What Does GitHub’s npm Acquisition Mean For Developers?



Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.

So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm has also had its moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.

What is npm?

Many Hackaday readers will be familiar with npm (Node Package Manager), one of the backbones of the open-source JavaScript community. If you’ve played around with any kind of web or JavaScript project recently, you’ve probably used npm to install and manage dependencies, with it currently servicing 75 billion downloads a month. It is the most popular package manager for JavaScript, and enables re-use and sharing of modules throughout the JavaScript community; it’s what’s responsible for the node_modules folder in your project munching all your disk space.

At its most basic level, npm lets you download and install JavaScript modules from the online registry, either individually (for example, by running npm install express) or from a package.json file, which lists all of a project’s dependencies. If you want to read more about how npm manages dependencies, and how its parallels with the Node module loader allow some neat simultaneous version loading, npm have written a nice explainer here.

npm is certainly not without criticism or competitors, but most developers are familiar with its basic use, and I think would agree that it’s played a vital role in the growth of the JavaScript ecosystem, whether that’s new frameworks, niche modules, TypeScript, polyfilling or testing.

What is its history?

npm was started in 2009, by [Isaac Schlueter], who details in a blog post his thoughts on the recent acquisition.

npm Inc is a company, not an entirely open-source project. It provides the open-source registry as a free service and charges a fee for private, commercial packages. It has previously been rumored that the company had trouble making ends meet from low-quantity, low-fee license sales.

As a business, it has previously received venture capital funding, and also brought in new executive management to attempt to dramatically increase revenues. Under new management, numerous employees were dismissed, with many claiming they were dismissed unfairly. Further employees resigned voluntarily, raising questions about company culture and the stability/longevity of npm. We hope that the acquisition by GitHub will relieve the financial pressure on the company and allow it to resolve these issues whilst serving the open-source community more effectively, under stable conditions.

Enter GitHub

In npm’s blog post, [Isaac Schlueter] talks about how an acquisition by GitHub has been on the cards for a while, even going so far as recounting asking the GitHub product lead [Shanku Niyogi] why on earth they hadn’t already bought npm.

Why did it seem so obvious? With the source for so many npm packages hosted on GitHub, and GitHub launching the moderately popular GitHub Packages, it seemed only natural that both could benefit from tighter integration. So what might we see in the future?

Many users of GitHub will be familiar with its automated security alerts for vulnerabilities. When your project contains a dependency that has had a security vulnerability disclosed, GitHub will send you an automated email/notification containing the level of risk, the affected code, and an automatically generated pull request which fixes the issue. This is a pretty neat feature, and this author has been glad of it on numerous occasions. While this works well in theory, in complex projects with many interdependent packages, I’ve found that the automated security fixes can sometimes awkwardly bump package versions without fully propagating through the dependency tree, requiring a lot of manual hassle to fix.

I’m very hopeful that this acquisition can bring about a security update experience with much tighter integration with npm, whether that’s making the automated updates more intelligent and frictionless for the developer, or making it easier for maintainers to disclose vulnerabilities and release automated GitHub patches faster. In GitHub’s blog post announcing the acquisition, they state their commitment to using the opportunity to improve open source security, and their aim to “trace a change from a GitHub pull request to the npm package version that fixed it”.

As far as GitHub Packages is concerned, the aim is to move all private packages from npm’s paid service to GitHub Packages, with the view of making npm an entirely public package repository.

Even with these obvious benefits in mind, there is still some uncertainty as to whether the move was driven and initiated by GitHub for these reasons, or whether it’s because of the value it provides to Microsoft as a whole instead.

What npm means to Microsoft

Microsoft’s appetite for open source is growing. It seems like yesterday that we wrote about Microsoft acquiring GitHub, and despite all the speculation on its future at the time, it only seems to have grown stronger with the extra resources available. Since the acquisition, we’ve notably seen the release of free unlimited private repos, GitHub Security Lab and GitHub Actions, all welcome and overdue features that have been well-received in the open-source community. GitHub mobile apps for iOS and Android have also been released in the past few days, attracting a few raised eyebrows for not being open source.

A cynic might say that acquiring npm is a cheap way for Microsoft to win some sentiment from the open-source community, and of course that may be a factor, but the move will have technical benefits for them too. Microsoft are increasingly big users of JavaScript, and are invested in the ecosystem. Notably, they created TypeScript, and they need a stable and solid package repository as much as any group of developers.

It’s yet to be determined whether npm will have any integration with any of Microsoft’s offerings, or if it’s purely of use to GitHub. At this stage, it’s hard to say, though it’s telling that GitHub announced the move along with their strategy, whilst Microsoft has stayed quiet on the topic.


