10 Things

You Didn't Know About

Reactathon, 2018-09-08

Read these slides on your device:

Who is this guy?

Laurie Voss

COO & co-founder, npm Inc.


What are we talking about?

  1. What npm knows about you
  2. What you should know about npm

But I use Yarn!

npm recommends you use npm

Breaking news: company recommends own product!

I am not here

to bash Yarn

It's hard to bash something so warm and fuzzy.

10 N things

You Didn't Know About npm

npm: pretty popular

Part 1: what npm knows about you

Our sources of data

  • 1.5 billion log events per day
  • 16,000+ survey responses

npm users are mostly new

npm is the package manager for all JavaScript

JavaScript is enormously popular

Top 5 languages on GitHub

by number of pull requests opened

But npm is especially for web developers


of the code in a modern web app comes from npm

Share of Registry

How we measure popularity at npm.

Absolute vs. Relative

 60% of npm users use React


React Router

React is a triumph of modular design




46% of npm users are using TypeScript


Say what?!

Part 2: what you should know about npm

Team A / Team B

npm is super fast now

npm install npm -g

Why not destroy the conference wifi by upgrading right now?

Is npm faster than Yarn?

npm 6

locks by default

Yarn to the rescue

Lock files prevent unexpected changes

Oh, and they make everything a lot faster.

npm 6 saves

by default

There was never a good reason for this not to be the default. Our bad.

npm ci will

double the speed of your builds

npm ci

You can use

anywhere you used to use

npm install

and it will be twice as fast

npm is safer now

A bunch of new features

npm 6 has 2FA:

two-factor auth

Secure your npm account in 30 seconds:

npm Quick Audits

Just run npm install!

React apps are vulnerable to security issues

Recent security alerts:

  • react-svg: XSS
  • react-marked-markdown: XSS

React users are directly targeted by malicious packages

npm Quick Audit stats

3.5 million scans per week


npm audit

Just run in your current project:

npm audit

npm audit fix

Just run in your current project:

npm audit fix


npm audit fix --force

for the adventurous

Use npm because npm is safer than Yarn

Yarn to npm migration tool:

A user journey from Yarn back to npm:

BREAKING NEWS: Company recommends own product.


will help you out

npx will save you time

npx <any package name>

will instantly run that package for you,

no need to install.

npm init understands "create" syntax

npm init react-app
yarn create react-app

is the same as

Coming soon:

npm workspaces

npm is a company that sells good and services that you will find useful

All the other stuff

  • Everybody gets a scope!
  • Organizations are free!
  • Run scripts will save you time!
  • npm init can standardize setup for you!

npm ❤️ React


These slides are available right now

Now would be a good time to follow me on Twitter

10 Things You Didn't Know About npm

By seldo

10 Things You Didn't Know About npm

  • 4,790