|Original author(s)||Isaac Z. Schlueter|
|Developer(s)||Rebecca Turner, Kat Marchán, others|
|Initial release||12 January 2010|
|Stable release||6.13.6 / 10 January 2020|
|License||Artistic License 2.0|
sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.
eslint-scope package were compromised resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copies the npm credentials of the machine running eslint-scope and uploads them to the attacker.
event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that steals bitcoins from certain applications. npm administrators responded by removing the offending package.
In npm version 6, the audit feature was introduced to help developers identify and fix vulnerabilities and security issues in installed packages. The security issues are sourced from reports found on the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file. Each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.
npm also provides version-bumping tools for developers to tag their packages with a particular version. npm also provides the package-lock.json file, which records the exact version used by the project after evaluating semantic versioning in
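As an added illustration (not part of the original article and not npm's own code), the sketch below implements a simplified form of the range matching described above and checks whether a package.json range would accept eslint-scope 3.7.2, the malicious release mentioned earlier, while the lockfile still pins an older version. The sample manifests, the `^3.7.1` range and all function names are assumptions; real npm ranges support more syntax than is handled here.

```javascript
// Simplified semver range matching: exact, ^ and ~ only, on plain x.y.z
// versions (no prerelease tags, no x-ranges, no || unions).
const parse = (v) => v.split('.').map(Number);

// Compare two x.y.z versions: negative, zero or positive like a sort comparator.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Exclusive upper bound implied by a range operator and its base version.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return `${maj}.${min + 1}.0`;
  // Caret: bump the left-most non-zero component.
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfies(version, range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  if (op === '') return cmp(version, base) === 0;
  return cmp(version, base) >= 0 && cmp(version, upperBound(op, parse(base))) < 0;
}

// For each known-bad release, report whether package.json's range would accept
// it and whether the lockfile (npm 6 layout) currently pins it.
function exposure(pkg, lock, badReleases) {
  return badReleases.map(({ name, version }) => {
    const range = (pkg.dependencies || {})[name];
    const pinned = lock.dependencies?.[name]?.version ?? null;
    return {
      name, version, range, pinned,
      rangeAccepts: range ? satisfies(version, range) : false,
      lockPinsBad: pinned === version,
    };
  });
}

// Constructed sample data (not from a real project).
const pkg = { dependencies: { 'eslint-scope': '^3.7.1' } };
const lock = { dependencies: { 'eslint-scope': { version: '3.7.1' } } };
const bad = [{ name: 'eslint-scope', version: '3.7.2' }];
console.log(exposure(pkg, lock, bad));
```

A result with `rangeAccepts: true` and `lockPinsBad: false` means an install that honours the lockfile stays on the pinned version, while an install that re-resolves the range could pick up the flagged release.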
yarn, the last of which was released by Facebook in October 2016. They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.
The company behind the npm software is npm, Inc., based in Oakland, California. The CEO, Bryan Bogensberger, who joined the company in January 2019, resigned in September 2019.