npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Why we created npm Enterprise


Last week we launched npm Enterprise, a fact that might come as a surprise to those of you who’ve been paying attention and know that we’ve had an enterprise product since 2014. The new Enterprise is a totally different beast, the result of recognizing that the way npm works is fundamentally new and different from previous package ecosystems.

One of the strange things about npm’s ubiquity in 2019 is that the whole world is already our customer: the percentage of JavaScript developers who use npm has been steadily climbing from an estimated 50% in 2014 to something like 99% by the end of 2019. Everybody who writes JavaScript depends on npm, but it’s so reliable that it becomes invisible. That reliability and ease means people use more JavaScript without worrying about it, and the result is that Registry traffic has grown 23,500% in the last 5 years.

Dependency management used to be a discrete process. You could have a conversation about it or a meeting. You could fill in a form that listed the open-source software you depended on (early investors in npm asked us to list the open source we use and, expecting the usual 5 or 10 items, were surprised to receive a list containing tens of thousands). Fundamentally, things were moving at a human speed and in numbers that your dev team could be expected to handle manually.

That’s not how JavaScript works. More than 97% of npm users are using it to build web applications (with a healthy 77% also writing Node.js apps on the server), and the average modern web application has more than 2000 modules in it. The result is that 97% of the code in your JavaScript application is written by other people and downloaded from npm.

This creates a difference in quantity that becomes a difference in kind. Enterprise security and change management processes did not anticipate this kind of scale. When your application has two thousand dependencies, you can’t inspect them all yourself. You can’t hope they’re all secure. You can’t assume they’ve all got permissive licenses. And at least one of the packages you’re using will get an update every single day. You have to move from manual, discrete processes to automated, continuous processes.

Our earliest enterprise customers saw the public registry the way they saw previous package repositories: an unreliable source. They wanted a package management solution they could host themselves, where they could lock everything down to specific versions, where they could inspect everything for security. They wanted to be disconnected from the public npm Registry.

But you can’t work that way with modern JavaScript. In 2019, you can’t write JavaScript without open source code, and nearly all open source JavaScript is hosted on npm. You can’t disconnect from the public Registry, because you need it every hour of every day. You want your developers to move quickly by re-using code inside your organization without constantly running into roadblocks caused by half-implemented npm repository mirrors. You want your developers to develop securely without feeling slowed down by lengthy and inaccurate security scans.

So the new npm Enterprise is designed to feel exactly like npm. Its website looks just like npm’s, with full READMEs and world-class search. It supports all the npm commands, not just install, and it’s just as fast as the public registry. Your npm Enterprise runs on its own dedicated hardware on a securely isolated network, but is plugged directly into the Registry, and run by the same team. You get package updates the moment they happen, and you get security updates the moment we have them, often days before third-party security products.

We saw too many products that tried to do package management that were the bane of developers’ lives. They would complain about missing features, poor performance, mysterious bugs. They were in conflict with IT and security departments that needed stronger guarantees around auditability, security and uptime. With npm Enterprise, we can satisfy both camps. The developers get the smooth, uninterrupted experience they’ve been wanting, and IT and security get the insight they need to sleep at night.

npm Enterprise is enterprise-grade security and collaboration software that works the way npm does: quickly, silently, and so trouble-free you forget it’s even there. It’s so reliable that it becomes invisible. That’s the way it should be, and we hope you like it as much as we do.

To learn more about the ways npm Enterprise can help your business, visit our product page.