"The initial release was just bringing in the functionality that developers know and love from npm and enabling that in the enterprise," Ahmad Nassri, CTO of npm, told ITPro Today. "Now we're taking it a step even further, with advanced workflows that service the administrators and the enterprise security teams from a large team perspective, as opposed to an individual maintainer for a package."
"We're effectively giving enterprise administrators and the security teams at companies keys and the knobs to configure the workflows that they need to surface, based on their risks and the business policy that they want to apply," Nassri said.
Nassri added that the new update's package filtering features let an enterprise administrator set policy at a chosen level: for example, packages that have a known vulnerability at a given severity level cannot be used within the business. Going a step further, the plan is to extend that control and visibility so that other attributes of npm packages are also surfaced to users.
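As an added illustration of what such a severity-threshold policy looks like when evaluated against a dependency list (example code, not npm's or npm Enterprise's own), the snippet below returns the blocked packages together with the kind of actionable message a developer would see; the advisory feed, package names and the simplified `fixedIn` field are constructed for the example.

```javascript
// Added illustration of a severity-threshold package policy. Not npm Enterprise
// code; the advisory feed, package names and policy shape below are constructed.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed advisory feed: package -> list of advisories, each affecting
// versions strictly below `fixedIn` (a simplification of real range syntax).
const ADVISORIES = {
  'example-parser': [
    { id: 'EX-0001', severity: 'high', fixedIn: '2.1.0', title: 'prototype pollution (constructed)' },
  ],
  'example-logger': [
    { id: 'EX-0002', severity: 'moderate', fixedIn: '0.9.5', title: 'log injection (constructed)' },
  ],
};

// Compare two dotted numeric versions; negative, zero or positive like strcmp.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return the advisories that both affect the installed version and meet or
// exceed the administrator's severity threshold.
function violations(name, version, threshold, advisories = ADVISORIES) {
  const floor = SEVERITY_RANK[threshold];
  return (advisories[name] || []).filter(
    (adv) => SEVERITY_RANK[adv.severity] >= floor && cmpVersion(version, adv.fixedIn) < 0,
  );
}

// Evaluate a dependency list against the policy. The developer's install flow
// is unchanged; blocked packages come back with a message that names the
// advisory and the version that clears it.
function evaluatePolicy(deps, policy, advisories = ADVISORIES) {
  const blocked = [];
  for (const { name, version } of deps) {
    for (const adv of violations(name, version, policy.blockAtOrAbove, advisories)) {
      blocked.push({
        name, version, advisory: adv.id,
        message: `Blocked by enterprise policy: ${name}@${version} has a ${adv.severity} ` +
          `severity advisory (${adv.id}: ${adv.title}); upgrade to >=${adv.fixedIn}.`,
      });
    }
  }
  return blocked;
}
```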
"Just because something is published on the public registry doesn't necessarily mean it's free and doesn't necessarily mean it's not copyrighted and is allowed for your business," he said. "Our current trajectory for improving those workflows for our enterprise customers is to dive deeper into those areas, but right now this initial release is going to look at the security aspects of things."
Integration with single sign-on (SSO) has also been enhanced in the npm Enterprise update, making it easier for organizations to enable more advanced access and authentication options. Among the SSO enhancements are support for the OpenID Connect and Security Assertion Markup Language (SAML) standards.
The SSO support is particularly useful for npm orgs: in npm, every team can have a separate org with a specific scope for its own set of technologies, according to Nassri. Tying in SSO now lets an npm Enterprise administrator invite people from outside the company, including contractors, into the org group with an appropriate level of scope.
Using npm Enterprise
The public npm registry has been in use since 2010, and developers tend to already have an established workflow for how they work with npm in general. Nassri emphasized that npm Enterprise doesn't change the developer workflow in terms of the process that developers are already familiar with using.
"So if you're a developer and you rely on npm as part of your CI [continuous integration] environment, if an administrator comes in and starts applying a policy, your workflow stays the same. You don't have to change anything in terms of your build tools or your local tools," he said. "Instead, what you're seeing is when the policy starts hitting against risk profiles, or areas that an administrator has disabled, you start getting more meaningful messages about that."
"We're actually trying to provide them context with a better understanding of their footprint, and helping to get an understanding of how developers are building things," he said. "Every organization has different patterns and different workflows."
"We want to work closer with enterprise customers and make sure we're surfacing the right patterns and patterns that scale to the size that they operate in," Nassri said. "That could surface in so many different ways, whether in product features, user management features or with information that we can provide about usage patterns."