#npm

NPM workspaces help manage multiple nested packages within a single top-level package, improving since the release of NPM CLI 7.0. You can easily add dependencies to workspaces and handle duplications. Running scripts and orchestration in a monorepo is made easier with NPM workspaces. The npm pkg command is useful for setting and retrieving keys and values from package.json files. NPM workspaces offer benefits compared to Lerna and future plans include better workspace linking and adding missing features.

I'm Zebe, a JavaScript developer with a focus on security. Let's talk about the risks of consuming NPM packages, particularly malicious ones. We explore how to obtain and run malware, as well as evaluate and analyze JavaScript malware in Node.js. Malware can be delivered as pre-compiled bytecode, and defenses involve tools like npm audit. Hardin JavaScript and Lafamote are security tools that protect JavaScript applications and dependencies. Lafamote puts each package in its own compartment and provides tooling to create access policies. It prevents stolen cookies and restricts access to sensitive globals. Limited time offer to help set up projects with Lafamote.

This Talk discusses pain points and effective package management in monorepos, including the use of hoisted or isolated layouts and the challenges of working with peer dependencies. It introduces the tool Bit, which addresses these issues and handles dependency management and version control. Bit enables automatic installation and management of dependencies, supports multiple versions of a peer dependency, and seamlessly updates components across different environments.

Mark Erickson discusses the complexities of publishing TypeScript libraries, including considerations like build artifact file formats, package exports, and different user environments. He shares his experiences with ESM support and interop with other module formats, and the challenges faced in migrating Redux to TypeScript. Erickson highlights the importance of understanding file formats and module types, and the insights gained from discussions with the TypeScript team. He also emphasizes the need for better tools and documentation in the ecosystem for publishing and maintaining TypeScript libraries.

The Talk discusses speeding up MonrayBus in a pmpm workspace by organizing packages and considering dependencies. It covers installing and configuring the nx package, including choosing cacheable scripts. The nx-graph command is introduced for analyzing dependencies and optimizing the build process.

This talk discusses the security challenges in the JavaScript ecosystem, including supply chain security, lock file tampering, and arbitrary command execution. It highlights the risks of blind upgrades and hidden comments in code. The talk also covers dependency confusion attacks and the importance of establishing a threat model for node applications.

npm install can be a mysterious process, but understanding how package managers work is essential. NPM solved problems like large node_modules, circular dependencies, and multiple instances of the same package. Managing package versions and conflicts is crucial for consistency across projects. Alternative approaches to package management, like PNPM and Yarn2, provide insights into the hidden complexities of package managers.

Welcome to my talk on what's new in the NPM CLI. NPMv7 introduced many new capabilities, including installing peer dependencies by default. npm v7 also introduced support for workspaces, allowing the definition of projects within your root project. The NPM team is continuously improving the CLI with weekly releases and is working on exciting features in collaboration with GitHub. NPM is not an acronym for Node Package Manager, and the CLI will continue to improve with the support of the growing team.