I don’t think anyone can deny that the open-source JavaScript development experience has the potential to become significantly smoother when the largest source repository becomes more integrated with the largest package repository. It remains to be seen how these improvements are implemented, whether they’re made available for public/private users, and how kind they’ll be to open-source competitors, but only time will tell.



Cellular Tracking Used During COVID-19 Pandemic



As most in the technology community know, nation states have a suite of powerful tools that can be used to trace and monitor mobile phones. By and large, this comes up in discussions of privacy and legislation now and then, before fading out of the public eye once more. In the face of a global pandemic, however, governments are now using these tools in the way many have long feared – for social control. Here’s what’s happening on the ground.

The Current Situation

With COVID-19 sweeping the globe, its high contagiousness and rate of hospitalizations have left authorities scrambling to contain the spread. Unprecedented lockdowns have been put in place in an attempt to flatten the curve of new cases and give medical systems the capacity to respond. A key part of this effort is making sure that confirmed cases respect quarantine rules and isolate themselves to avoid spreading the disease. Rules have also been put in place in several countries requiring all overseas arrivals to quarantine, regardless of symptoms or status.

“According to an epidemiological investigation you were near a corona patient on 06/03/20. You must immediately enter a home isolation by 20/03/20 to protect your relatives and the public. If you have fever, cough, etc. call A-101. Learn more at the link” – An Israeli government text message. Source: @kann_news

In order to achieve this, Israel has begun to use cellular devices to track suspected coronavirus cases. Using technology initially developed for counterterrorism purposes, Israeli authorities can monitor the movements of individual citizens. If a citizen is detected as having spent 10 minutes or more within 2 meters of an infected person, they are sent a text message instructing them to self-isolate until a particular date. While a very effective method of tracing possible infection contacts, it also shows the incredible granularity of the data available to Israel’s Shin Bet intelligence agency. With this capability, it would be trivial to track phone users for enforcement purposes, too.

South Korea has also been actively tracing citizens’ mobile phones. Public health organisations have sent out texts detailing the recent movements of infected people, revealing intimate details of their citizens’ private lives. In one ridiculous case, a woman who had supposedly sustained serious injuries in a recent car accident was noted to be travelling to weddings and restaurants, leading to a grilling by TV reporters after she was identified by internet users.

Iran tried a more obvious method, asking users to install an app that promised to help diagnose coronavirus symptoms. It secretly leaked users’ live location data, and once this was public knowledge, it was promptly removed from the Play Store for breaking Google’s Terms of Service. This method is quite transparent to even a moderately technical user, and stands out for this reason. Of course, this does not mean that Iran doesn’t have more serious capabilities behind the scenes for cellular tracking, but it does raise questions as to why such a blatantly obvious approach would be attempted.

A screenshot of a Chinese website used to determine whether individuals have travelled to disease hotspots.

China has dealt with COVID-19 longer than anyone, and is heavily experienced with domestic surveillance technologies. An independent source has confirmed this technology is being used for access control to buildings. At entry points, individuals scan a QR code which takes them to a phone provider’s website. Entering their details, the user is shown a record of their location in the last 14 days. If they have avoided disease hot zones, they’re granted admittance to the facility.


The ideal democracy governs with the consent of the people. While people might object to the invasion of their privacy like this in normal circumstances, they may be willing to make this tradeoff in times of peril. It’s not clear that any of the above-mentioned countries attempted to obtain their citizens’ consent.

What stops governments from using these same domestic spying powers after the health crisis ends? Oftentimes, even if it’s not used in the mainstream, intelligence organisations that operate in the dark can get away with using such tools with impunity, even in violation of the country’s own laws. We know that many have been doing so for years. If anything, it serves as a useful reminder to the public that no mobile device can be considered secure from nosy government actors.

Looking Ahead

It’s important to remember that cellphone-based tracking systems come with a major caveat. Those who don’t wish to be tracked always have the option of simply not carrying a cellular device. There are currently no nation states that enforce the carrying of a mobile phone, and so the best way to dodge such tracking is to simply opt out of the technology altogether. In this modern era, anyone making such a decision is giving up a lot, and it’s not one that can be made lightly. For some, though, it’s no option at all – where phones are used for access control to buildings, it’s hard to avoid. In China, for instance, a corona-tracking function has been tied into Alipay, the most popular pay-by-phone app, and some cities require a green light on a cellphone to use public transportation.

World governments have shown their hand, making it clear to the public that they have an immensely powerful and threatening technology at their disposal, and that they’re willing to use it without consent. While it is currently being employed in service of public health, the potential ramifications are plain to see. It may prove difficult for citizens to win back civil liberties that have been suspended in the current quarantine. Time will tell.



