npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

npm registry is now fully HTTPS!

Effective yesterday morning, all requests to the npm registry are made via HTTPS.

What’s different

Practically this means:

Does this mean that package data is/was insecure?

No! The CLI verifies every downloaded tarball against the shasum recorded in the package metadata, and that metadata has always been fetched over HTTPS, so a tarball tampered with in transit would fail the check.

How it affects you

How to weather these changes

We’ve developed an ecosystem of tools that you can use to replicate the registry in a way that is resilient to these changes:

  1. _changes feed: https://skimdb.npmjs.com/registry/_changes?descending=true&limit=10

    For every change to a package in the registry, the whole package document (including the change) is emitted on the CouchDB _changes feed.

  2. follower: https://github.com/npm/concurrent-couch-follower

    Users wishing to follow the changes feed can use our CouchDB follower wrapper, which will ensure you don’t miss any documents even if you process them asynchronously.

  3. normalizer: https://github.com/npm/normalize-registry-metadata

    Finally, we also provide a normalizer to clean up the documents you receive from the changes feed before you apply them to your replica.

We will never stop making replicating public packages utterly trivial. If anything, we’ll keep making it easier.

We believe these tools should minimize any disruption from our transition to HTTPS — but of course there are edge cases! If you experience difficulty, we want to hear about it and help you out. As always, don’t be shy to reach out: support@npmjs.com.

Happy replicating!