- In March 2016, npm attracted press attention after a package called
- In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.
- In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copies the npm credentials of the machine running eslint-scope and uploads them to the attacker.
- In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that steals bitcoins from certain applications. npm administrators responded by removing the offending package.
In npm version 6, the audit feature was introduced to help developers identify and fix vulnerabilities and security issues in installed packages. The source of the security reports was the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
package.json file. In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version. npm also provides the package-lock.json file, which records the exact version used by the project after evaluating semantic versioning in
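The range-versus-lock behaviour described above, as an added example that is not part of the original page or of npm itself: a small resolver for caret and tilde ranges, plus the decision a lock file makes. The published version list and the function names are constructed for illustration; only the fact that event-stream 3.3.6 was the malicious release comes from the page.

```javascript
// Added example, not from the original page: a minimal resolver for the
// caret (^) and tilde (~) ranges that package.json dependencies use, and the
// lock-file decision that keeps an already-pinned version. The published
// version list is constructed; only "3.3.6 was the bad release" is from the page.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True if `version` satisfies `range`. Supports exact, ^ and ~ ranges for
// major >= 1 (the narrower ^0.x.y rules are deliberately not modelled).
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (op === '') return compareVersions(version, base) === 0;
  if (op === '^') return vMaj === bMaj;
  return vMaj === bMaj && vMin === bMin;
}

// Highest published version inside the range: what a floating install picks.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

// With package-lock.json present, the recorded version wins as long as it
// still satisfies the declared range; otherwise resolution floats again.
function chooseVersion(range, published, lockedVersion) {
  if (lockedVersion && satisfies(range, lockedVersion)) return lockedVersion;
  return resolve(range, published);
}

// Constructed scenario around the event-stream incident described above.
const PUBLISHED = ['3.3.4', '3.3.5', '3.3.6'];
console.log('floating ^3.3.4 ->', chooseVersion('^3.3.4', PUBLISHED, null));   // 3.3.6
console.log('locked at 3.3.5 ->', chooseVersion('^3.3.4', PUBLISHED, '3.3.5')); // 3.3.5
```

The floating install lands on 3.3.6, the release that carried flatmap-stream, while a committed lock file keeps the project on the version it was last reviewed with until someone deliberately updates it.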
The above is a brief overview of Node Package Manager. Watch this space for more updates on the latest trends in technology.