From YouTube: The journey of a package from the npm registry to your computer - Jeffrey Lembeck @ JSHeroes
Description
Ever wonder what happens when you `npm install` something? Follow an odyssey across the wires as our hero client embarks on an adventure to bring you the software that you need, right when you ask for it. After this talk you'll have a better understanding of the course a package takes - helping you understand architecture that works at scale as well as being able to troubleshoot package installation problems.
Recorded on 2018-04-12
A
I don't, I don't know how many of you have spoken at conferences. At least 23 of you have, because, you know, today, or if this this thing by, like, sometimes you follow up, like, a really good speaker, and you're like, and I'm following up all of them. So right now I'm in, like, super weird panic mode, and that's fine. It's been a really incredible conference and, as the last person up here, I get to do things like: everybody, give a round of applause for all the speakers.
A
And a really, really big one for all of the organizers, who can't possibly have done a better job. Thank you, seriously. The community here is amazing. So, as mentioned, I am Jeff Lembeck. This is my Twitter handle. Screens are there and there, I'm looking everywhere, like, which one should I look at? Down there?
A
Probably. So there's my Twitter handle. You can, like, holler at me there and say really nice things about my talk while I'm talking, and then I'll get them afterward and feel super good. Or you could say, like, terrible things and I'll block you just immediately, 'cause who does that? Also, my slides are there; there's the URL for it.
A
It has presenter notes inside of it, which I realized earlier that I leave actual notes for myself, like "don't do that, you idiot", and that definitely made it in there this time, so good times. So, force more unnecessary introduction. I am, once again, from Seattle, and I'm an extremely Seattle person, like every stereotype under the sun. I roast my own coffee, yeah, and I, but I don't drink Starbucks at all, so you know Marcy.
A
This is a picture of Seattle that's incredibly accurate. I took it from my house. Don't Google what Seattle looks like; it's just like that, so just trust me. But most importantly, though, that picture is, it's not a current picture of Seattle; it's from the before time. You see, today I'm here to tell you a story, a story about a hero. So let's go.
A
The world is veiled in darkness. Dependencies are inconsistent, builds are slow, version numbers matter not. The people wait, their only hope a prophecy: when dependency hell has plagued your JavaScript project, a tool will come. After a long journey, some programmers arrive, each holding a pretty loaded metaphor for a technical talk. I give to you: Package Quest.
A
This task sounds grueling. Building each piece of a website from nothing involves strong magic, patience and time, and in a world where each of these items is scarce, we need something to help us, something to guide us, something to give us the pieces that leave us less exposed to the cruel, monstrous insects that anger our user gods.
A
The registry. The only thing that we know is that tend to the registry, there's talk of a tool, a magical weapon to destroy dependency hell, that was forged by sorceresses of colorful hair. This tool survived multiple iterations and was faster and more powerful than anybody could have imagined. This tool is called npm.
A
According to old documentation found in the runes of GitHub, our magical tool requires the help of three companions: Shishigami, the forest spirit; pacote, the master of packages; and registry client, a smuggler that can give you a special passcode to enter the registry. Each of these, when brought to the sorceresses of colorful hair, can be forged together by the light of JavaScript to create the npm tool. And so, hero, to begin, we visit Shishigami, the creator of the dependency tree.
A
The forest spirit's job is to piece together exactly what you need from your install. It scours through your list of package demands and also through what you already have installed and puts together an ideal tree, a perfect structure of your dependencies, so all your needs will be served. It achieves this by first reading your local package tree. It does this by combing through your node_modules folder.
A
According to the documented scriptures of pacote, this information will be delivered via Corgi doc. Okay, so it's literally called a Corgi doc, which, naming of things internally at npm is about this consistent. So because it's tiny, but it's all I got, I, like, go on the internet and I start to Corgi doc, because this is bound to turn up funny things, and this is the picture I get, and hell.
A
cacache is pacote's nearly endless pack of fun. It is a key-value storage system written in Node.js that is immensely fast. By the way, no, that is actually named cacache. What it does best is get you the correct data quickly. It does this with great concurrency, incredible fault tolerance, support for SHA-1 and 512, and data consistency that notices if its data is corrupted. During installation with the npm tool, cacache stores the package data on disk there.
