 2022
See Also
- Node
- Humor: https://twitter.com/ikasliwal/status/1567640775659520000
- "The governor has declared a state of emergency and asked all Californians to not run `npm install` between 4 PM and 9 PM today in an effort to save energy." @ikasliwal September 7, 2022