Categories: JavaScript, npm, Package Management

npm 5: Lockfiles Finally Arrive

npm 5 is shipping with package-lock.json, and the irony isn't lost on anyone. After Yarn forced npm's hand by introducing lockfiles in October 2016, npm is finally catching up. This is competition working exactly as intended—but it also exposes some uncomfortable truths about JavaScript dependencies.

What Changed

npm 5 introduces package-lock.json, which locks down the entire dependency tree. Run npm install on any machine with the lockfile, and you get identical versions of every package, including transitive dependencies. This matches what Yarn's yarn.lock has been doing since launch.

{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "lodash": {
      "version": "4.17.4",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz",
      "integrity": "sha1-eCA6TRwyiuHYbcpkYONptX9AVa4="
    }
  }
}

The performance improvements are also significant. npm 5 is noticeably faster than npm 4, though still not quite matching Yarn's speed.

Categories: JavaScript, npm, Open Source

The left-pad Incident: npm’s Single Point of Failure

This week, the JavaScript ecosystem had a wake-up call. A developer unpublished a tiny npm package—11 lines of code—and broke thousands of projects, including major ones like Babel and React. The incident exposed fundamental fragility in how npm dependencies work.

The technical fix was quick. The implications aren't.

What Happened