New iPad Pro security feature cuts the mic when you close the case



  • Apple introduced a new security feature on the 2020 iPad Pro that disconnects the microphone at a hardware level when an MFi-compliant case is attached and closed.
  • This iPad Pro feature keeps microphone data from being collected by any software on the tablet.
  • The hardware disconnect was first introduced on MacBook models in 2018.
  • Visit BGR’s homepage for more stories.

Two weeks ago, Apple revealed a brand new iPad Pro model via a press release on its website. The iPad’s unveiling likely would have been part of Apple’s spring event, had it happened, but the coronavirus pandemic made sure to put a stop to that. All in all, the 2020 iPad Pro isn’t a massive departure from its predecessor — internally, everything has been upgraded, but the design is mostly the same, save for a refreshed camera array on the back.

But it turns out that not every feature of the new iPad was disclosed in the original press release. This week, 9to5Mac spotted an update to the Apple Platform Security guide which reveals that new iPads, including the latest model, have a hardware feature that ensures the microphone disconnects when the case is closed.

Here’s the full update from Apple’s website explaining the hardware security feature in detail:

All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures the microphone is disabled whenever the lid is closed. On the 13-inch MacBook Pro and MacBook Air computers with the T2 chip, and on the 15-inch MacBook Pro portables from 2019 or later, this disconnect is implemented in hardware alone. The disconnect prevents any software—even with root or kernel privileges in macOS, and even the software on the T2 chip—from engaging the microphone when the lid is closed. (The camera is not disconnected in hardware, because its field of view is completely obstructed with the lid closed.)

iPad models beginning in 2020 also feature the hardware microphone disconnect. When an MFI compliant case (including those sold by Apple) is attached to the iPad and closed, the microphone is disconnected in hardware, preventing microphone audio data being made available to any software—even with root or kernel privileges in iPadOS or in case the firmware is compromised.

As 9to5Mac notes, this feature was first introduced on MacBook models with the T2 security chip in 2018. This is the first instance of Apple porting the feature to its line of tablets. It’s also incredibly timely, as many of us are using every electronic device with a camera or a microphone in our homes right now for hours on end every day to communicate with coworkers, friends, and family members. Knowing that the microphone will be automatically disconnected as soon as the case has been shut (providing you have a compliant case) should ease some anxiety.

While this feature can only be found on the 2020 iPad Pro and future iPad models, there were a few notable security improvements in the iOS 13.4 and iPadOS 13.4 releases last week, such as Data Vaults that protect data stored in third-party apps and temporary sessions for iPad users that vanish when the user logs off.



Potential coronavirus vaccine shows hope in mouse study



A researcher at the University of Pittsburgh works on a COVID-19 vaccine candidate (Reuters)

Initial tests in mice of a potential COVID-19 vaccine delivered via a fingertip-sized patch have shown it can induce an immune response against the new coronavirus at levels that might prevent infection, U.S. scientists said on Thursday.

Researchers around the world are working to develop potential treatments or vaccines against the respiratory disease that has killed nearly 47,000 people and infected almost a million in just a few months.

A team at the University of Pittsburgh School of Medicine in the United States said they were able to move quickly in developing a potential COVID-19 vaccine after working on other coronaviruses that cause Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

‘These two viruses, which are closely related to SARS-CoV-2 (the new coronavirus causing the COVID-19 pandemic), teach us that a particular protein, called a spike protein, is important for inducing immunity against the virus,’ said Andrea Gambotto, an associate professor at Pittsburgh.

‘We knew exactly where to fight this new virus.’

When tested in mice, the prototype vaccine – which the researchers have called PittCoVacc – generated what they described as ‘a surge of antibodies’ against the new coronavirus within two weeks.

The Pittsburgh researchers cautioned that because the animals have not been tracked for very long as yet, it is too early to say whether and for how long the immune response against COVID-19 lasts.

But they said that in comparable tests in mice with their MERS experimental vaccine, a sufficient level of antibodies was produced to neutralize the virus for at least a year.

Researchers have tested a prototype of the vaccine on mice (Getty Images)

So far, the antibody levels of the SARS-CoV-2 vaccinated animals seem to be following the same trend, they said in a peer-reviewed study in the journal EBioMedicine.

The team said they hope to start testing the vaccine candidate on people in clinical trials in the next few months.

The potential vaccine uses a needle-patch design, called a microneedle array, to increase its potency.

This array is a fingertip-sized patch of 400 tiny needles made out of sugar and the spike protein, Gambotto explained. It is designed to deliver the spike protein pieces into the skin, where the immune reaction is strongest.
