npm passes the 1 millionth package milestone! What can we learn?


June 4, 2019


June 4th is a historic date. Not only is it our very own Liran Tal’s birthday (Mazal Tov, Liran!) but it is also the date that the millionth package was indexed into the npm registry. npm is a package manager for JavaScript packages. The core component of npm is its public registry, hosting JavaScript packages that can be accessed by the npm client to build JavaScript applications.


If you’re a user of npm and are interested in how you can use it more securely, be sure to read our npm security cheat sheet, which lists ten best practices for using npm safely.

A brief history of npm, including security incidents

  • January 2010: npm was created by Isaac Z. Schlueter, written in JavaScript.

  • March 2016: the popular JavaScript package left-pad was unpublished from the npm registry due to a naming dispute. After much disruption across the JavaScript world, npm tightened up its unpublishing policy.

  • July 2018: a malicious version of the eslint-scope package was released, which exposed users’ npm credentials to the attacker.

  • November 2018: the malicious package flatmap-stream was released to npm and added as a dependency of the popular event-stream package. The package targeted Copay, a bitcoin wallet.

  • June 4th 2019: npm indexes its one-millionth package.

npm’s top ten packages

The npm website lists its top ten most popular packages. They are listed below, with vulnerability information included. Interestingly, the request package has seen 17 typosquatting attempts.

| Package    | Vulnerabilities                             |
|------------|---------------------------------------------|
| lodash     | 3 vulnerabilities (1 high sev)              |
| request    | 1 vulnerability (17 typosquatting attempts) |
| chalk      | 0 vulnerabilities (1 typosquatting attempt) |
| react      | 2 vulnerabilities (1 high sev)              |
| express    | 1 vulnerability                             |
| commander  | 0 vulnerabilities                           |
| moment     | 3 vulnerabilities                           |
| debug      | 1 vulnerability                             |
| async      | 0 vulnerabilities                           |
| prop-types | 0 vulnerabilities                           |

If we consider popularity as the total number of downloads, we can see which libraries are used heavily both as direct and indirect dependencies:

| Package         | Downloads                    |
|-----------------|------------------------------|
| debug           | >40 million weekly downloads |
| kind-of         | >34 million weekly downloads |
| supports-color  | >34 million weekly downloads |
| readable-stream | >31 million weekly downloads |
| source-map      | >30 million weekly downloads |
| yargs           | >27 million weekly downloads |
| camelcase       | >26 million weekly downloads |
| minimist        | >25 million weekly downloads |
| strip-ansi      | >25 million weekly downloads |
| chalk           | >25 million weekly downloads |

Out of the above 10 packages, only debug was found to contain a security vulnerability.

npm by numbers

The sheer scale of npm’s popularity and growth is staggering, as we can see from this graph showing the number of indexed packages over just the last couple of years. In fact, the platform has grown 250% in just over two years, since January 2017.

[Graph: number of indexed npm packages, January 2017 to June 2019]

Even month by month the growth of npm usage is visible, as we can see from the number of packages downloaded each month in 2019.

[Graph: npm package downloads per month in 2019]

Here are some more npm stats:

  • 1 million indexed packages (+ those that have been indexed since this post was written!)

  • 10.9 billion downloads last week

  • 46.9 billion downloads last month

  • The top package is debug and accounts for more than 40 million weekly downloads

  • The 1000th most downloaded package is merge-stream and accounts for about 3.5 million downloads a week

  • 250k packages added to npm in 2018

  • 110k packages added to npm in 2019, so far

  • 144k downloads of the Snyk CLI npm package each week!

  • 41 packages are owned by Snyk, yay!

GitHub user dominykas, together with a friend from NearForm, provided some stats in a GitHub issue as part of work being done in the Node.js Foundation’s Package Maintenance working group. Their data shows that general package maintenance varies significantly between authors: for each percentile of packages, the table gives the age of the most recent commit and of the most recent publish.

| Percentile | Last commit   | Last publish  |
|------------|---------------|---------------|
| 10%        | 4 days old    | 11 days old   |
| 20%        | 5 days old    | 37 days old   |
| 30%        | 19 days old   | 88 days old   |
| 40%        | 57 days old   | 157 days old  |
| 50%        | 119 days old  | 246 days old  |
| 60%        | 194 days old  | 369 days old  |
| 70%        | 328 days old  | 559 days old  |
| 80%        | 563 days old  | 777 days old  |
| 90%        | 887 days old  | 1098 days old |
| 95%        | 1194 days old | 1372 days old |
| 100%       | 2201 days old | 2792 days old |

Summary

We’d like to send our congratulations to npm for running and maintaining the largest open source language repository, and to the great maintainers and developers in the community who power the ecosystem and helped reach this milestone. It’s extremely important to make sure that when you use open source packages, you use versions that do not contain known vulnerabilities. It’s straightforward to test your applications for free against the industry-leading Snyk vulnerability database. Try it now, and see the scan results instantly.
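Two of the risks this post touches on, typosquatted names like the 17 attempts recorded against the request package, and locked versions that fall inside a known-vulnerable range, can both be checked before `npm install` runs in CI. The script below is an added example written for this page; it is not Snyk’s or npm’s code, and it does not query any registry or advisory feed. The lockfile fragment, the advisory entries (`EXAMPLE-ADV-1`, `EXAMPLE-ADV-2`, the package names `example-utils`, `sample-stream`, `reqeust`) and their version ranges are all constructed placeholders, not real vulnerability data. The popular-name list is the top ten from the table above.

```javascript
// Added example (not Snyk's or npm's code): a small pre-install audit over a
// package-lock.json. It flags (1) dependency names within two edits of a
// popular package name, a common typosquatting pattern, and (2) locked versions
// that fall inside a constructed advisory range. All advisories, versions and
// the lockfile below are constructed for the example, not real data.
'use strict';

// Popular names to compare against (the top ten listed earlier in the post).
const POPULAR = ['lodash', 'request', 'chalk', 'react', 'express',
  'commander', 'moment', 'debug', 'async', 'prop-types'];

// Constructed advisory list: a package is affected when its version is
// >= introduced and < fixedIn. These are placeholders, not real advisories.
const ADVISORIES = [
  { name: 'example-utils', introduced: '1.0.0', fixedIn: '1.4.2', id: 'EXAMPLE-ADV-1' },
  { name: 'sample-stream', introduced: '0.0.0', fixedIn: '2.1.0', id: 'EXAMPLE-ADV-2' },
];

// Damerau-Levenshtein (optimal string alignment) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Popular names within `maxDistance` edits of `name`; an exact match is not a
// finding. A scope prefix such as "@acme/" is dropped before comparing.
function typosquatCandidates(name, popular = POPULAR, maxDistance = 2) {
  const bare = name.toLowerCase().replace(/^@[^/]+\//, '');
  return popular.filter((p) => p !== bare && editDistance(bare, p) <= maxDistance);
}

// Numeric compare of "major.minor.patch"; a pre-release suffix is ignored here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

function matchingAdvisories(name, version, advisories = ADVISORIES) {
  return advisories.filter((adv) => adv.name === name &&
    compareVersions(version, adv.introduced) >= 0 &&
    compareVersions(version, adv.fixedIn) < 0);
}

// Walk a lockfileVersion 2 "packages" map, whose keys look like
// "node_modules/foo" or "node_modules/foo/node_modules/bar".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const near of typosquatCandidates(name)) {
      findings.push({ name, kind: 'name-similarity', detail: `resembles popular package "${near}"` });
    }
    for (const adv of matchingAdvisories(name, entry.version)) {
      findings.push({ name, kind: 'known-vulnerability', detail: `${adv.id}: fixed in ${adv.fixedIn}` });
    }
  }
  return findings;
}

// Constructed lockfile fragment standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.15' },
    'node_modules/reqeust': { version: '1.0.3' },        // transposed letters
    'node_modules/example-utils': { version: '1.2.0' },  // inside advisory range
    'node_modules/sample-stream': { version: '2.1.0' },  // exactly the fixed version
  },
};

const REPORT = auditLockfile(SAMPLE_LOCK);
for (const f of REPORT) console.log(`${f.kind}: ${f.name} (${f.detail})`);
```

Run against the constructed lockfile, the script reports `reqeust` as a near miss of `request` and `example-utils@1.2.0` as inside the placeholder advisory range, while `sample-stream@2.1.0` passes because it is exactly the fixed version. A real pipeline would feed the advisory list from a vulnerability database rather than an inline constant, and would treat a name-similarity hit as a prompt for review rather than proof of malice, since legitimate forks and plugins are often one edit away from the package they extend.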

Test your JavaScript app with a free Snyk account today.
