Highlights of npm 6 at npm at Node+ JS Interactive 2018

Recently, Laurie Voss, the co-founder and COO of npm, at the Node+JS Interactive 2018 event spoke about npm and the future of JavaScript. He discussed several development tools used within the npm community, best practices, frameworks that are on the rise, and frameworks that are dying.

He found these answers with the help of 1.5 billion log events per day and the JavaScript Ecosystem Survey 2017 consisting of 16,000 JavaScript developers. This survey gives data about what JavaScript users are doing and where the community is going.

Key highlights of this talk:

npm is secure, popular, and fast

  • With more than 10 million users and 6 billion package downloads every week, npm has become ridiculously popular.
  • According to GitHub Octoverse 2017, JavaScript is the top language on GitHub by opened pull request. 85% of the developers who write JavaScript are using npm which is rising rapidly to reach 100%. These developers write JavaScript applications that run on 73% of browsers, 70% of servers, 44% of mobile devices, and 6% of IoT/robotics.
  • The stats highlight that, npm is the package manager for mainly web developers and 97% of the code in a modern web app is downloaded from npm.
  • The current version of npm, that is, npm 6 was released in April this year. This release comes with improved performance and addresses the major concern highlighted by the JavaScript Ecosystem survey, that is, security.

Major improvements in npm 6:

npm 6 is super fast

npm is now 20% faster than npm 4, so it is time for you to upgrade! You can do that using this command:

npm install npm -g

npm 6 locks by default

This was one of the biggest changes in npm 6, which makes sure that what you have in the development environment is exactly what you put in production. This functionality is facilitated by a new file called package-lock.json . This so-called “lock file” saves information about your node_modules/ tree since the time you last edited your dependencies.

npm ci

This command is similar to npm install, but is meant to be used in automated environments. It is primarily used in environments such as test platforms, continuous integration, and deployment.It can be about 2-3x faster than regular npm install by skipping certain user-oriented features.

Advances in npm security

Two-factor authentication

In order to provide strong digital security, npm now has two-factor authentication (2FA). Two-factor authentication confirms your identity using two methods:

Something you know such as, your username and password

Something you have such as, a phone or tablet

Quick audits

Quick audits tells you whether the packages you are installing are secure or not. These security warnings will be more detailed and useful in npm 6 as compared to previous versions.

The rise and fall of frameworks

After speaking about the current status of npm, Laurie moved on to explaining what npm users are doing, which frameworks they are using, and which frameworks they are no longer interested to use.

Not all npm users develop JavaScript applications

The interesting thing here was that, though most of the JavaScript users use npm, it is not that they are the only npm users. Developers writing applications in other languages also use npm. These languages include Java, PHP, Python, and C#, among others:


Some predictions based on the survey

  • It would be unwise to bet against React as it has tons of users and tons of modules
  • Angular is a safer but less interesting choice
  • Keep an eye on Next.js
  • If you are looking for something new to learn, go for GraphQL
  • With 46% of npm users using TypeScript for transpiling it is surely worth your attention
  • WASM seems promising
  • No matter what happens to JavaScript, npm is here to stay

This article was originally published on Packt Hub.