Cover Your Apps While Still Using npm

By Tierney Cyren

Elevator Pitch

npm has outages and issues. Insecure code ships. Modules are unpublished. Do you have a plan for when the code you rely on becomes unavailable?

In this talk, we’ll cover the tooling available to end users to ensure they aren’t exposed to risk when the modules they depend on go away.

Description

In the front-end and Node.js ecosystems, we’ve had two extinction-level events: left-pad and pinkie-promise.

These events were both caused by something simple - a module became temporarily unavailable. Something seemingly innocuous caused thousands of developers’ and businesses’ builds to break and installs to fail. They weren’t prepared, and many were eager to blame npm as the single point of failure of the entire JavaScript ecosystem.

In reality, npm has made it dead-simple for developers and organizations to make sure their modules are highly available. The majority of the ecosystem isn’t aware of this, nor does it implement it effectively.

As we grow ever closer to 1 million modules published to the public npm registry, how can you protect yourself from the next extinction-level event when it happens?

In this talk, we’ll go over what can and will go wrong when using third-party JavaScript from a trusted source and how you can cover your apps with modern tooling - both as an individual developer and as a business.

Notes

This talk is a mixture of slides and live coding - a projector or display is needed.

I’ve worked pretty extensively in this space, and have had the opportunity to work with everyone from individual developers who were bitten on their weekend projects to developers at major enterprises who went into full-panic mode and had to deal with the left-pad incident.