2021 npm Year‑End Review: Major Releases, Supply‑Chain Attacks, and Future Outlook

The article reviews npm’s 2021 milestones—including the official release of npm 7.0 with performance gains and new features—while highlighting a wave of supply‑chain attacks on popular packages, discussing the rise of Corepack, and offering a forward‑looking perspective on the ecosystem’s challenges and opportunities.


2021 saw npm reach a pivotal point with the official launch of npm 7.0, first announced in 2020. The release brought major changes: a 46% reduction in internal dependencies, a 17% increase in code coverage, automatic installation of peerDependencies, support for yarn.lock and the package‑lock v2 format, and workspace management for monorepos.

At the same time, npm became an increasingly attractive target for supply‑chain attacks. Notable incidents include the event‑stream compromise that introduced a Bitcoin‑mining backdoor via the flatmap‑stream dependency, the malicious injection into the widely‑downloaded UAParser.js package, and the hijacking of the coa library used by many React projects.

Other alarming trends were highlighted, such as the discovery of an empty package named Runkit that silently appears as a dependency in over 100 other packages, and the emergence of deliberately malicious placeholder packages that can be inadvertently installed.

In response to these security concerns, the Node.js team introduced Corepack as an experimental built‑in CLI to manage package managers (npm, yarn, pnpm, cnpm) without manual installation, signaling a shift away from npm as the default package manager in future Node.js releases.

The article also touches on broader ecosystem issues, including the financial struggles of major frontend tooling projects like Babel, the need for sustainable funding models, and the growing importance of alternative tools such as Vite and SolidJS.

Looking ahead to 2022, the author anticipates continued rapid growth of modules and developers, warns of potential npm outages, and encourages the community to stay vigilant against supply‑chain threats while exploring newer package managers like pnpm and yarn 2+.

Performance improvements in npm 7

Automatic peerDependencies handling

yarn.lock and workspace support

Supply‑chain attacks on event‑stream, UAParser.js, coa

Introduction of Corepack in Node.js 16.9

Calls for better funding of open‑source tooling

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by HomeTech (HomeTech tech sharing)