Professional JavaScript in 2019

FinJS NYC, 2019-03-19


Who is this guy?

Laurie Voss

Chief Data Officer & co-founder, npm Inc.


What are we talking about?







11 million developers,

12 billion downloads per week

JavaScript: the world's most popular language

GitHub repositories created, 2008-2018

The npm feedback loop


of the code in a modern web app comes from npm

Over 30,000 packages in active use by financial firms

You use JavaScript for everything

Finance cares more about security than any other industry

Security analysis of 8 banks

In one month:

  • 23+ million downloads
  • 22,563 unique packages
  • 824 vulnerablities
    • 3% of all packages
  • 55 critical vulnerabilities
    • 7% of vulnerable packages

I don't want to be alarmist, but this is alarming

The bank that did that is in this room

Good news:

we fixed this already


Bad news: not everyone is using the fix

JavaScript security: the old methods

  • White & black lists
  • Package code reviews
  • Approval forms

You can't just hope nobody notices how much JavaScript you're using

JavaScript security: the new way

1. Continuous code audit

JavaScript security: the new way

2. Live security feeds

JavaScript security: the new way

3. Fail insecure builds

Speed up your CI

Get a 25x faster version of npm:

npm install npm -g

Run CI builds 2x faster than install:

npm ci

works for fresh installs anywhere!

JavaScript compliance:

the old way

  • More blacklists
  • Lawyers reading code
  • The WTFPL

JavaScript compliance:

the new way

Let us do it for you.


You have a JavaScript community inside your company

Internal discovery

Full search and READMEs

Decouple your devs

 npm allows 11 million developers to collaborate safely

And it can do the same for you

and also

npm init @mycompany/app
npm init react-app


I didn't include stock art of the CTRL key here.

You're welcome.





they're crafty

A tool your developers really use is better than any tool they only pretend to use

What does control mean?

1. Single sign-on

Works with any

OIDC provider

  • Okta
  • Auth0
  • Google Sign-In
  • Azure ID

Sign in

from the CLI

With 2FA and any auth provider

What does control mean?

2. Full visibility

What does control mean?

3. Dedicated hardware and domain

Professional JavaScript:

You're not doing it.

But you could be.

npm ❤️ you







Professional JavaScript in 2019

By seldo

Professional JavaScript in 2019

  • 3,825