A
If the content is unavailable in the cache, pacote uses make-fetch-happen to fetch the package. make-fetch-happen is a wrapper around node-fetch, which is a Node.js implementation of the browser's window.fetch. make-fetch-happen tacks on HTTP cache support, request pooling and several more features to make it very easy to use and very fast. Its caching system relies upon cacache, because pacote knows that make-fetch-happen uses cacache as its caching system.
A
When pacote is asked to fetch a package, it can use cacache directly to get any data that it would use make-fetch-happen to request, before it uses make-fetch-happen to get the package. So first it asks cache: do you know about the package I need? Many times, the cache says yes. But when it says no.
A
So it can build your dependency tree perfectly. pacote is largely the workhorse of the npm tool and lives in a repository on GitHub, where you can find her. You ask; she eagerly joins your party. If you actually want to find pacote, it's under zkat, so it's zkat/pacote. Should have a point there. Book 1, Chapter 3. The last and final spirit you need to build the tool is the registry client. Much like many other API clients,
A
The registry client is a wrapper around an external API. Registry client allows you to talk to the registry for most anything revolving around your account and management of things you own. This includes changing ownership of packages, publishing and unpublishing packages, adding and removing members to and from your orgs and teams, and, in this case, authentication. When you use the registry client for authentication, it asks you for your username, password and email address.
A
Then it takes that to the registry and returns with an authentication token. When you authenticate, the registry remembers your token and you store it in your .npmrc file. That token will be useful when you and pacote use the tool to go and get your package. You find registry client lurking behind a corner on GitHub. You pass it a note saying:
A
"Will you join my party?" It nods its head and follows behind you. Book 1, Chapter 4. pacote, Shishigami and the registry client have guided you to npm, Inc., home of the sorceresses of brightly colored hair. They introduce themselves and walk you and your new party members to the installer. Within the realms of the installer, they forge together the spirits of your party members to be called upon anytime you desire.
A
Their magic is strong, and they have added to the tool the ability to increase its level, to learn new skills and talents along the way, while simultaneously making the quest to obtain your packages smoother. You can do this by telling the tool to install itself, and as of today, you will character off as of today.
A
You'll get version 6. But not, like, today right now; today West Coast time in the US. So tomorrow, do it tomorrow. There's new functionality: an improved update command, a new npm view, a new init which takes initializers, like, you can do npm init react-app and it will use create-react-app to create an application, and anything else that follows that very specific setup. npx is in there, and that was actually added in 5.
A
"CLI, CLI, CLI," they chant. The tool is yours. Go, log in, then install. Book 2, Chapter 1. With the mission to forge the CLI complete, we turn to our map to see where the path forward leads. All signs point to the great registry: registry.npmjs.org. Let us make the journey. You start your quest at the land of Terminal Point.
A
Email: Jeff, a Tempe, MJS comm. And with that, you're whisked away. We ride the road of the great network to the first destination on this request: the shopkeep. She goes by the name of CDN. CDN is a class who specializes in speed. She and her sisters, all with the same name and same personality, like, just different locations, like a Nurse Joy or Officer Jenny kind of character.
A
Anyway, if you get that reference, that's cool, spread the globe and position themselves in ways so you'll get to them far more quickly than if you were to reach out to just one part of the world. She handles the cache for packages, and if you approach her with the name of the package you were looking for, she will do her best to get it for you.
A
Unbeknownst to many, CDN also provides traffic routing. She handles all requests to the registry and will forward them along to where they need to go. How she does her work is largely based on two things: her cache and a light routing layer written in VCL. CDN looks at you. "What brings you here?" "Authentication."
A
"Let me see. Right this way." CDN guides you to a path. "Ahead lies Foyer. Go." You are whisked away to the next destination. Book 2, Chapter 2. Foyer operates as the entry point to the npm registry. Information about packages, users, orgs, teams, and any modification to these things must first go through Foyer. Foyer also handles the path to authentication. You and registry client knock on the doors. From behind the walls you hear: "What is your purpose?"
