NPM: Free public JavaScript registry will continue

Company says the free NPM package registry is here to stay, releases security upgrade for NPM Enterprise

Is the public NPM JavaScript package registry going away? NPM, the company behind the popular online repository of Node.js and JavaScript code, insists it will remain, despite a recent rumor to the contrary.

The company wants to dispel any notion that the public registry will be eliminated or that its elimination was ever under consideration. NPM is, in fact, continuing the public registry while also making recent improvements to its behind-the-firewall, commercially licensed, private registry for enterprises.

Rumor of a planned termination of the freely available public registry, leaving only the paid enterprise service, was reported by The Register. But Ahmad Nassri, NPM CTO, has sought to dispel this suggestion. “We clearly want to dismiss [this notion],” Nassri said. Such a move was not a conversation that ever happened or will ever happen, he stressed.

Despite reports of turmoil at the company, including the dismissal of five people and the resignation of co-founder Laurie Voss, Nassri insisted nothing was out of the ordinary at NPM. A startup company like NPM that has been important in the JavaScript community is going to come under scrutiny, Nassri said. He described NPM as a growing company trying to achieve a level of sustainability, to maintain the open source JavaScript registry forever. The NPM registry now hosts more than one million packages. The NPM client that works with the registry is distributed with the Node.js JavaScript runtime.

Amidst the turmoil, NPM has added an enterprise security policies capability to NPM Enterprise. Administrators can choose a maximum vulnerability level allowed for in-house JavaScript projects. Packages that do not meet security requirements will be filtered out. NPM’s security policies provide an extra layer of security at the beginning of the development lifecycle, where problems are easier to fix.

Also part of the security upgrade are organization-specific vulnerability reports, available in a beta release for select customers. Another improvement is SAML support for single sign-on, in addition to OpenID Connect, so that users are authenticated through user management infrastructure rather than through a separate set of user accounts that must be maintained. NPM Enterprise moved to production-level status in February.

Copyright © 2019 IDG Communications, Inc.