Professional JavaScript in 2019
FinJS NYC, 2019-03-19
with
Who is this guy?
Laurie Voss
Chief Data Officer & co-founder, npm Inc.
@seldo
What are we talking about?
npm
Enterprise
Security
Compliance
Collaboration
Control
11 million developers,
12 billion downloads per week
JavaScript: the world's most popular language
GitHub repositories created, 2008-2018
The npm feedback loop
97%
of the code in a modern web app comes from npm
Over 30,000 packages in active use by financial firms
You use JavaScript for everything
Finance cares more about security than any other industry
Security analysis of 8 banks
In one month:
- 23+ million downloads
- 22,563 unique packages
- 824 vulnerablities
- 3% of all packages
- 55 critical vulnerabilities
- 7% of vulnerable packages
I don't want to be alarmist, but this is alarming
The bank that did that is in this room
Good news:
we fixed this already
Bad news: not everyone is using the fix
JavaScript security: the old methods
- White & black lists
- Package code reviews
- Approval forms
You can't just hope nobody notices how much JavaScript you're using
JavaScript security: the new way
1. Continuous code audit
JavaScript security: the new way
2. Live security feeds
JavaScript security: the new way
3. Fail insecure builds
Speed up your CI
Get a 25x faster version of npm:
npm install npm -g
Run CI builds 2x faster than install:
npm ci
works for fresh installs anywhere!
JavaScript compliance:
the old way
- More blacklists
- Lawyers reading code
- The WTFPL
JavaScript compliance:
the new way
Let us do it for you.
Collaboration
You have a JavaScript community inside your company
Internal discovery
Full search and READMEs
Decouple your devs
npm allows 11 million developers to collaborate safely
And it can do the same for you
and also
npm init @mycompany/app
npm init react-app
Control
I didn't include stock art of the CTRL key here.
You're welcome.
Management
vs.
Labor
Developers:
they're crafty
A tool your developers really use is better than any tool they only pretend to use
What does control mean?
1. Single sign-on
Works with any
OIDC provider
- Okta
- Auth0
- Google Sign-In
- Azure ID
Sign in
from the CLI
With 2FA and any auth provider
What does control mean?
2. Full visibility
What does control mean?
3. Dedicated hardware and domain
Professional JavaScript:
You're not doing it.
But you could be.
npm ❤️ you
Hello everybody!
Professional JavaScript in 2019 FinJS NYC, 2019-03-19 with