A
"One moment." The guard behind the door whisks away. Book 2, Chapter 3. npm-auth-ws is who the guard takes you to, and is a gatekeeper for proving who you are and where you can go. She is quiet and only speaks with messengers from behind the doors of Foyer. npm-auth-ws will be handling your authentication today, authentication being when you can prove who you are.
A
The synecdoche API is the glue that binds together the two beholders of truth: user ACL 2 and payments API. Its API acts as a proxy for user ACL 2, and when requests come through that gather or change information about payment, it also makes a call to the payments API. They're easy to remember in these sweet illustrations, because user ACL 2 has, like, the fancy plume, where she keeps track of everything, and payments API has a super fresh coat and lots of jewels. As the npm-auth-ws reaches out to log in,
A
The request is proxied through synecdoche API to user ACL 2. As mentioned, user ACL 2 is the grand beholder of truth. If any changes are made to any accounts, it is written by user ACL 2, and then that information is sent elsewhere via and SQ messages. Any of the calls to Foyer from the registry client that might involve changing teams, organisations, package permissions or users use user ACL 2, and, most relevant for this story, logging in happens in user ACL 2. npm-auth-ws is trustee client friend, npm, ooofff user API.
A
Your token is written in your .npmrc file. You are now logged in. Book 3, Chapter 1. Now that you are logged in, it's time to install. You look around and are surrounded by nothing. Terminal Point is empty, with the exception of you and the CLI. Your mouth starts making a sound like it had made a thousand times before: "npm init".
A
Yes. You're not sure where that came from or where you'd heard it, if you've ever heard it, but there it was, and now in front of you is a package.json file. You look at the CLI once again and say: "npm install express". Shishigami arrives and looks around, seeing no node_modules folder, no package-lock.json. Shishigami whistles and pacote arrives, carrying cache over her shoulder, or in her hand, like this.
A
"Excellent. Go along." You remember from before that a Corgi is a metadata file for the package requested. It's significantly smaller than your standard JSON representation of the package, and it includes dist-tags, version numbers and each version's dependencies. Since the package is unscoped, it is a public package, so there's no security to worry about. All public packages are readable by everybody.
A
CDN sends you to a specific address in the Cave of Wonders. You arrive at the Cave of Wonders, an S3 or Google Cloud Storage instance that is the home of packages and their information, served right from the disk. "Who disturbs my slumber?" "Hello." "What do you need?" "We're here for the Corgi of this unscoped package. Here is the address." "Very well. Go right along."
A
And take it back to CDN, who then caches it for quicker retrieval the next time it's needed. After that, you head back to Terminal Point. Once arriving, you and pacote hand over the Corgi doc to Shishigami, who reads it and then sends the two of you back to the Corgi for each dependency. This occurs until all the Corgi docs are retrieved. Once Shishigami has all the docs necessary, it produces a dependency tree.
A
You've gained a dependency tree. Now that you have your dependency tree, the tool begins glowing again. It calls upon pacote to get the packages. pacote sees the versions and packages needed and uses those to create new routes to request. This time, it's tgz files: tarballs. pacote checks inside of her bag. It's empty. She pulls out make-fetch-happen, says a few words, grabs your hand, and once again you're on the road to CDN. Tarballs are CDN's specialty. Exciting. pacote walks up to CDN.
A
"It says here that I need to reach this address." "Oh, let me see if this is in my cache. It is. Here you are." pacote thanks, and you're on your way back. CDN's caching system stores cacheable tarballs at its points across the globe. That means that public packages that have been downloaded by other users can be saved after they've been retrieved from the package servers. This makes for an extremely quick experience. pacote's make-fetch-happen again stores the package away for you in cache.
A
Just in case you need it again. Side note: if you use npm install --prefer-offline, you can just hit, every time, with no network hit, the cache first, and if you've installed it in any package, automatically that's where you end up downloading from, so you do it with no network hit. So if you've installed for a project before and nobody's added any new stuff, and maybe that directory got wiped out, --prefer-offline, well, like, you could do it on a plane, like, even a United one. Their internet's terrible.
