npm, Inc. Releases npm@6 Package Manager with Powerful, Built-In Security Protections

Major update of JavaScript development tool includes automatic warnings of insecure code and actionable insights to help developers pinpoint vulnerabilities

OAKLAND, Calif.--()--npm, Inc., which runs the world’s largest software registry and maintains the `npm` software package management application, today announced npm@6, a major update to its JavaScript software installer tool with powerful new security features for developers who work with open source code. npm@6 will be included as part of the Node.js v10.x release line, also announced today, and leverages the assets of the Node Security Platform, the definitive source of JavaScript vulnerabilities, recently acquired by npm, Inc.

In an npm, Inc. survey of over 16,000 worldwide developers, 97% of JavaScript developers confirm they use open source code, although 77% express concern about whether the open source software they use is secure, and 52% believe that there aren’t satisfactory methods for evaluating whether code is safe.

The Node Security Platform has identified over 824,000 versions of npm packages in the npm Registry that are impacted by at least one vulnerability.

npm@6 brings protection against insecure code into the workflow that’s already used by 10 million JavaScript developers to download over 900 million packages of reusable, modular code per day.

These new protections include automatic warnings if a developer attempts to use open source code with known security issues, and `npm audit`, an npm command that allows developers to analyze complex, interdependent code to pinpoint specific vulnerabilities.

`npm audit` and insecure code warnings are available today to beta users and will roll out automatically to all users of npm@6 and the npm Registry over a period of weeks. The protections are free of charge to all users of the npm Registry with no required registration. In addition, customers of npm, Inc.’s paid offerings will receive pre-publication vulnerability disclosures, formerly a premium tier of the Node Security Platform product.

“Node.js has proven to be a reliable platform for applications at any scale. It is used across industries to build everything from APIs to cloud, mobile and IoT applications,” said Mark Hinkle, Executive Director of the Node.js Foundation. “The release of npm@6 is another great testament to the Node.js ecosystem’s focus and work on making security a top priority, and helping developers build the world’s most scalable, mission-critical JavaScript applications.”

When a user downloads code from the npm Registry, npm will review the request against the Node Security Platform database and return a warning if the code contains a vulnerability. In addition, the `npm audit` command within npm@6 will allow the developer to recursively analyze trees of dependent code to identify specifically what’s insecure. Typical packages can be analyzed in less than one second.

Without npm@6, developers must rely on manual code reviews of complex, interdependent packages, or third-party scans and audits that introduce additional complexity into developer workflows.

Instead, npm is giving away these protections with npm@6 for maximum community benefit. The move is the latest step by the world’s largest software registry to improve the performance and stability of how developers build applications.

Other notable npm@6 benefits include:

  • Performance enhancements—up to 17X faster than npm of one year ago.
  • Optimizations for continuous integration (CI)—a special `npm ci` mode makes using npm within CI workflows 2–3X faster.
  • Webhooks management—to configure real-time notifications of npm registry and package changes and use these to power new developer tools.
  • More visible package integrity metadata—makes it easier to verify that a package hasn’t been tampered with or corrupted.
  • Automatic resolution of lockfile conflicts—enables teams to more easily share reproducible code builds.

“Before npm security, people were just hoping for the best,” Adam Baldwin, Head of Security at npm, Inc. “Every developer needs to know that the code they use is safe. By alerting the entire npm community to security vulnerabilities within a tool they already use, we can make JavaScript development safer for everyone.”

Node Security Platform vulnerability alerts are already available to users of npm’s beta registry and will become available to all npm Registry users in coming weeks. To learn more, visit:

About npm, Inc.

npm, Inc., founded in Oakland, California, in 2014 by Isaac Z. Schlueter and Laurie Voss, maintains the npm package manager for JavaScript and hosts the world’s largest software registry. Created in 2009 as an open-source package manager for Node.js, npm has been embraced by millions of developers worldwide for client- and server-side applications as diverse as IoT, mobile development, financial services and aerospace. More than 150,000 companies, including BBC, DocuSign, eBay, Electronic Arts, Juniper Networks, Nvidia, Slack and Visa, rely on npm’s products and services to reduce developer friction and build amazing things.


FOLIO Communications Group, LLC
Cybele Diamandopoulos, 512-535-4422

Release Summary

New protections include automatic warnings of insecure code and actionable insights to help developers pinpoint vulnerabilities.


FOLIO Communications Group, LLC
Cybele Diamandopoulos, 512-535-4422