The Future of Trust in Node.js Dependencies
The Future of Trust in Node.js Dependencies
In this article, the CTO of NodeSource takes a look at some of the new features, as well as what's to come, for Node.js dependencies.
Join the DZone community and get the full member experience.Join For Free
At Node.js Interactive 2016 in Austin, TX, we were able to announce an entirely new product - NodeSource Certified Modules™ - in our Day One keynote with Joe McCann. Your reception has been phenomenal, only enhancing our own excitement and dedication to Certified Modules. A big shout out to everyone who signed up, provided feedback, and helped us tune the user experience.
Today, we are happy to make NodeSource Certified Modules generally available.
Start using Certified Modules to secure your Node.js apps. Get NodeSource Certified Modules
What Are NodeSource Certified Modules?
The npm registry is home to nearly half a million packages, but not all of these are secure, well-maintained, or up to date. Yet, organizations rely upon untrusted third-party Node modules to run mission-critical applications and services. With NodeSource Certified Modules, NodeSource provides a quantified level of trust in each of the modules we certify.
Why Use NodeSource Certified Modules
NodeSource Certified Modules is a solution that automatically evaluates publicly available packages that compose the Node.js ecosystem, based on two types of criteria: major and minor. The result of the evaluation is a "trust score" for each package. Once evaluated and scored, all packages are put into an independent, immutable registry with high-availability - meaning your modules are available when you need them.
The criteria for certification currently includes:
- Security: All published modules are checked for known security vulnerabilities.
- Licensing: Every module is checked to ensure it is fully licensed as open-source.
- Integrity: Quality marks like quantitative documentation, testing tooling, and install size.
These checks are run against every version of every module that is published to npm. These checks aren’t shallow - we dive deep into the dependency tree to ensure that down the line there are zero module vulnerabilities in what are usually invisible dependencies and that you can ensure that licenses are open-source throughout.
How Do You Use NodeSource Certified Modules?
When you begin using NodeSource Certified Modules, you will get a secure registry that is yours. This registry is identical to the npm registry, with one key difference: every version of every package in the registry is passed through the NodeSource Certification Process™ and assigned a score based on the outcome.
To begin using your NodeSource Certified Modules registry, you’ll need to make a simple, one-time change to your
.npmrc file - you simply need to set your default registry to the unique URL of your NodeSource Certified Modules registry.
This is a simple change that you can make by running the
npm config CLI command to set your default registry to the NodeSource Certified Modules registry that’s created for you when you setup your account. Once your registry is pointed to your NodeSource Certified Modules registry, you’re only an
npm install away.
We provide a simple web interface that allows you to find and review the certification scores of all packages in the registry at any point. As a developer, there will be no true workflow changes other than enhanced errors when installing modules.
Additionally, we’ve built a complementary tool called
nscm to provide a command-line interface that allows inspection of a Node.js application to see versions, scores, and, if possible, the most recent version that is certified. Additionally, the tool allows customers to whitelist one or more packages, to exclude them from the certification screening process until they can be refactored and/or replaced.
The Complete NodeSource Story
NodeSource is the Node.js Company. We provide solutions for businesses that depend on Node.js to drive innovation and digital transformation. Our products include N|Solid, the enterprise-grade platform for secure, production deployment of Node.js. Together with NodeSource Certified Modules, this provides a comprehensive Node.js toolset backed by NodeSource’s open source and product teams, tuned to satisfy the needs of the most demanding Node.js users in the world.
Published at DZone with permission of Dan Shaw . See the original article here.
Opinions expressed by DZone contributors are their own.