npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Better package selection with npm Enterprise

A couple months ago, we added the ability to block bad package downloads from npm Enterprise. For a security team, this is awesome because it lets you define compliance policies that are automatically enforced by the tools your developers already use.

However, enforcing policy this way can make for an unpleasant developer experience: running `npm install` and watching the CLI try to fetch packages that cannot be downloaded because of policy violations is not great.

We’re pleased to announce that we’ve made some changes that improve this experience. Now, npm Enterprise provides clients a list of package versions that are allowed by policy.

For example, run the following command against an npm Enterprise instance:

```
npm install lodash
```

The CLI asks npm Enterprise for the list of lodash versions it can install. The change we made is that the registry now returns the versions that are allowed by policy separately from the versions that are not allowed by policy. There are two upsides to this:

  1. Older versions of the CLI won’t break. They’ll be able to automatically select a version that both meets your range criteria and is allowed by policy.
  2. If you’re running npm@6.11.0 or newer, it can tell the difference between a package that was not found and a package that exists but is not allowed by policy. It uses this to provide a better developer experience.

For example, if no allowed versions exist in the requested version range, the updated CLI will tell you this directly:

```
npm ERR! code E403
npm ERR! 403 Could not download lodash@1.3.1 due to policy violations.
npm ERR! 403 Use `npm audit fix` to upgrade this dependency.
npm ERR! 403
npm ERR! 403 In most cases you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy
npm ERR! 403 please contact your npme admin.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/admin/.npm/_logs/2019-08-09T20_46_04_225Z-debug.log
```

Before this change, you would just get an obscure 403 message when the CLI tried (and failed) to download a blocked package. The new message is much more useful, since it tells you why the install failed and how to resolve it.
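To make the version-selection behaviour concrete, here is an added example (not npm's or npm Enterprise's own code) that models a client resolving a semver range against a packument whose versions the registry has split into policy-allowed and policy-blocked sets. The packument contents and the `policyRestrictions` field name are constructed for illustration, and the range matcher supports only the common forms (`*`, exact, `^`, `~`, `>=`).

```javascript
// Constructed packument: the registry reports allowed versions under `versions`
// and versions that exist but are blocked by policy under `policyRestrictions`.
// Field names are an assumption for this example, not the npm Enterprise wire format.
const PACKUMENT = {
  name: 'lodash',
  versions: { '4.17.12': {}, '4.17.13': {}, '4.17.14': {}, '4.17.15': {} },
  policyRestrictions: { versions: { '1.3.1': {}, '4.17.11': {} } },
};

// Parse "major.minor.patch" into numbers (prerelease tags are ignored for brevity).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Range forms handled: "*", exact "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3".
function satisfies(version, range) {
  if (range === '*') return true;
  const op = /^(\^|~|>=)?(.*)$/.exec(range);
  const [base, v, b] = [op[2], parse(version), parse(op[2])];
  if (!op[1]) return compare(version, base) === 0;
  if (compare(version, base) < 0) return false;
  if (op[1] === '>=') return true;
  if (op[1] === '^') {
    const idx = b[0] !== 0 ? 0 : b[1] !== 0 ? 1 : 2; // first non-zero component is pinned
    return v.slice(0, idx + 1).every((n, i) => n === b[i]);
  }
  return v[0] === b[0] && v[1] === b[1]; // '~': same major.minor
}
// Pick the highest allowed version in range. If only blocked versions match, report
// E403 (exists but forbidden by policy); if nothing matches at all, report E404.
function resolve(pkg, range) {
  const pick = (versions) =>
    Object.keys(versions).filter((v) => satisfies(v, range)).sort(compare).pop();
  const allowed = pick(pkg.versions);
  if (allowed) return { ok: true, version: allowed };
  const blocked = pick((pkg.policyRestrictions || {}).versions || {});
  if (blocked) {
    return { ok: false, code: 'E403',
      message: `Could not download ${pkg.name}@${blocked} due to policy violations.` };
  }
  return { ok: false, code: 'E404', message: `No matching version found for ${pkg.name}@${range}.` };
}
```

An older client that only sees `versions` still picks `4.17.15` for `^4.17.0`, while a policy-aware client can turn a request for `1.3.1` into the E403 message shown above instead of a bare 403.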

If npm won’t let you download a particular package version, you can use the CLI to query for a list of versions that are allowed by policy. This capability also allows you to find secure packages up front, before you’re blocked at install time.

For example, run the following command against an npm Enterprise instance:

```
npm view lodash versions
```

The CLI will display a list of all versions allowed by policy. In this case, our policy is to block all package versions with known vulnerabilities.

```
[
    '0.5.0-rc.1',
    '1.0.0-rc.1',
    '1.0.0-rc.2',
    '1.0.0-rc.3',
    '4.17.12',
    '4.17.13',
    '4.17.14',
    '4.17.15'
]
```

Considering that there are 110 versions of lodash available but only 8 have no vulnerabilities, this can save you a lot of time when figuring out which package versions to use.

If you’re an existing npm Enterprise customer, we hope you enjoy this new functionality! If you’re interested in learning more about npm Enterprise, let us know. We’d be happy to chat.