What makes Verdaccio a successful project?

Welcome to our spotlight on Verdaccio. Today we’re welcoming Juan Picado, the maintainer of the open source email agent npm package Verdaccio. We observed that Verdaccio scores very high in terms of overall package health score in the Snyk Advisor Verdaccio package page and we want to drill down into the details.

What is Verdaccio?

In a nutshell, Verdaccio is a lightweight private registry and proxy with no dependencies and zero configuration built in Node.js. The application has some level of customization and is really simple to set up, if you have published a package at npmjs you already know how to use Verdaccio.

What are some interesting use cases you’ve seen for the package?

The most common use case is hosting a private registry, which, for small teams does not require many resources. Any micro-size virtual machine in any SaaS is enough to cover most of the needs. 

Verdaccio is really appreciated in the open source ecosystem, the main reason of which is that those projects do not need to rely on third-party services for testing publishing packages and it adds privacy and an extra security layer that avoids accidentally any leak going to public registries. A real example might be, publishing several packages from a mono repository with the idea of testing the integrity of the final installation.

Having a register is key to learning Node.js, create modules, and distribute them as part of the foundations of Node.js. What could be better that any developer can run their own registry in just a few seconds? That’s priceless for many developers that are in the beginning of the learning path in Node.js.

Could you tell us about your role as a maintainer in the Verdaccio project?

In 2016, Verdaccio was created based on a fork of a project named Sinopia. There were several debates on how the project would continue. I was a Sinopia’s user back then and really needed a registry for my own development until the project was abandoned. I quickly noticed the potential of the idea for the community and when I was actively contributing I got ownership from the co-founders. At that moment, there were 200 stars and only a few hundred downloads per week, Sinopia was still a thing and my main goal was onboard as many contributors as I could, and it worked.

Nowadays, I am leading this project entirely in my spare time and my main goal is to help the Node.js community to grow. Verdaccio has more than 11,000 stars on GitHub and roughly 2 million Docker pulls and 100,000 downloads at npm every month. The best way to support the project is via contributions, but also we enable you to donate to the project to help future development via GitHub sponsors: https://github.com/sponsors/verdaccio.

We flagged Verdaccio as growing in popularity, gaining over 30,432 downloads a week. What do you think made it a successful project?

• The simplicity — definitely. The learning curve for using Verdaccio the first time is really low, just typing npx verdaccio is enough to have a registry running.

• Users understand that a registry can be complex. Verdaccio makes it simple.

• JavaScript and Node.js popularity have an important role in the success. There is a need for privacy and security and Verdaccio provide both at zero cost.

• Docker has been definitely the best way to reach many users.

What are your favorite features of Verdaccio?

My favorite is a feature named uplinks. This feature gives users a range of possibilities to connect with other registries. In combination with another feature named package access, a user can decide by package name pattern which uplinks should resolve a specific dependency or even chain multiple uplinks until the package is resolved. No other product can achieve this so far.

What are the new features in the latest Verdaccio release?

One of the latest features released is the possibility to display deprecated packages on the user interface, thus, it is easy to communicate to users some packages are unmaintained and should stop using them.

Why do developers choose to use Verdaccio?

I think developers like Verdaccio for its privacy, flexibility, simplicity, and being free. Privacy because you do not need to share their code with third-party services, flexibility because the behaviour of the application can easily be changed, simplicity due the low learning curve needed to use it the first time, and free because it is open source and anyone can contribute and make the project better.

Are there other projects that you see developers migrate from?

I’ve seen a tendency over last years developers moving from Nexus and Artifcatory to Verdaccio. Most Node.js developers do not need a big solution for publishing a package. If you are running a small company, freelancing, learning, or just playing around, there is nothing more simple and fast than Verdaccio in the market.

What are good signals for the health of the Verdaccio project in your mind? We flagged Verdaccio as a healthy project and see a great commit trend and pull request action.

Definitely provide a feeling of security. Any open source project depends on other projects and is a huge chain of dependencies. Their issues, improvements, or breaking changes affect you eventually. I update dependencies as often I can, either manually or using automated tools. Their security patches also patch any sort of issue at Verdaccio and fundamentally I do the same so those who have this project as a dependency also take advantage of the good health of the project. Furthermore, we have channels for security policies reports, so anyone can report security vulnerabilities which are priority for maintainers.

What is the biggest challenge today, in being an open source project maintainer?

The time, being a full-time, paid open source developer for me is a chimera. Only a few have been able achieve that with full independence. Having a full-time job, family, personal hobbies, and normal life leave you not much time/space for open source, so definitely time is the biggest challenge, sometimes you have 1 hour or less at day and definitely you need to decide which task to prioritize. Not to forget other secondary tasks such as blogging, tweeting, and promoting the project at conferences or meetups. It’s also important not to feel pressure about time, just enjoying the little that you get is really important.

It looks like Verdaccio has a good track record of dealing with security issues in previous versions. How do you go about managing this security risk today with the recent 4.x branch?

I’m not a security specialist, thus, I must rely on third-party services or security specialists that approach me that help me to understand and identify potential issues. Since the early days the Verdaccio team was invited to be part of the open source security program Snyk with Liran Tal. Since then I committed to being more responsible in this area, the project received really good feedback on how to deal with security issues, and of course learning in the process.

Even before being part of that program I’ve used Snyk free service for open source projects and getting instant feedback about available patches for security vulnerabilities via Pull Request or emails helps to keep the project in good shape.

Daniel Ruf, core team member, is a security specialist based in Germany, he joined the project due his love for security and open source and since the beginning has been a really good inspiration for his commitment about security in Verdaccio. 

Contributors also do their part, I’m approached via the official security policy, which is the SECURITY.md file in the master branch, once a vulnerability is detected, and following the procedures a patch is shipped as soon as possible, I have one single rule, security matters and I take it seriously.

What are your top 5 favorite open source projects?

• Yarn 2 (berry) is one of my favorites. The project is so well done, code-wise, plugin-based, documentation and also good communication on how to migrate from classic to berry, a new concept that will change many things at the Node.js ecosystem. 

• Babel.js: I could not imagine development without it, I like to combine it with Typescript which allows me to live on the edge of JavaScript features.

• pnpm: Future development at Verdaccio is already based in pnpm and I like the approach the project follows, easy to set up, monorepo support, fast, and it covers all my needs — and saving hard drive space is key to me. 

• Pino.js: Definitely the best Node.js logger available right now, fast, well documented and a vibrant community. 

• Jest: I use jest in every project I work on professionally. there is no doubt is the most complete test runner, well maintained, and ships features fast.

Best tip to get started as an open source contributor?

• You must enjoy doing it, that’s the unique ingredient required to do open source. For me, it is a hobby that allows me to learn and expand my comfort zone and help so many developers for learning and enjoy Node.js.

• Don’t be afraid! The maintainers are not almighty gods which know everything in each field. They are humans and make mistakes and also learn. Starting small is a good way to jump into open source. Eventually, you will have good project context, get more responsibility at the project, and become a maintainer (if that is what you are looking for).