New in Node.js: Certified Modules, Free Orgs Collaboration Tool
- By David Ramel
- March 27, 2017
New developments in the popular Node.js ecosystem include curated Certified Modules from NodeSource and a free version of the Orgs collaboration tool from npm Inc.
Its popularity is exemplified in a huge new global developer survey from Stack Overflow, which revealed it's the most popular tool under the "Frameworks, Libraries and Other Technologies" category.
Node.js is also being put to new uses. In a user survey published last April, the Node.js Foundation noted the platform -- with more than 3.5 million users and an annual growth rate of 100 percent -- is emerging as a popular tool for Internet of Things (IoT) developers, along with more traditional Web apps and other enterprise applications.
Judging from the recent announcements from NodeSource and npm, the ecosystem is continuing to thrive. Here's a look at both of the new developments:
NodeSource Certified Modules are described as a way for developers and organizations to use the npm registry's universe of more than 435,000 Node.js modules with assurances of security, reliability and support.
Basically, NodeSource vets each version of every npm module and publishes trustworthy packages to developers in its own secure registry, which is identical to the main npm registry except that it contains only packages that have passed through the certification process and been assigned a score.
"As the Node.js ecosystem continues to grow, more organizations are relying on untrusted third-party modules to run mission-critical applications and services," NodeSource said in a news release this month. "NodeSource Certified Modules addresses this issue with a highly available registry, with the packages themselves certified through rigorous analysis with NodeSource's proprietary certification algorithm."
In that certification process, each module within a registry is evaluated by the company and is assigned a qualitative trust score, providing developers and organizations with a confidence factor in using a module. The process is bolstered by ongoing, real-time security monitoring, which NodeSource said adds another layer of assurance.
"These checks aren't shallow -- we dive deep into the dependency tree to ensure that down the line there's zero module vulnerabilities in what are usually invisible dependencies, and that you can ensure that licenses are open-source throughout," NodeSource said in a blog post.
Key features of the product highlighted by NodeSource include:
- NodeSource evaluates publicly available packages based on security, compliance, quality and other unique tests to determine the trust score for each package.
- With ongoing security vulnerability monitoring, as the risk profile of any single package changes, teams can update or swap modules accordingly.
- Teams can take advantage of the rich ecosystem of third-party modules more securely and efficiently with Node.js while managing their risk.
- It is no longer necessary to devote resources to manually vetting publicly available modules and for compliance teams to perform laborious compliance checks before pushing code to production.
While the Node.js ecosystem's hundreds of thousands of modules provide valuable functionality of all kinds, they can be problematic to work with. Perhaps the most famous recent case illustrating the issue was a naming squabble surrounding a module provided by npm Inc.'s Node Package Manager. In the midst of a module duplicate-naming controversy, the module's developer "un-published" it, causing thousands of builds that depended on the module to suddenly fail.
Although processes have been enacted to forestall such emergencies in the future -- and the "un-publishing" problem wasn't addressed specifically by NodeSource in its announcement -- Certified Modules may serve to instill more trust in Node.js code provided by others.
"The product was developed so that organizations can quantify and mitigate the risks associated with using third-party Node.js modules," NodeSource said. "The company provides a framework for governance of Node.js modules that are more dependable."
Certified Modules are available for a free 14-day trial.
To help developers and organizations get a better handle on using those aforementioned 435,000-plus packages, npm Inc. last week announced a free version of its Orgs developer collaboration tool.
The tool reportedly lets dev teams grant open source contributors access to specific packages based on assigned roles and responsibilities, obviating the need to pay to use private packages.
According to the npm Web site, Orgs lets development teams manage permissions for multiple members at the same time, simplifying package management with security groups and one-click configuration, while helping to find reusable code. Teams can also use it to secure private code, letting them publish and manage modules in a private namespace and allowing for the seamless mix of open source and private dependencies.
"With npm Orgs, individuals can transition seamlessly among open source solo projects, public group projects and commercial teams, making it easy to combine code from public and private packages into a single project," npm said in a statement. "In particular, companies that use open source tooling and methods for projects that include proprietary code need to be able to restrict and manage access to certain packages."
Product features and benefits highlighted by the company include:
- Role-based access control for organizing developers into teams, making it easier and faster to share and collaborate with specific people.
- Semantic versioning that lets developers easily communicate and understand which versions of code are compatible with one another.
- Powerful package discovery for quickly searching for and discovering private and open source code packages.
"We launched Orgs in 2015 for companies that needed to mix public and private code," npm said in a blog post. "They wanted an easy way to set permissions for multiple team members and multiple packages. Now, teams who don't need private packages can use this functionality too.
"Why would we give away our most popular product? Making it easier to collaborate on open source projects is good for the whole community, and anything that reduces friction makes it easier for everyone to build amazing things."
David Ramel is an editor and writer for Converge360.