From YouTube: I want my npm - Daniel Sauble & Orion Letizi
Description
Security, speed and dev experience in enterprise JavaScript
A: Hello, everyone, and welcome to today's webinar, a technical session called "I want my npm." My name is Danielle Wambach and I'll be the moderator. I work here on the marketing team at npm and I'm excited to be hosting today's session. I'm pleased to introduce today's npm speakers, Daniel Sauble, who is a product manager, and Orion Letizi, who is a product marketing manager. Before I hand over to them, I have a few housekeeping items to cover about the presentation and the BrightTALK webinar platform.

A: First, today's webinar will be available on demand after the live session and is accessible through the same link you're using now. We've also added some attachments, which are available through the attachments tab at the bottom of your screen. This is where you can find today's slides and other content, including npm's blog and all of our webinars. Next, we'd love to hear from you during today's presentation.

A: If you have a question for Daniel or Orion, please feel free to send it through the "Ask a question" tab at the bottom of your player. We'll be answering questions at the end of the session, but please feel free to submit at any time. If we don't get to your question during today's webinar, we will be sure to follow up with you afterwards. Now over to you, Orion.
B: Unfortunately, friction between open-source JavaScript and enterprise requirements can make it a challenge to take advantage of the full JavaScript ecosystem in an enterprise context. We'd like to close by presenting a formula for using the tools and best practices of open source JavaScript in the enterprise. With that, I'll hand it over to Daniel. Great, thanks.
C: And it turns out that, again, most people who use JavaScript use npm as their package manager. It wasn't that long ago when the way you used JavaScript was to add a script tag to your HTML pointing to a JavaScript file hosted on some external server. But we've come a long way from there. So today, 99.5% of JavaScript developers use npm to manage their JavaScript, and of people who use JavaScript,
C: the reason why people use JavaScript is because of this open source package ecosystem around the language, and 75% of people say that that's why they use JavaScript. And so when we look at a typical web app, you see that 97% of the code is downloaded from npm. So it's really kind of amazing. These numbers are all really incredible, but just to focus on that last one: 97 percent of that code comes from npm. So in the same way that JavaScript is really the world's most dominant programming.
B: Cool. So, as we all know, development with JavaScript is extremely modular. That's a significant part of why the library is so successful. The units of reuse are small enough that for any given need you're likely to find that there's a package for that, and there also tends to be less overlap and redundancy. The extreme modularity does come at some degree of cost, however.
B: In the old days, when there were just a few libraries to choose from, finding the right tool was more about reading the docs, but now it's more about finding the right package, and without a tool like npm to provide package discovery and to manage the complex interdependencies between packages, the current shape of the library would be impossible to use.
B: Another cost is increased risk. The total vulnerability of your code is the vulnerabilities in your code and of each package in your dependency graph, and by far the largest percentage of the code in your project comes from outside of your development group. You are not in control of the security risks that you're bringing into your team and into your production code. So with the explosive growth of the number of packages available,
B: inevitably, security and compliance risks creep in and become difficult to manage. So those risks in the enterprise are often poorly managed, especially where infrastructure and processes tend to lag behind the bleeding edge. The risk management tools that enterprises do have in place tend to be out-of-band of the standard developer workflow, and the friction of this tools mismatch causes a drag on productivity.
B: It also provides a perverse incentive for developers to circumvent the institutional processes simply to get their jobs done, and this gap between the canonical JavaScript tools and processes and those often required in the enterprise makes it difficult to discover vulnerabilities and assess impact enterprise-wide. There are many customers who, despite having security tools in their CI/CD chain, have found vulnerable packages make it through to production anyway, and often to their surprise and chagrin. Obviously,
B: so using open source JavaScript does add risk to businesses, even though it provides a great deal of power. Because of this, enterprises are often forced to sacrifice the productivity and efficiency benefits of using the public registry in favor of mitigating risk, and especially since most large shops use many different programming languages, they tend to adopt some kind of private package repository solution that tries to manage the risks of using open source across all platforms.
B: Unfortunately, polyglot artifact stores like that are built to serve a common denominator across all languages, which necessarily requires some compromise for JavaScript developers. Those compromises come in the form of limited collaboration across teams, because search and discovery is limited or non-existent, and a non-standard, frustrating and inefficient JavaScript workflow that, in the worst case, can introduce more risk because of perverse-incentive workarounds.
