Built-in security features
npm v6 is the result of npm's acquisition of the Node Security Platform (NSP) and the collaboration that followed. It introduces two new security features:
Every user of the npm v6 Registry will begin receiving automatic warnings when code they install has a known security issue. npm automatically checks install requests against the NSP advisory database and returns a warning if any installed package contains a known vulnerability.
npm v6 also has a new command, 'npm audit', which lets developers recursively analyze their dependency trees to identify specific vulnerabilities, after which they can upgrade to a patched version or find a safer alternative dependency.
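One way to act on such a report in a CI/CD job, as an added example that is not code from npm or the NSP: a Node script that takes the parsed JSON of 'npm audit --json' and fails the build when any advisory at or above a chosen severity is present. The embedded report is constructed for illustration and follows the npm v6 report layout (advisories keyed by id, each with module_name, severity, findings and patched_versions); the package names and ids in it are placeholders.

```javascript
// Added example: gate a CI build on the output of `npm audit --json` (npm v6 layout).
// SAMPLE_REPORT is CONSTRUCTED; "example-dep", "other-dep" and the ids are placeholders.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = {
  advisories: {
    "1001": {
      id: 1001, module_name: "example-dep", severity: "high",
      title: "Placeholder advisory (constructed sample)",
      vulnerable_versions: "<1.2.0", patched_versions: ">=1.2.0",
      findings: [{ version: "1.1.0", paths: ["app-lib>example-dep"] }],
    },
    "1002": {
      id: 1002, module_name: "other-dep", severity: "low",
      title: "Placeholder advisory (constructed sample)",
      vulnerable_versions: "<0.5.0", patched_versions: ">=0.5.0",
      findings: [{ version: "0.4.0", paths: ["other-dep"] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

// Return the advisories at or above `threshold`, with the dependency path that
// pulled in the vulnerable version and the version range that fixes it.
function findBlocking(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.advisories || {})
    .filter((a) => SEVERITY_RANK[a.severity] >= min)
    .map((a) => ({
      id: a.id,
      module: a.module_name,
      severity: a.severity,
      paths: (a.findings || []).flatMap((f) => f.paths),
      fix: a.patched_versions,
    }));
}

// Exit status for the CI step. A malformed or empty report fails closed (2):
// "could not verify" must not be mistaken for "clean" (0).
function auditExitCode(report, threshold = "high") {
  if (!report || typeof report !== "object" || !report.metadata) return 2;
  return findBlocking(report, threshold).length > 0 ? 1 : 0;
}

// Demo run over the constructed report at the "high" threshold.
for (const b of findBlocking(SAMPLE_REPORT, "high")) {
  console.log(`${b.severity}: ${b.module} via ${b.paths.join(", ")} (upgrade to ${b.fix})`);
}
console.log(`exit code: ${auditExitCode(SAMPLE_REPORT, "high")}`);
```

In a pipeline, pass the parsed output of 'npm audit --json' to auditExitCode and use its return value as the job's exit status; the threshold can be raised to "critical" or lowered to "moderate" per project policy.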
Apart from the security features, there are also a number of performance and workflow updates:
- npm v6 is up to 17x faster than the npm of one year ago.
- 'npm ci' is optimized for continuous integration/continuous deployment (CI/CD) workflows and runs almost 2x–3x faster.
- Webhooks are now configurable directly within the npm CLI.
- Packages can be more easily verified against tampering and corruption, with integrity metadata integrated more visibly.
- Teams can now more easily share reproducible builds, with automatic resolution of lockfile conflicts.