Professional JavaScript in 2019

FinJS NYC, 2019-03-19

with

Who is this guy?

Laurie Voss

Chief Data Officer & co-founder, npm Inc.

@seldo

What are we talking about?

npm

Enterprise

Security

Compliance

Collaboration

Control

11 million developers,

12 billion downloads per week

JavaScript: the world's most popular language

GitHub repositories created, 2008-2018

The npm feedback loop

97%

of the code in a modern web app comes from npm

Over 30,000 packages in active use by financial firms

You use JavaScript for everything

Finance cares more about security than any other industry

Security analysis of 8 banks

In one month:

23+ million downloads
22,563 unique packages
824 vulnerablities
- 3% of all packages
55 critical vulnerabilities
- 7% of vulnerable packages

I don't want to be alarmist, but this is alarming

The bank that did that is in this room

Good news:

we fixed this already

Bad news: not everyone is using the fix

JavaScript security: the old methods

White & black lists
Package code reviews
Approval forms

You can't just hope nobody notices how much JavaScript you're using

JavaScript security: the new way

1. Continuous code audit

JavaScript security: the new way

2. Live security feeds

JavaScript security: the new way

3. Fail insecure builds

Speed up your CI

Get a 25x faster version of npm:

npm install npm -g

Run CI builds 2x faster than install:

npm ci

works for fresh installs anywhere!

JavaScript compliance:

the old way

More blacklists
Lawyers reading code
The WTFPL

JavaScript compliance:

the new way

Let us do it for you.

Collaboration

You have a JavaScript community inside your company

Internal discovery

Full search and READMEs

Decouple your devs

npm allows 11 million developers to collaborate safely

And it can do the same for you

and also

npm init @mycompany/app

npm init react-app

Control

I didn't include stock art of the CTRL key here.

You're welcome.

Management

vs.

Labor

Developers:

they're crafty

A tool your developers really use is better than any tool they only pretend to use

What does control mean?

1. Single sign-on

Works with any

OIDC provider

Okta
Auth0
Google Sign-In
Azure ID

Sign in

from the CLI

With 2FA and any auth provider

What does control mean?

2. Full visibility

What does control mean?

3. Dedicated hardware and domain

Professional JavaScript:

You're not doing it.

But you could be.

npm ❤️ you

npmjs.com/enterprise

Us:

@npmjs

info@npmjs.com

Me:

@seldo

laurie@npmjs.com

Professional JavaScript in 2019

Who is this guy?

Laurie Voss

What are we talking about?

npm

Enterprise

Security

Compliance

Collaboration

Control

11 million developers,

12 billion downloads per week

JavaScript: the world's most popular language

The npm feedback loop

97%

of the code in a modern web app comes from npm

Over 30,000 packages in active use by financial firms

You use JavaScript for everything

Finance cares more about security than any other industry

Security analysis of 8 banks

I don't want to be alarmist, but this is alarming

The bank that did that is in this room

Good news:

we fixed this already

Bad news: not everyone is using the fix

JavaScript security: the old methods

You can't just hope nobody notices how much JavaScript you're using

JavaScript security: the new way

JavaScript security: the new way

JavaScript security: the new way

Speed up your CI

JavaScript compliance:

the old way

JavaScript compliance:

the new way

Collaboration

You have a JavaScript community inside your company

Internal discovery

Full search and READMEs

Decouple your devs

npm allows 11 million developers to collaborate safely

Control

Management

vs.

Labor

Developers:

they're crafty

A tool your developers really use is better than any tool they only pretend to use

What does control mean?

Works with any

OIDC provider

Sign in

from the CLI

What does control mean?

What does control mean?

Professional JavaScript:

You're not doing it.

But you could be.

npm ❤️ you

Professional JavaScript in 2019

More from seldo