npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

npm Security 2019 in Review

A year in review from VP of Security Adam Baldwin (in the style of Harper’s Index):

Number of npm tokens revoked that were erroneously published to either the registry or to GitHub: 737

Value, in millions of dollars, of cryptocurrency saved from theft by catching the Komodo Agama wallet backdoor: 13

Total security advisories in the npm database: 1,285

Created in 2019: 595

Number, in thousands, of inbound security alert tickets triaged by @eleuterio_ via 2.2

Percentage of maintainers now covered by 2FA: 9.27

Percentage of maintainers who should: 100

Percentage of new account passwords improved by rejecting reused passwords compromised in previous breaches (h/t haveibeenpwned): 13.37

Number of transactions, including torrents and movie advertisements, blocked by our anti-spam system: 11,526

Number, in millions, of run-time reports generated by our behavioral analysis API: 1.4

Terabytes of behavioral analysis data generated: 15.6
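The breached-password rejection credited to haveibeenpwned above is usually implemented against the Pwned Passwords range API, which lets a client check a password without revealing its full hash. The following Python is an added example of that k-anonymity check, not npm's code: the range response table, the hit counts and `fetch_range` are constructed stand-ins for the network call, and only the SHA-1 of "password" is a real value.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords "range" endpoint. The real
# service is queried as GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# and answers with one "<35-hex-suffix>:<count>" line per match. Everything in
# this table is constructed for the example except the SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts are made up.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of "password"
        "00000000000000000000000000000000001:2\r\n"        # filler (constructed)
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:10\r\n"       # filler (constructed)
    ),
}


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the response body for a 5-char prefix."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how often `password` appears in the breach corpus (0 if never).

    k-anonymity: only the first 5 hex characters of the SHA-1 leave the client;
    the remaining 35 are compared locally against the returned suffix list, so
    the service never sees the full hash or the password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip() or 0)
    return 0


def accept_new_password(password: str, fetch=fetch_range) -> bool:
    """Registration policy: reject any password already seen in a known breach."""
    return breach_count(password, fetch) == 0
```

A production version replaces `fetch_range` with the real HTTPS request and should treat a network failure as a soft fail (log it) rather than silently accepting the password.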