Developing compact web applications with Node.js - well described here!
This bash script is fun to write
This year in JavaScript: 2018 in review and npm's predictions for 2019
This study is adapted from my presentation npm and the Future of JavaScript. No data is perfect; if you have questions about ours you can read about the methodology used to gather this data.
npm has over 10 million users who download well over 30 billion packages every month. On an average Tuesday (npm's busiest day) users download more than 1.3 billion packages of open source JavaScript. This gives us a lot of information about what JavaScript users are up to. On top of that data, in partnership with the Node.js Foundation and the JS Foundation we ran a survey of over 16,000 developers to ask what they're up to.
From these two sources, we've uncovered some insights about the makeup of the npm community, as well as information about what the community considers to be best practices. This will help you make your technical choices in 2019.
JavaScript is the world's most popular programming language
It's no news to anyone that JavaScript is incredibly popular these days. Stack Overflow's 2018 developer survey has JavaScript as the most popular programming language (with fellow web languages HTML and CSS at the #2 and #3 spots). GitHub's most recent Octoverse infographic ranks languages by the number of pull requests received, and JavaScript is the top there, too.
The total number of JavaScript developers is hard to estimate. Slashdata's 2018 survey suggests there were 9.7M by the end of 2017 and growing quickly, meaning there are well over 10M at this point. npm's own estimates suggest there are over 10M npm users, and we see similarly rapid growth. There are JavaScript developers who do not yet use npm, but as a percentage of all JavaScript developers they are quite small, possibly fewer than 10%.
The npm Registry contributes to the popularity of JavaScript
Without question, JavaScript's popularity is driven by its ubiquity as the only language directly usable for developing web applications. However, a fascinating paper by Leo Meyerovich and Ariel Rabkin at Berkeley studied the factors contributing to programming language adoption and found that, overall, the availability of open-source libraries relevant to the task at hand was the most important factor in selecting a programming language.
Our own survey data support the conclusions of this study. The most common reason respondents gave for choosing JavaScript was the number of libraries available.
With over 836,000 libraries currently available, npm is the largest single collection of open-source libraries in the world, by a significant margin, although JavaScript's tendency towards smaller libraries means this comparison isn't entirely apples-to-apples. Regardless, this enormous reservoir of open source code means that the popularity of JavaScript and npm works both ways: the language gains popularity because of the Registry, and vice versa.
npm is used to build every kind of application
We asked users where the JavaScript they write is used. An overwhelming 93% of respondents said that they write code for the web, with a still-substantial 70% saying they write JavaScript that runs on servers, i.e., Node.js. However, many other application areas including Internet of Things (IoT), desktop applications, native mobile applications, and others saw substantial numbers of users, too.
This is a significant change for those of us who work at npm, Inc. and maintain the npm command-line tool. npm was invented to serve the needs of server-side app developers, and the needs of web developers are different. Becoming a majority-web platform has meant changing our priorities, which has led to new features like package locking by default.
npm is essential to web development
When npm, Inc. started in 2014, a tree of a few dozen JavaScript packages was typical. These days, the average modern web application has over 1000 modules, and trees of over 2000 modules are not uncommon. In fact, 97% of the code in a modern web application comes from npm. An individual developer is responsible only for the final 3% that makes their application unique and useful.
This is a huge success story for code reuse, for the strength of the npm community, and for open source in general. The time saved by not re-inventing the code in thousands of modules is saving millions of developers hundreds of millions of coding-hours.
npm has focused on security in 2018
To a great many developers, npm has simply become the way you build a website. This is a responsibility we take seriously. In our survey, 77% of developers said they were concerned about the quality and security of the open source libraries they used, and a worrying 52% said the tools currently available were inadequate. We went into more depth on these results in our post Attitudes to Security in the JavaScript community earlier this year.
In April, we announced that we acquired ^Lift Security and their product, the Node Security Platform. Today, the NSP is integrated directly into npm, and every install of npm includes security audits that notify users if they are installing insecure modules. We also furnish tools to easily correct these vulnerabilities by automatically installing secure versions of their modules. In addition, users of npm Enterprise and paid npm Organizations users receive notifications of embargoed vulnerabilities not yet publicly disclosed.
The demographics of npm users
The basic demographics of our survey respondents are covered in our methodology post, but there are several important facts worth highlighting:
1. We are mostly new. 25% have been using JavaScript for less than 2 years, and 51% have been using npm for less than 2 years. This is a side effect of the community doubling in size in that time!
2. We are mostly self-taught. 69% of npm users mostly taught themselves JavaScript, with the next highest being 22% who learned on the job.
3. We don't just write JavaScript. People who use npm aren't always strictly JavaScript developers: 30% each report writing Java, PHP, and Python, and smaller numbers of lots of other languages.
4. We don't just work at "tech" companies. 55% of npm users describe themselves as working at a company that wouldn't be considered a "tech" company.
There are also some ways that npm users don't differ from the general population of software developers, which is itself interesting. For example, npm users work at every size of company, in roughly the same proportion as those companies exist. JavaScript isn't a "big company" or a "small company" tech. npm users also are evenly distributed across every industry, as well as other demographics such as age and education level.
Everybody would like less tooling
JavaScript in 2018 is somewhat notorious for requiring a lot of tooling to get going, which is quite a reversal from the situation in 2014, when Node.js was considered an "everything included" framework. Today, most developers wouldn't consider Node to be a framework at all. True to that, all of our survey respondents would like to see less tooling, less configuration required to get started, and better documentation of the tools that do exist. But what tools?
We went in-depth into the popularity of JavaScript frameworks in our "State of JavaScript Frameworks" series (part 1, part 2, part 3) earlier this year. We won't reiterate all the findings of that analysis, but rather dive into a few updates of what's changed in the 9 months since then.
As a reminder, it's important to understand the "share of registry" metric we are using here: a "flat" graph in this case means strong growth, just not growth relative to the growth of the registry, which is always growing quickly.
React's growth has slowed
React continues to dominate the web scene. Over 60% of npm's survey respondents say they are using React, and it has grown further since then. However, that growth in 2018 has been slower than in 2017.
Angular downloads have stayed flat
The two major flavors of Angular combined have stayed roughly flat in terms of market share.
Ember's popularity has rebounded
In a very unusual phenomenon, Ember's popularity, which appeared to be declining, has continued a strong rebound. By September, more than twice as many developers were using Ember as at the beginning of the year. We're going to keep a close eye on this story, but we think Ember's resurgence is part of the explanation for the slowdown in React.
Vue's strong growth has continued
Vue was already growing quickly and that continued in 2018. Many Vue users report that they picked it over React because in their opinion it's easier to get started while maintaining extensibility. Our current theory is that React's growth has been slowed by many newer users picking Vue.
GraphQL continues hyper-growth
GraphQL, tracked by its most popular client library Apollo, continues to explode in popularity. We think it's going to be a technical force to reckon with in 2019.
Transpilers rule, led by Babel, and a surprise: TypeScript
Babel is familiar to any React user as the tool used to transpile React's next-generation JavaScript into the currently-supported JavaScript standards. In line with React's 60% market share, 65% of npm users report using Babel. (It also has uses outside of the React ecosystem.)
Something of a surprise, however, was TypeScript, with 46% of survey respondents reporting they use Microsoft's type-checked JavaScript variant. This is major adoption for a tool of this kind and might signal a sea change in how developers write JavaScript. We are definitely going to be asking more questions about TypeScript usage in the next version of our survey.
npm's predictions for 2019
It's always difficult to make predictions about an ecosystem as huge, varied, and fast-changing as JavaScript, but our data has led us to make a few predictions for 2019 that we think we can commit to.
1. You will abandon one of your current tools. Frameworks and tools don't last in JavaScript. The average framework has a phase of peak popularity of 3-5 years, followed by years of slow decline as people maintain legacy applications but move to newer frameworks for new work. Be prepared to learn new frameworks, and don't hold on to your current tools too tightly.
2. Despite a slowdown in growth, React will be the dominant framework in 2019. 60% market share for a web framework is unheard-of, and that's partly because React isn't a full framework, just part of one. This allows it to flexibly cover more use-cases. But for building a web app in 2019, more people will use React than anything else, and that will result in a big advantage in terms of tutorials, advice, and bug fixes.
3. You'll need to learn GraphQL. It might be too early to put GraphQL into production, especially if your API is already done, but 2019 is the year you should get your mind around the concepts of GraphQL. There's a good chance you'll be using them in new projects later in the year and in 2020.
4. Somebody on your team will bring in TypeScript. 46% adoption implies that TypeScript is more than just a tool for enthusiasts. Real people are getting real value out of the extra safety provided by type-checking. Especially if you're a member of a larger team, consider adopting TypeScript into your 2019 projects.
Stay tuned
One prediction we're very confident in making is that this community will continue to rapidly grow and expand the capabilities of JavaScript. As it grows, we'll be documenting new trends and sharing our insights with the community. You can follow along by subscribing to our weekly newsletter and following us on Twitter.
Writing Quality Vulnerability Reports
npm offers a way for security researchers, package users, package maintainers, and community members to report security vulnerabilities via the "Report a Vulnerability" button on npm Package pages. This provides the community a way to participate in coordinated disclosure with the package maintainer instead of opening a public issue, which could put users at risk.
These reports go directly to the npm Security team for triage instead of to the package maintainers. This is our way of helping the community spend less time on low-quality security reports.
In order for us to make sure reported vulnerabilities are handled rapidly and effectively, we need you, our community, to provide us with actionable, detailed information. Here are some basic dos and don'ts for your security report:
What should be included in a quality security report
The package name and version where you experienced the vulnerability. Example: [email protected] or marked@*
A short description of the vulnerability and its impact. Example: "If a user is able to control input into the function foo then the user is able to execute commands giving the attacker the same access as the user running the application."
Details of the environment in which you experienced the vulnerability. Example: "This was found to be exploitable using node.js 6.0.0 on OSX, but was not tested using any other platform or Node.js version."
A demonstrable proof of concept or steps to reproduce the same result. This helps the npm Security team efficiently triage the issue (see the example below).
Any particular references, code snippets, or documents that might help the npm Security team or the maintainer better understand (see the example below).
What should not be reported
Reports without actionable context are very time-consuming for our team to adequately process. These requests should go to the package maintainer in the form of an issue.
The output of npm audit - As the npm Security team already knows about these flaws, it's better to reach out to the maintainer directly to update dependency versions.
General feature requests
Stack traces or errors without explanation as to what security impact they have.
Also note: Vulnerabilities in the npm Registry, website, or other core services and tooling should be reported to [email protected].
Example quality report
I would like to report a command injection vulnerability in the "foobarbaz" package, version 1.0.0.
Follow the below steps to reproduce this vulnerability.
Environment:
Node.js v10.9.0 on Linux
1. npm i [email protected]
2. Create the following proof-of-concept:
The code below illustrates the issue. Executing this code in a directory that contains the file existingfile.zip (a valid zip file that exists on disk, does not necessarily have to be attacker controlled) will also execute the supplied touch xyz command creating a file, but this could be any command the user executing the code has permission to run.
```
var foo = require('foobarbaz');
var unzip = foo.unzip;
// Gather user input from some source. In this case we simulate it with a string
var userinput = './existingfile.zip; touch xyz"';
// This line calls the vulnerable method with our user input.
unzip(userinput, './unzipped', function(){});
```
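The class of bug in the example report, seen from the maintainer's side. This is an added example, not code from npm or from any real package: `unsafeCommand`, `safeArgv` and `childSees` are hypothetical names, and a small Node script stands in for the unzip binary so that nothing else is executed.

```javascript
const { execFileSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed input, same shape as the userinput string in the report above.
const userInput = './existingfile.zip; touch xyz"';

// Vulnerable shape: a single string that child_process.exec() would hand to a
// shell, so the ';' ends the unzip command and starts a second one.
// Shown only as a string here; it is never executed.
function unsafeCommand(archive, dest) {
  return 'unzip ' + archive + ' -d ' + dest;
}

// Hardened shape: an argument vector for execFile()/spawn(), which start the
// program directly without a shell. Resolving to absolute paths also keeps a
// name that begins with '-' from being read as an option.
function safeArgv(archive, dest) {
  for (const p of [archive, dest]) {
    if (typeof p !== 'string' || p.length === 0 || p.includes('\0')) {
      throw new TypeError('path must be a non-empty string without NUL bytes');
    }
  }
  return [path.resolve(archive), '-d', path.resolve(dest)];
}

// Stand-in for the real binary (assumption of this example): a throwaway Node
// script that reports the arguments it received as JSON.
function childSees(argv) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'argv-demo-'));
  const script = path.join(dir, 'echo-argv.js');
  fs.writeFileSync(
    script,
    'process.stdout.write(JSON.stringify(process.argv.slice(2)));'
  );
  try {
    const out = execFileSync(process.execPath, [script, ...argv], {
      encoding: 'utf8',
    });
    return JSON.parse(out);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// What a shell would be given versus what the child process actually receives.
console.log('shell string :', unsafeCommand(userInput, './unzipped'));
console.log('child argv   :', childSees(safeArgv(userInput, './unzipped')));
```

With the argument vector, the whole input arrives as one file name, so the call fails with "file not found" instead of running a second command.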
Thank you
We're grateful for our community's continual efforts to identify and report vulnerabilities and we look forward to your future submissions. We will continue to improve our tools and resources so that npm remains the source of trusted JavaScript.
Announcing npm.community
I am pleased to announce that npm is transitioning its public issue trackers from GitHub to a Discourse site at npm.community. This will allow us to give the community a single place to report bugs that impact npm, regardless of whether they're on the website, in the command-line tool or in the registry itself.
You can sign up today. Go to https://npm.community and log in with your GitHub account or create an npm.community account.
What Will It Accomplish?
By changing from bug tracking software to forum software specifically designed for software support, we hope to better empower users to help other users, and to recognize their effort in doing so. This will also make it easier for teams within npm to work with the community to identify and resolve the issues that they're encountering.
Discourse also gives us insight into what problems users are having the most often that GitHub issues do not. We will be producing regular reports on what we're seeing and how that's impacting our plans and priorities.
What About My Issues?
The existing repositories, including the one from the npm CLI will be archived. All existing issues will still be searchable, but further discussion will not be possible. If you want to discuss a previously existing issue, please copy it over to a new post on npm.community in the appropriate section.
What, exactly, is happening?
npm/npm is being archived. Further issues, comments and PRs will no longer be possible.
Requests for help, diagnostics and other support questions go in the support category on npm.community.
Reports of bugs go in the bugs category on npm.community.
Feature requests go in the ideas category on npm.community.
New RFCs will still go in the npm/rfcs repo. Discussion of those RFCs goes in the RFCs category on npm.community.
Pull requests and releases will come from the new npm/cli repo.
npm/registry is being archived. Further issues will no longer be possible.
Requests for help, diagnostics and other support questions go in the support category on npm.community.
Reports of bugs go in the bugs category on npm.community.
Feature requests go in the ideas category on npm.community.
npm/www is being archived. Further issues will no longer be possible.
Requests for help, diagnostics and other support questions go in the support category on npm.community.
Reports of bugs go in the bugs category on npm.community.
Feature requests go in the ideas category on npm.community.
npm/docs is being made private and reorganized.
npm/docs holds all the documentation on https://docs.npmjs.com except the "Using npm", "CLI commands" and "Configuring npm" sections. Those sections will live in npm/cli.
Reports of bugs go in the bugs category on npm.community.
When is this happening?
You can join npm.community today! We plan to archive the repositories on the 12th or 13th of July, 2018. There will be another post here at that time.
The ideas behind React, presented through examples.
A short introduction to React. The goals React pursues are laid out quite clearly here ...
A critical comparison of Angular2 & React: http://www.joergkrause.de/react-oder-angular
depending on the intended use!
An introduction that focuses in particular on the aspects you, as a developer, need to consider when moving over from the relational world.