npm and the future of JavaScript

Spotify, 2018-10-25

Read these slides on your device:

Who is this guy?

Laurie Voss

COO & co-founder, npm Inc.


This talk is about you

Three parts:

  1. What you should know about npm

  2. What npm knows about you

  3. The future of JavaScript

npm is popular

Part 1: what you should know about npm

JavaScript is enormously popular

Top 5 languages on GitHub

by number of pull requests opened

Who's using npm?

  • All 50 of the Fortune 50
  • All 50 of the 50 biggest banks
  • All 50 of the 50 biggest tech companies
  • All 500 of the Fortune 500

(we checked!)


JavaScript is the most important programming language in the world

npm is the package manager for all JavaScript

But npm is especially for web developers


of the code in a modern web app comes from npm

npm is super fast now

npm install npm -g

Why not destroy the conference wifi by upgrading right now?

Is npm faster than Yarn?

npm 6

locks by default

npm ci will double the speed of your builds

npm ci

You can use

anywhere you used to use

npm install

and it will be twice as fast

npm Security

A bunch of new features

npm 6 has 2FA:

two-factor auth

Secure your npm account in 30 seconds:

npm Quick Audits

Just run npm install!

npm Quick Audit stats

4 million scans per week


npm audit

Just run in your current project:

npm audit

npm audit fix

Just run in your current project:

npm audit fix


npm audit fix --force

for the adventurous

Use npm because npm is safer than Yarn

Yarn to npm migration tool:

A user journey from Yarn back to npm:

BREAKING NEWS: Company recommends own product.

npm is a company that sells goods and services that you will find useful

Part 2:

What npm knows about you

  • 1.5 billion log events per day
  • 16,000+ survey responses

Part 2A: demographics

Please stand up!

(If you can't stand up, raise a hand)

Sit down if you don't match the description.

Stay standing if you

use npm

Stay standing if you

write JavaScript that runs in browsers

Stay standing if you

write JavaScript

at work

Stay standing if you

are concerned about security of open source code

Stay standing if you

mostly taught yourself JavaScript

Stay standing if you

also write PHP or Java sometimes

Stay standing if you

work at a company that isn't considered a "tech company"

Stay standing if you

started using npm less than 2 years ago

Stay standing if you

use webpack

Stay standing if you

use babel

Stay standing if you

work on a React app

Stay standing if you

use TypeScript

So we know some stuff about you

npm users don't always write JavaScript

The programming language you pick is determined by the libraries available

Devs pick JavaScript because of npm

npm users are concerned about security

  • 77% are concerned
  • 52% said current tools aren't adequate

npm Enterprise can help your security

Part 2B:

the tools we use

I am about to make you angry

with graphs

Growth in context

Everything in npm grows

Share of registry

Front end frameworks

Frameworks never die; they only fade away


60% of npm users say they use React



Angular is seeing fewer downloads,

please don't yell at me about it.


The comeback kid


The next big thing?

The React ecosystem

React Router

React is a triumph of modular design




Back-end frameworks





This looks weird

Team A / Team B


What tools do we use?


46% of npm users are using TypeScript


Say what?!

Source: npm user survey, 2017/2018


So about ESLint...

The ESLint Credentials Harvester


npm Security

in action


Take JavaScript security seriously



Splitting developers by experience

Best practices come with experience

Security is associated with experience

Part 3:

the future of JavaScript

Learning from history:

nothing lasts forever

jQuery, we hardly knew ye.

Use React

Ill-advised prediction

If people start re-using React modules, React will live forever

What about web components?

Web components would be great if they worked but they don't, yet.

Don't @ me.

What about that slowdown in React?

The best framework is always the one with the most users.

Learn GraphQL

Ill-advised prediction

You will be bundling, transpiling and linting for quite some time

Ill-advised prediction

Use TypeScript

Ill-advised prediction

What happens to npm in the future?

npm is not only JavaScript

and it hasn't been for some time

WASM is coming

WASM is already here

JavaScript's position as the language

of the web

is not guaranteed

Mandatory transpilation

is a code smell

Node + JavaScript: merge or die

npm is for the web

The future looks fun

The web will remain under construction

Professionalizing JavaScript

JavaScript is the most important programming language in the world

So why don't we treat it that way?

Because you are spending money on JavaScript

Why should I care?

It's time

to treat JavaScript like the enterprise language it is

JavaScript snuck into the Enterprise

Professionalizing JavaScript

  • Ship quickly
    • Modular code
    • Easy discovery
    • Frictionless workflows
  • Ship safely
    • Vulnerability management
    • Secure access
    • Compliance

Modular JavaScript

is key

to shipping quickly

Replicate JavaScript's positive feedback loop

exponential productivity inside your organization

Shipping safely

When 97% of your code is written

by people who don't work for your company

Managing the other 97% of your code

npm audit fix

Access control


Don't all get excited at once

Compliance can have unintended outcomes for security

You can't just hope nobody notices how much JavaScript you're using

Fear can create barriers

npm Enterprise is professional JavaScript

Enterprise-friendly JavaScript

Ship faster

  • More code sharing
  • Better discovery
  • Online documentation

Ship safely

  • Dedicated hardware
  • Locked to your network
  • Automatic security audits
  • Pre-disclosure security alerts
  • Full logging

Secure access

  • Single sign-on (SSO) support
    • both website and command line
  • Two-factor auth (2FA)
  • Teams, organizations
  • Granular publish & install

The real npm

npm Enterprise

  • Your own Registry at
    • Dedicated hardware
    • Enterprise-grade support
    • Single sign-on (SSO)
    • Two-factor auth (2FA)
  • Your own private npm website
    • Private code hosting
    • Full-featured search
    • Built-in documentation
  • npm Security
    • Security audits
    • Embargoed vulnerabilities
    • Compliance reporting

npm Inc.

is really good

at JavaScript


These slides are available right now

Now would be a good time to follow me on Twitter

npm ❤️ you

npm and the future of JavaScript

By seldo
