
Mastering Node.js version management and npm registry sources like a pro

Liran Tal, Juan Picado
August 28, 2019

As a follow-up to the 10 npm security best practices guide we published earlier this year, I’d like to explore further how to make it easier to switch between different Node.js versions and between different npm registries while working in a development environment.

Node version manager

When developing Node.js applications, you may need to install multiple versions of Node.js in order to handle your day-to-day tasks. This might happen, for example, if you need to solve a bug in production, or if you need to switch between projects. Doing this manually every single time takes a lot of effort, and there is a better way.

Node Version Manager (nvm) is a tool that allows the user to switch between different versions of Node.js, helping reduce overhead when reproducing production bugs in development environments.

The default installation is only supported on macOS and Linux environments. If you are a Windows user, check out nvm-windows, which should cover your needs. 

Using the CLI, you can install any Node.js version by running the following:


nvm install 8.9.4
nvm install node   # nvm install the latest release
nvm install --lts  # nvm install the latest LTS release

That was easy! Now let’s review some typical scenarios that show how NVM can help:

  • Sometimes, some team members might work with a different Node.js version than others on the same team. This is a common mistake and can get you into trouble, such as merging code that is not supported by the Node.js version used across the rest of the team. To enforce the version that all team members should use, the team can add an `.nvmrc` file.
    For example, from the project root:

    $ echo "10" > .nvmrc

    Once the file is in place, when a team member runs `nvm install`, it will always use the version listed in that file by default and prevent team members from contributing if using a different version. In this way, for instance, you avoid shipping any incompatible Node.js features or using syntax that might potentially break your app.
  • Need to reproduce a bug in an older or newer Node.js version than the one you have installed? Without NVM, having multiple instances of globally installed npm versions at one time is daunting due to manual installs. With NVM, however, just run another `install` command in order to run different parallel instances with different versions and you’re set. See the example below.

When you have installed multiple instances of Node.js, each with multiple global npm modules, you’ll need to re-install all of those modules over and over again, every time you change Node.js versions. 

Here’s a quick solution for that:

$ nvm install 10 --reinstall-packages-from=8
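
One way to back the `.nvmrc` convention described above with an automated check, for example as a CI step. This is an added example, not code from the original article, and the function names are hypothetical:

```javascript
// Added example (not from the original article): check that the running
// Node.js version satisfies the project's .nvmrc. Function names are hypothetical.

// Parse .nvmrc text. Numeric specs ("10", "v10.16", "10.16.3") become number
// arrays; aliases ("node", "lts/*", "lts/dubnium") cannot be resolved offline.
function parseNvmrc(text) {
  const spec = text.trim().split(/\s+/)[0] || '';
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(spec);
  if (!m) return { spec, alias: true, parts: [] };
  return { spec, alias: false, parts: m.slice(1).filter((p) => p !== undefined).map(Number) };
}

// Returns "match", "mismatch" or "unresolved" (alias or empty file).
function checkNodeVersion(nvmrcText, nodeVersion) {
  const want = parseNvmrc(nvmrcText);
  if (want.alias) return 'unresolved';
  const have = nodeVersion.replace(/^v/, '').split('.').map(Number);
  // Compare only the components written in .nvmrc, so "10" accepts any 10.x.y.
  return want.parts.every((n, i) => n === have[i]) ? 'match' : 'mismatch';
}

// Constructed sample inputs: [.nvmrc contents, value of process.version].
const samples = [
  ['10\n', 'v10.16.3'],
  ['10\n', 'v8.9.4'],
  ['v8.9.4\n', 'v8.9.4'],
  ['8.9\n', 'v8.10.0'],
  ['lts/*\n', 'v10.16.3'],
];
for (const [nvmrc, running] of samples) {
  console.log(JSON.stringify(nvmrc.trim()), running, '->', checkNodeVersion(nvmrc, running));
}
// In CI, pass the real file contents and process.version, and fail the job on "mismatch".
```

An "unresolved" result means the file uses an alias that only nvm can resolve, so treat it as a case for manual review, not as a pass.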

NPM registry manager

NPM Registry Manager is another useful utility to have on hand if you’re making use of several registries, which is a common situation when working in an enterprise, or if you’re using a tool such as verdaccio for personal use on a local private registry. With GitHub’s launch of their package registry this is even more useful and common.

NRM supports several registries out of the box, including:

  • npm: https://registry.npmjs.org
  • cnpm: http://r.cnpmjs.org
  • nj: https://registry.nodejitsu.com

With NRM, adding, removing, and managing registry settings as well as switching between registries is as easy as this:

$ nrm use cnpm
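
The registry list above includes an `http://` entry, so it is worth checking which registry npm is pointed at after a switch. The following added example (not from the original article; the allowlist, the `@acme` scope and the function names are assumptions) audits `.npmrc` contents for registries that are not HTTPS or not on a team allowlist:

```javascript
// Added example (not from the original article): flag registry settings in
// .npmrc text that use plain HTTP or a host outside an allowlist.
// ALLOWED_HOSTS and the function names are assumptions for illustration.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Extract `registry=` and `@scope:registry=` entries from .npmrc text.
function registryEntries(npmrcText) {
  const entries = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = /^((?:@[^:=\s]+:)?registry)\s*=\s*(.+)$/.exec(line);
    if (m) entries.push({ key: m[1], value: m[2].replace(/^["']|["']$/g, '') });
  }
  return entries;
}

// Return one finding per problem; an empty array means the config passed.
function auditRegistries(npmrcText, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const { key, value } of registryEntries(npmrcText)) {
    let url;
    try {
      url = new URL(value);
    } catch (err) {
      findings.push({ key, value, issue: 'not a valid URL' });
      continue;
    }
    if (url.protocol !== 'https:') findings.push({ key, value, issue: 'not HTTPS' });
    if (!allowed.has(url.hostname)) findings.push({ key, value, issue: 'host not in allowlist' });
  }
  return findings;
}

// Constructed sample: the state after switching to the cnpm entry listed
// above, plus a hypothetical scoped private registry.
const sampleNpmrc = [
  '; constructed sample .npmrc',
  'registry=http://r.cnpmjs.org/',
  '@acme:registry=https://npm.internal.example/',
].join('\n');

for (const f of auditRegistries(sampleNpmrc)) {
  console.log(`${f.key}=${f.value}: ${f.issue}`);
}
```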

For more npm security productivity tips, be sure to take a peek at our 10 npm security best practices guide cheat sheet.

Stay Secure!
