Verdaccio npm package

What makes Verdaccio a successful project?

Welcome to our brand new recurring post series, Project Spotlight, this time about verdaccio, where we share open source project insights, deep dive into the best parts of a project, and get to know the maintainers and contributors.

Today we’re welcoming Juan Picado, the maintainer of the open source email agent npm package verdaccio. We observed that verdaccio scores very high in terms of overall package health score on the Snyk Advisor verdaccio package page, and we want to drill down into the details of some of them with you.

What is verdaccio?

In a nutshell, Verdaccio is a lightweight private registry and proxy with no dependencies and zero configuration, built in Node.js. The application has some level of customization and is really simple to set up; if you have published a package at npmjs, you already know how to use verdaccio.

What are some interesting use-cases you’ve seen for the package?

The most common use case is hosting a private registry, which for small teams does not require many resources; any micro-size virtual machine in any SaaS is enough to cover most of the needs.

Verdaccio is really appreciated in the Open Source ecosystem; the main reason is that those projects do not need to rely on third-party services for testing publishing packages, real taste, privacy, and it adds an extra security layer that avoids any accidental leak going to public registries. A real example might be publishing several packages from a mono repository with the idea of testing the integrity of the final installation.

Having a registry is key to learning Node.js; creating modules and distributing them is part of the foundations of Node.js. What could be better than any developer being able to run their own registry in just a few seconds? That’s priceless for the many developers who are at the beginning of the learning path in Node.js.

Could you tell us about your role as a maintainer in the verdaccio project?

In 2016, Verdaccio was created based on a fork of a project named Sinopia; there were several debates about how the project would continue. I was a Sinopia user back then and really needed a registry for my own development, until the project was abandoned. I quickly noticed the potential of the idea for the community, and when I was actively contributing I got the ownership from the co-founders. At that moment there were 200 stars and only a few hundred downloads per week, Sinopia was still a thing, and my main goal was to onboard as many contributors as I could; it did work. Nowadays I am leading this project entirely in my spare time and my main goal is helping the Node.js community to grow. Verdaccio has more than 11,000 stars at GitHub and roughly 2 million docker pulls and 100,000 downloads at npm every month. The best way to support the project is via contributions, but we also enable you to donate to the project to help future development via GitHub sponsors: https://github.com/sponsors/verdaccio.

We flagged verdaccio as growing in popularity, gaining over 30,432 downloads a week. What do you think made it a successful project?

verdaccio package popularity graph

  • The simplicity, definitely. The learning curve for using verdaccio the first time is really low; just typing `npx verdaccio` is enough to have a registry running.
  • Users have a picture that a registry can be complex; verdaccio makes it simple.
  • JavaScript and Node.js popularity have an important role in the success; there is a need for privacy and security, and verdaccio provides both at zero cost.
  • Docker has been definitely the best way to reach many users.

What are your most favorite features of verdaccio?

My favorite is a feature named uplinks; this feature gives users a range of possibilities to connect with other registries. In combination with another feature named package access, a user can decide by package name pattern which uplinks should resolve a specific dependency, or even chain multiple uplinks until the package is resolved; no other product can achieve this by far.
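As an added example (constructed for this post, not taken from the interview or from the verdaccio project), here is a verdaccio `config.yaml` that combines the two features just described: two uplinks, a private scope that is never proxied, and a fallback chain for everything else. The `@acme` and `@shared` scopes and the internal registry URL are assumptions.

```yaml
# Constructed example config.yaml for verdaccio; scope names and the
# internal registry URL are placeholders, not values from the project.
storage: ./storage

uplinks:
  npmjs:
    url: https://registry.npmjs.org/
    maxage: 30m            # cache fetched package metadata for 30 minutes
  internal:
    url: https://npm.internal.example/   # assumed second, company-hosted registry

packages:
  # Company packages live only in this instance. With no "proxy" entry a
  # request for an unknown @acme/* name fails locally instead of falling
  # through to a public registry that happens to host the same name.
  '@acme/*':
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated

  # Shared libraries: resolve from the internal registry first, then npmjs.
  # Uplinks are tried in the listed order until one returns the package.
  '@shared/*':
    access: $authenticated
    publish: $authenticated
    proxy: internal npmjs

  # Everything else: read-only mirror of the public registry; anonymous
  # users can install but only logged-in users can publish.
  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs
```

Start the registry with `verdaccio --config ./config.yaml` and point a client at it with `npm --registry http://localhost:4873`; installing a non-existent `@acme/*` package should then fail rather than reach npmjs.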

What are the new features in the latest verdaccio release?

One of the latest features released is the possibility to display deprecated packages on the User Interface; thus, it is easy to communicate to users that some packages are unmaintained and they should stop using them.

Why do developers choose to use verdaccio?

I think developers like Verdaccio for its privacy, flexibility, simplicity and being free. Privacy because you do not need to share your code with third-party services; flexibility because the behaviour of the application can easily be changed; simplicity due to the low learning curve needed to use it the first time; and free because it is Open Source and anyone can contribute and make the project better.

Are there other projects that you see developers migrate from?

I’ve seen a tendency over the last years of developers moving from Nexus and Artifactory to Verdaccio; most Node.js developers do not need a big solution for publishing a package. If you are running a small company, freelancing, learning or just playing around, there is nothing simpler and faster than Verdaccio in the market.

What are good signals for the health of the verdaccio project in your mind? We flagged verdaccio as a healthy project and see a great commit trend and pull request action.

verdaccio package maintenance graph

Definitely providing a feeling of security. Any Open Source project depends on other projects, and it is a huge chain of dependencies. Their issues, improvements or breaking changes will affect you eventually. I update dependencies as often as I can, either manually or using automated tools. Their security patches also patch any sort of issue at Verdaccio, and fundamentally I do the same, so those who have this project as a dependency also take advantage of the good health of the project. Furthermore, we have channels for security policy reports, so anyone can report security vulnerabilities, which are a priority for maintainers.

What is the biggest challenge today, in being an open source project maintainer?

Time. Being a full-time paid Open Source developer is a chimera for me; only a few have been able to achieve that with full independence. Having a full-time job, family, personal hobbies and a normal life leaves you not much time for Open Source, so definitely time is the biggest challenge; sometimes you have 1 hour or less a day and you need to decide which task to prioritize. Not to forget other secondary tasks such as blogging, tweeting and promoting the project at conferences or meetups. It’s also important not to feel pressure about time; just enjoying the little that you get is really important.

It looks like verdaccio has a good track record of dealing with security issues in previous versions. How do you go about managing this security risk today with the recent 4.x branch?

verdaccio package security analysis

I’m not a security specialist; thus, I must rely on third-party services or security specialists that approach me and help me to understand and identify potential issues. Since the early days the Verdaccio team was invited to be part of the Snyk Open Source security program with Liran Tal; since then I have committed to be more responsible in this area, the project has received really good feedback on how to deal with security issues, and of course I am learning in the process.

Even before being part of that program I used the Snyk free service for Open Source projects, and getting instant feedback about available patches for security vulnerabilities via Pull Requests or emails helps to keep the project in good shape.

Daniel Ruf, a core team member, is a security specialist based in Germany; he joined the project due to his love for security and open source, and since the beginning he has been a really good inspiration for his commitment to security in Verdaccio.

Contributors also do their part: I’m approached via the official security policy, which is the SECURITY.md file in the master branch, once a vulnerability is detected, and following the procedures a patch is shipped as soon as possible. I have one single rule: security matters and I take it seriously.

What are your top 5 most favorite open source projects?

  • Yarn 2 (berry) is one of my favorites. The project is so well done, code-wise, plugin based, in its documentation and also in the good communication on how to migrate from classic to berry, a new concept that will change many things in the Node.js ecosystem.
  • Babel.js: I could not imagine development without it; I like to combine it with TypeScript, which allows me to live on the edge of JavaScript features.
  • pnpm: Future development at verdaccio is already based on pnpm, and I like the approach the project follows: easy to set up, monorepo support, fast, it covers all my needs, and saving hard drive space is key to me.
  • Pino.js: definitely the best Node.js logger available right now: fast, well documented and with a vibrant community.
  • Jest: I use Jest in every project I work on professionally; there is no doubt it is the most complete test runner, well maintained and fast at shipping features.

Best tip to get started as an open source contributor?

  • You must enjoy doing it; that’s the unique ingredient required to do Open Source. For me it is a hobby that allows me to learn and expand my comfort zone, and to help so many developers to learn and enjoy Node.js.
  • Don’t be afraid; the maintainers are not almighty gods who know everything in each field, they are humans who make mistakes and also learn. Starting small is a good way to jump into open source; eventually you will have good project context, get more responsibility at the project and become a maintainer, if that is what you are looking for.
Oren Hacohen
February 2, 2021