GitHub completed its acquisition of npm in April this year. GitHub then signaled plans to grow npm along three axes: infrastructure, developer experience, and community. In his talk, Thomson detailed the initiatives GitHub is currently taking to improve the npm CLI and the npm registry.
Thomson commented on the ongoing efforts targeting the CLI:
Right now, the team is working on NPM v7 […] the next version of the CLI. It’s actually a really big shift. The CLI team is doing some major refactoring. They are improving correctness and performance. They are helping secure your software better and they are trying to improve compatibility with the other tools in the ecosystem.
The npm CLI team is improving the experience around npm audit. Thomson demoed the new functionality by showing the CLI output of npm v6 and npm v7 for the same project. With npm v6, vulnerabilities involving the minimist package are found and displayed in a space-consuming tabular format, and the minimist issue is repeated for every package in which it appears as a dependency. With npm v7, the information about the security vulnerabilities and how to fix them is more quickly accessible and displayed more succinctly: the minimist vulnerabilities are displayed only once. npm v7 further recognizes that minimist is the only package causing issues and prompts the user to run npm audit fix to resolve them automatically.
Where npm 6 may recommend a major dependency update to fix issues, i.e. an update with breaking changes that may require the developer to refactor their code, npm 7 may instead attempt to fix the issues automatically by downgrading package versions. Additionally, npm v7 will coexist better with yarn (and its yarn.lock file). Thomson explained:
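The difference Thomson demoed, one table per dependency path in npm v6 versus one entry per vulnerable package in npm v7, can be reproduced from the machine-readable report. The following is an added example, not code from the talk or from the npm CLI; it collapses an npm v6-style `npm audit --json` report (advisories keyed by advisory id, each carrying findings with dependency paths, plus an actions list) into a per-package summary in the spirit of the v7 output, and checks whether a single package accounts for every finding. The report embedded below is a constructed sample in that shape; advisory ids, titles and version ranges are illustrative, not real advisories.

```javascript
// Added example (not from the talk or the npm project). Condenses an
// npm v6-style `npm audit --json` report into one entry per package.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like v6 output; ids, titles, versions are made up.
const sampleV6Report = {
  advisories: {
    "1": {
      id: 1,
      module_name: "minimist",
      severity: "low",
      title: "Example advisory A (constructed)",
      patched_versions: ">=1.2.3",
      findings: [
        { version: "0.0.8", paths: ["mkdirp>minimist", "mocha>mkdirp>minimist"] },
        { version: "1.2.0", paths: ["eslint>optionator>minimist"] },
      ],
    },
    "2": {
      id: 2,
      module_name: "minimist",
      severity: "moderate",
      title: "Example advisory B (constructed)",
      patched_versions: ">=1.2.3",
      findings: [
        { version: "0.0.8", paths: ["mkdirp>minimist", "mocha>mkdirp>minimist"] },
      ],
    },
  },
  actions: [
    {
      action: "update", module: "minimist", target: "1.2.3", depth: 2,
      resolves: [{ id: 1, path: "mkdirp>minimist" }, { id: 2, path: "mkdirp>minimist" }],
    },
  ],
};

// How many tables npm v6 prints: one per (advisory, dependency path) pair.
function countV6Entries(report) {
  let n = 0;
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) n += finding.paths.length;
  }
  return n;
}

// One entry per vulnerable package: highest severity seen, every advisory id,
// the distinct dependency paths, the immediate dependents and patched ranges.
function summarizeByPackage(report) {
  const byPackage = new Map();
  for (const adv of Object.values(report.advisories)) {
    const name = adv.module_name;
    if (!byPackage.has(name)) {
      byPackage.set(name, {
        name, severity: "info", via: new Set(), paths: new Set(),
        dependents: new Set(), patched: new Set(),
      });
    }
    const entry = byPackage.get(name);
    if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[entry.severity]) {
      entry.severity = adv.severity;
    }
    entry.via.add(adv.id);
    if (adv.patched_versions) entry.patched.add(adv.patched_versions);
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        entry.paths.add(path);
        const chain = path.split(">");
        // The element just before the package is the package that depends on it.
        if (chain.length > 1) entry.dependents.add(chain[chain.length - 2]);
      }
    }
  }
  return [...byPackage.values()].map((e) => ({
    name: e.name,
    severity: e.severity,
    via: [...e.via].sort((a, b) => a - b),
    paths: [...e.paths].sort(),
    dependents: [...e.dependents].sort(),
    patchedVersions: [...e.patched].sort(),
  }));
}

// Returns the package name when exactly one package is vulnerable and an
// "update" action (assumed here to be an in-range, non-breaking bump)
// resolves every advisory for it; otherwise null.
function singleFixablePackage(report) {
  const summary = summarizeByPackage(report);
  if (summary.length !== 1) return null;
  const [pkg] = summary;
  const resolved = new Set();
  for (const action of report.actions) {
    if (action.action !== "update" || action.module !== pkg.name) continue;
    for (const r of action.resolves) resolved.add(r.id);
  }
  return pkg.via.every((id) => resolved.has(id)) ? pkg.name : null;
}

console.log(`v6 would print ${countV6Entries(sampleV6Report)} entries; per-package summary:`);
console.log(JSON.stringify(summarizeByPackage(sampleV6Report), null, 2));
console.log("single fixable package:", singleFixablePackage(sampleV6Report));
```

Run it with node; on the constructed sample it reports five v6 entries against one summarized package, and names minimist as the single package an update would fix. To use it on a real project, pipe `npm audit --json` from an npm v6 install into `JSON.parse` and pass the result to `summarizeByPackage`; the action-type assumption in `singleFixablePackage` is the part to verify against your own report.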
We want to make sure that these two tools interact as nicely as possible. There once was a time when the two command-line interfaces (yarn and npm) were really walled off from each other, but with npm 7, we’re going to see big improvements in their compatibility.
Workspaces, a feature that is popular in large projects, will also be supported in npm v7. npm v7 will have at least the workspace feature support of Yarn, and will set the stage for more advanced workspace features in v8. Workspaces allow developers to manage multiple packages in one repository and install all of them in a single pass with one run of the install command (e.g., yarn install). A single lockfile may be used rather than a separate one for each package, which means fewer conflicts and easier reviews.
Regarding the npm registry, GitHub seeks to better integrate npm and GitHub, reinforce npm’s infrastructure and enable npm’s paying customers to move to GitHub packages. Thomson detailed:
Today, npm has several paid plans for private package hosting and we’re going to set it up so that paying npm customers can move over to GitHub packages. This will let us focus each of the repositories on what it does best. It will let GitHub packages be a great solution for hosting private packages and let npm continue to focus on being a great public registry for open source packages.
Thomson invited developers to provide feedback on GitHub’s initiatives regarding npm. Developers may consult npm’s RFCs and npm’s blog. Thomson’s full talk is available online and contains additional information on GitHub’s initiatives regarding npm.