npm has released add-ons for npm Enterprise, allowing developers to directly integrate third-party tools for the first time.
Ben Coe, general manager of npm Enterprise, told InfoQ:
Think: a security vendor’s green checkbox verifies that code is safe; a license audit tool warns that a package’s dependency relies on the GPL; a CI tool watches for dependency updates and warns of what would break...
In npm's blog post, Introducing add-ons for npm Enterprise, Coe said npm Enterprise exposes an API that allows third-party developers to build on top of the npm Enterprise product.
Explaining the motivation behind the move, Coe said add-ons have "the power to combine what were discrete parts of your development workflow into a single user experience, and knock out the barriers that stand in the way of bringing open source development’s many-small-reusable-parts methodology into larger organizations."
A typical Node.js application consumes hundreds of dependencies: too many to be tracked easily. The challenge is made harder still because most of these dependencies are indirect, pulled in as dependencies of other packages rather than declared by the application itself.
Coe likens reviewing the license requirements "of each piece of external code" to security research, saying "trying to manually confirm the licensing of every dependency (and their dependencies, and their dependencies…) is impossible to scale."
The security risk of consuming open source code in the enterprise is twofold: if a package has security vulnerabilities, the application that depends on it may become exposed, and if a package is malicious, the application can be compromised.
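As an added illustration of the tracking problem described above (example code written for this page, not npm's, NSP's or any add-on's code), the script below walks a constructed package-lock-style dependency tree, flags copyleft licences that are reached only transitively, and checks each resolved version against a constructed advisory list. Every package name, version, licence and advisory in it is invented for the example, and the `vulnerableBelow` range notation is a simplification of real semver ranges.

```javascript
// Added example, not from the article or from npm/NSP: audit a nested,
// package-lock-shaped dependency tree for copyleft licences and for versions
// matched by a list of advisories. All data below is constructed.

// Constructed tree in the nested "dependencies" layout of npm's lock file.
// The "license" fields are invented; real lock files do not carry them.
const constructedLock = {
  name: "example-app",
  dependencies: {
    "web-framework": {
      version: "2.1.0", license: "MIT",
      dependencies: {
        "cookie-parser-lib": { version: "0.9.4", license: "MIT" },
        "template-engine": {
          version: "1.4.2", license: "BSD-3-Clause",
          dependencies: {
            // Three levels deep: the kind of dependency nobody reviews by hand.
            "html-escaper": { version: "0.2.1", license: "GPL-3.0" },
          },
        },
      },
    },
    "logger": { version: "3.0.1", license: "ISC" },
  },
};

// Constructed advisories. "vulnerableBelow" means every earlier version is affected.
const constructedAdvisories = [
  { name: "cookie-parser-lib", vulnerableBelow: "1.0.0", note: "constructed advisory" },
  { name: "logger", vulnerableBelow: "2.5.0", note: "constructed advisory (fixed version in use)" },
];

// Licence identifiers treated as copyleft for this audit (GPL, LGPL, AGPL families).
const COPYLEFT = /^(A?GPL|LGPL)/i;

// Numeric comparison of dotted versions; negative means a < b.
function compareVersions(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  }
  return 0;
}

// Flattens the nested tree. "path" records how each package was reached so a
// finding on an indirect dependency can be traced to the direct one that pulls it in.
function flattenDependencies(node, path = [], out = []) {
  for (const [name, meta] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${meta.version}`];
    out.push({
      name, version: meta.version, license: meta.license,
      path: here.join(" > "), direct: path.length === 0,
    });
    flattenDependencies(meta, here, out);
  }
  return out;
}

function auditLicenses(deps) {
  return deps
    .filter((d) => COPYLEFT.test(d.license || ""))
    .map((d) => ({ name: d.name, license: d.license, path: d.path }));
}

function auditVulnerabilities(deps, advisories) {
  const findings = [];
  for (const d of deps) {
    for (const adv of advisories) {
      if (adv.name === d.name && compareVersions(d.version, adv.vulnerableBelow) < 0) {
        findings.push({ name: d.name, version: d.version, path: d.path, note: adv.note });
      }
    }
  }
  return findings;
}

// Runs both audits and summarises how much of the tree is indirect.
function runAudit(lock = constructedLock, advisories = constructedAdvisories) {
  const deps = flattenDependencies(lock);
  return {
    total: deps.length,
    indirect: deps.filter((d) => !d.direct).length,
    licenseFindings: auditLicenses(deps),
    vulnerabilityFindings: auditVulnerabilities(deps, advisories),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the constructed tree, two of the five packages are direct and three are indirect; the GPL-licensed package and the vulnerable version both sit below a dependency the application never declared, which is the point the article is making about manual review not scaling.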
In the blog post, The npm Meltdown Uncovers Serious Security Risks, Nicolás Bevacqua said: “The vast majority of npm users are benevolent, though. This is why semver mostly works. Trusting package authors mostly works. Until it doesn’t.”
npm partner Node Security Platform (NSP), known for providing security information on audited modules, announced its security add-on for npm Enterprise in a blog post.
Adam Baldwin, founder of the NSP, said:
For years, our nsp tool has been a pivotal source of intelligence on vulnerabilities in Node dependencies.
Beginning today, nsp’s security vulnerability notices will be exposed conveniently right inside of npm Enterprise.
The nsp add-on surfaces security information in the sidebar of the module detail page, including whether a module has known vulnerabilities and a link to a more detailed security report.
Baldwin also promises that published information on verified modules, as audited by the Node Security team, is coming soon for Enterprise customers.
According to npm, everyone stands to benefit from the movement to bring open source code, workflows, and tools into the enterprise.
"When companies develop proprietary code the same way communities build open source projects, then the open source community’s methods and tooling become the default way to build software," Coe said.