A
Sorry if you work on United stuff. On to the next package: array-flatten version 1.1.1, and back to CDN you go. On the way you ask pacote, "Do you really make one trip at a time?" pacote laughs. "Oh, dear developer, this is Node.js, and some guy's just on a stage teaching people about how this works. It's, of course, async. We're walking through this serially for learning benefits." You nod.
A
"We're here for this specific unscoped package." "Very well. Go right along." You grab the package and head back to CDN, who asks if she can make a copy in case someone else wants this later. Then you head back to Terminal Point. This continues through all of these public packages. pacote checks cache, does not have the necessary package, heads to CDN. She either has the package or not. If not, she sends you to the closest package server and makes sure to cache the package on your way.
A
npm install finishes. You hear a song sing the words: preinstall, build, install, postinstall, finalize, refresh package.json. Your package.json has changed. All your files are properly placed and built, and they are now requiring your project and you can use them in the end. Book 4, Chapter 1. I'm coming up way over this time, sorry. All things are peaceful again. You can move quickly and build your web application.
A
Now that you have a framework in place, but you need another package, and this time it's a private one for your org. You pull out your trusty CLI and speak into it: "npm install my private package". Shishigami arises again and calls upon pacote for you to get the Corgi for your scoped package. You and pacote head off to the CDN. CDN asks what you're here for and notices that your Corgi doc request is for a scoped package. Before you can say anything else,
A
Book 4, Chapter 2. Idea, if I, the master of autumn, protector of the cave, carries the keys to your journey to package server. She will make sure that you are who you say you are and that you are capable of viewing that package. Then she will tell CDN if you are worthy. She asks you for your credentials, mainly the authentication headers.
A
Credentials, mainly the authentication headers that CDN makes sure you have, and sends you to the eye of authen. The eye's true name is identify. I tried to get it to be named eye of authen, and nobody was down with that at npm, which I find very unfair. That name is sick. And you come to it from I do fi. It wants the exact request you came with and it examines your headers. In particular, it cares for your authorization, cookie and CDN client IP headers.
A
Since we were unable to bring a session cookie from which to feed the eye, it will have to look into our authorization header. An authorization header includes the scheme and the credentials being used. For the eye, the scheme is Bearer and the credentials are your authentication token, bestowed upon you when you logged in. If your credentials match the records that identify keeps, it gifts you with the sigil of your house, sure, let's go with that. You will no longer be questioned and you will be sent along your way. Now,
A
How does it check? Remember logging in? When your token was created, it was stored in a Redis instance. Man, my voice is going, so now I'm just, like, back to speaking normally. It was stored in a Redis instance that is now being referenced by identify. As long as that token remains in Redis, it is valid to reference and can be used to get through identify. The tokens that you've used are available there.
A
We will never deploy, or display, your entire tokens. Also, I have way too many tokens and probably should delete some of those. That is a security hazard. Now that your token has been retrieved, it is set as the value on the response back to ID author Phi, a bearer header. That header is your sigil. You have successfully been authenticated. Congratulations. Now that you have proven that you are who you say you are, you show your bearer header to ID ossify,
A
Who then will find out if you're capable of accessing the package that you would like to install. In order to get this information, idea if ID checks with a keeper of user authentication data, user auth cache. For the sake of things, let's just say that user auth cache goes and finds out via user ACL and payments API, and today is a good day for you. Nothing has been invalidated in the wrong way. You have your cache. The cache says: hey, this person is who they say they are, and they have access to what they want.
A
The news is good. You are now allowed to proceed back to the CDN with your head held high. If user auth cache returns with bad news for idea, ossify, you receive the mark of Forbidden, which is a 403. Book 4, Chapter 4. Now that you have permission from ID author Phi, you return to CDN with new credentials. She checks her cache to see if there's an entry with these specific credentials and this package. It is not there. She opens the door to the path of the Cave of Wonders.