B: The conflict between developer and enterprise needs leads to an impedance mismatch between what JavaScript developers are used to and want to do, and what the enterprise allows. Enterprises need to ensure compliance, security and reliability, but they need tools to do that in a way that helps developers complete projects on time and under budget. And for my last slide: we have a solution for this
B: impedance mismatch, a way for JavaScript developers to safely bring the best practices of open source JavaScript and the entire JavaScript ecosystem seamlessly into an enterprise context, using the tools that they're familiar with, in the way that they like to use them. With that, I'll hand the mic over to Daniel to show how our flagship commercial product, npm Enterprise, does just that.
C: So npm Enterprise is a solution to this tension problem that checks a lot of boxes for both developers and enterprises. It's kind of like a repository manager, but it's a repository manager that has a great developer experience with all those controls that enterprises need. So we'll get into some of these areas in the following slides.
C: So the first thing that npm Enterprise gives you is really seamless integration with your existing developer workflows. It has full support for the npm CLI, so all those npm commands you use work just as well with npm Enterprise as they do with the public registry, and the search experience is really great. Again, it works just as well as the public registry. So if you're searching your packages, you're not only searching the fields and metadata on those packages, but also the readme, so you end up getting results that represent
C: what's in your private packages that are being hosted with npm Enterprise, along with those public packages. And finally, the web interface for npm Enterprise, again, is very similar to the public registry, and so the sum of all these things means that the learning curve for developers is very close to zero.
C: The third thing that npm Enterprise gets you is much better security, and so it has all the security features that you expect from the public registry: things like the vulnerability reports when you run npm audit or npm install; it has two-factor authentication; it has information about security advisories. But it also adds a few features which provide additional security that really matters in an enterprise context, things like role-based access control or single sign-on.
C: And the last area of features that npm Enterprise gives you is improved visibility and control into JavaScript. So, for example, we mentioned that there's an extreme level of modularity in JavaScript, and what npm Enterprise is really good at is helping you tease out that web of transitive dependencies to better understand the true surface area of what your application is pulling in.
C: So this is a diagram which might help to better illustrate how npm Enterprise could fit within your existing development workflow. On the far left, you see the npm public registry. This is the thing that your teams and your tools talk to today. You can see that npm Enterprise sits immediately to the right and serves as a drop-in replacement for that public registry.
C: So, as we mentioned, it's a single-tenant instance with a bunch of security features that are useful in the enterprise, and because it sits in front of the public registry, it's in a really good place to provide enforcement, to make sure that these security policies are actually applied in your organization.
C: Another interesting point that you see here is that before, those teams talked directly to the public registry, but now they talk directly to npm Enterprise. So when they're doing search and discovery, they're going through your npm Enterprise instance, and this becomes really interesting for a number of reasons, one being that it's a really great search experience.
C: So, as a last point, you can see also that npm Enterprise fits really well with your existing tooling. In the same way that the people who talked to the public registry now just talk to npm Enterprise, instead of your package manager proxying the public registry, you just proxy npm Enterprise, and it's basically just changing a URL. So it's really easy to add npm Enterprise into your existing CI/CD pipeline.
B: Well, you know, obviously JavaScript is a dominant programming language, and if you're using JavaScript, there's a toolkit that you know and love that is sometimes hard to use in a large organization, because they have restrictions on what tooling you're allowed to use. So we're offering a solution to that impedance mismatch in the form of npm Enterprise, so you can have your npm the way you like it, and the enterprise gets all of the security and compliance satisfied as well.
C: So I see one question here asking: how did you get those JavaScript usage stats, Daniel? Is that info publicly available somewhere? So those stats come from, I believe it's called, the 2018 JavaScript ecosystem report, which I believe was generated through a survey, so that's where those numbers around JavaScript usage came from.
B: Here's one I'll take: "I already have a package manager. How does npm Enterprise work with other package managers?" I mean, we sort of went over it, but the thing is that, yeah, the package manager, you're going to use the package manager you've got, because that's what you have to use, but that part is really for once you've thrown it over the wall into the build pipeline.
B: What we're saying with npm Enterprise is: use this at the front of your development pipeline. As a developer, you can use npm Enterprise as essentially a drop-in replacement. Basically, you just log into it and you start using npm Enterprise, and it looks and acts exactly the way the public registry works, and then, when you want to use it in the downstream CI/CD pipeline, reconfigure which endpoint the package manager uses to look at the public registry, and it's as if nothing had changed.
A: Great, well, thank you so much Daniel and Orion. As mentioned earlier, today's webinar will be available on demand after the live session and is accessible through the same link you're using now. We've also added some related material which is available through the attachments tab at the bottom of your screen. Finally, if you like what you heard today, please tweet out your thoughts on today's webinar using the npm hashtags. Thank you for joining.