
npm Updates Enterprise JavaScript Developer Platform

The latest version of npm Enterprise adds new package filtering capabilities and enhances single sign-on, in an effort to improve developer workflow.

npm Inc. is continuing to grow its enterprise JavaScript platform with new features that improve developer workflow and security.

npm Inc. is the commercial organization behind the node package manager (npm) and its associated public registry, which is used by more than 11 million developers to support application development with the widely used node JavaScript framework. The first release of npm Enterprise came out in March, providing organizations with features that go beyond what is in the public npm registry to help enable enterprise development workflows. In the new update, npm Enterprise is building out those enterprise capabilities to provide additional functionality.

"The initial release was just bringing in the functionality that developers know and love from npm and enabling that in the enterprise," Ahmad Nassri, CTO of npm, told ITPro Today. "Now we're taking it a step even further, with advanced workflows that service the administrators and the enterprise security teams from a large team perspective, as opposed to an individual maintainer for a package."

The npm Enterprise offering is a cloud-based platform that lets organizations manage private JavaScript packages while also integrating with the public npm registry. The enterprise JavaScript platform provides collaboration features and, now, security controls that promote best practices for code usage across an organization. The updated package filtering capabilities in the npm Enterprise update are designed to make it easier for organizations to keep track of the packages being used.

"We're effectively giving enterprise administrators and the security teams at companies keys and the knobs to configure the workflows that they need to surface, based on their risks and the business policy that they want to apply," Nassri said.

Nassri added that in the new update, the package filtering features let an enterprise administrator set a policy level. So, for example, packages that have a known vulnerability at a given severity level cannot be used within the business. Going a step further, the plan is to enhance the control and visibility around packages so that other attributes of npm packages will be surfaced for users.
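As an added illustration, not code from npm Enterprise or from this article, here is the kind of severity-threshold policy the paragraph describes, written in JavaScript: a resolved dependency list is checked against an advisory table, and any package with a known vulnerability at or above the administrator's chosen severity is rejected with an explicit message of the sort a developer would see in CI. The package names, advisory ids, policy shape and the simplified version-range syntax are all constructed for this example.

```javascript
// Added example (not npm Enterprise code): a severity-threshold package policy.
// All package names, advisory ids and the policy shape below are assumptions
// made for illustration.

// Ordered severity scale so a threshold can be compared numerically.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample advisories (hypothetical packages) in the shape an audit
// report might give: package, affected version range, severity, advisory id.
const SAMPLE_ADVISORIES = [
  { name: 'left-widget', range: '<2.1.0', severity: 'high', id: 'EXAMPLE-1' },
  { name: 'tiny-parse', range: '<0.9.4', severity: 'low', id: 'EXAMPLE-2' },
  { name: 'old-crypto', range: '*', severity: 'critical', id: 'EXAMPLE-3' },
];

// Minimal semver-style comparison for the constructed data: "a.b.c" numbers only.
function parseVersion(v) {
  return v.split('.').map(Number);
}

function lessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Only two range forms are supported here: '*' (all versions) and '<x.y.z'.
function affected(version, range) {
  if (range === '*') return true;
  if (range.startsWith('<')) return lessThan(version, range.slice(1));
  throw new Error(`unsupported range syntax in example: ${range}`);
}

// Evaluate one package@version against the policy. Returns a decision object
// so a caller (or a test) can inspect it rather than relying on printed text.
function evaluateInstall(pkg, policy, advisories = SAMPLE_ADVISORIES) {
  const threshold = SEVERITY_RANK[policy.blockAtOrAbove];
  if (threshold === undefined) {
    throw new Error(`unknown severity in policy: ${policy.blockAtOrAbove}`);
  }
  const hits = advisories.filter(
    (a) => a.name === pkg.name && affected(pkg.version, a.range)
  );
  const blocking = hits.filter((a) => SEVERITY_RANK[a.severity] >= threshold);
  if (blocking.length === 0) {
    // Allowed, but lower-severity findings are still surfaced as warnings.
    return {
      allowed: true,
      name: pkg.name,
      version: pkg.version,
      warnings: hits.map((a) => a.id),
    };
  }
  const reason = blocking.map((a) => `${a.id} (${a.severity})`).join(', ');
  return {
    allowed: false,
    name: pkg.name,
    version: pkg.version,
    reason,
    message:
      `${pkg.name}@${pkg.version} is blocked by policy ` +
      `(severity >= ${policy.blockAtOrAbove}): ${reason}`,
  };
}

// Apply the policy to a whole resolved dependency list, as a CI step might.
function evaluateManifest(deps, policy, advisories = SAMPLE_ADVISORIES) {
  const results = deps.map((d) => evaluateInstall(d, policy, advisories));
  return {
    blocked: results.filter((r) => !r.allowed),
    allowed: results.filter((r) => r.allowed),
  };
}

// Constructed policy and dependency list for the demonstration.
const POLICY = { blockAtOrAbove: 'high' };
const DEPS = [
  { name: 'left-widget', version: '2.0.5' }, // affected by a high advisory
  { name: 'left-widget', version: '2.1.0' }, // fixed version
  { name: 'tiny-parse', version: '0.9.0' }, // low severity: warn only
  { name: 'old-crypto', version: '1.0.0' }, // critical: blocked
];

const report = evaluateManifest(DEPS, POLICY);
for (const r of report.blocked) console.log(r.message);
for (const r of report.allowed) {
  console.log(`${r.name}@${r.version} allowed` +
    (r.warnings.length ? ` (warnings: ${r.warnings.join(', ')})` : ''));
}
```

The design point is that the developer's command does not change; the policy sits between the request and the registry, and the only visible difference is a clear reason when something is refused. Raising `blockAtOrAbove` to `critical` would let the high-severity package through, which is exactly the knob the article says administrators get to set.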

"Just because something is published on the public registry doesn't necessarily mean it's free and doesn't necessarily mean it's not copyrighted and is allowed for your business," he said. "Our current trajectory for improving those workflows for our enterprise customers is to dive deeper into those areas, but right now this initial release is going to look at the security aspects of things."

npm Orgs

Integration with single sign-on (SSO) has also been enhanced in the npm Enterprise update, making it easier for organizations to enable more advanced access and authentication options. Among the SSO enhancements are support for the OpenID Connect and Security Assertion Markup Language (SAML) standards.

The SSO support is particularly useful for npm orgs: at npm, every team can have its own org, with a scope specific to that team and its set of technologies, according to Nassri. Tying in SSO now lets an npm Enterprise administrator invite people outside the company, including contractors, to be part of the org group with an appropriate level of scope.

Using npm Enterprise

The public npm registry has been in use since 2010, and developers tend to already have an established workflow for how they work with npm in general. Nassri emphasized that npm Enterprise doesn't change the developer workflow in terms of the process that developers are already familiar with using.

"So if you're a developer and you rely on npm as part of your CI [continuous integration] environment, if an administrator comes in and starts applying a policy, your workflow stays the same. You don't have to change anything in terms of your build tools or your local tools," he said. "Instead, what you're seeing is when the policy starts hitting against risk profiles, or areas that an administrator has disabled, you start getting more meaningful messages about that."

The npm Enterprise service also provides JavaScript footprint analysis and usage pattern reporting capabilities. Nassri said that many organizations have not been fully prepared for the growth of JavaScript usage within their development teams.

"We're actually trying to provide them context with a better understanding of their footprint, and helping to get an understanding of how developers are building things," he said. "Every organization has different patterns and different workflows."

Looking forward, the plan for npm Inc. is to continue to improve its enterprise JavaScript platform and the overall developer experience.

"We want to work closer with enterprise customers and make sure we're surfacing the right patterns and patterns that scale to the size that they operate in," Nassri said. "That could surface in so many different ways, whether in product features, user management features or with information that we can provide about usage patterns."
