Scaling npmmirror.com to 58B Downloads: cnpmcore Architecture & Insights
This article details how Ant Group's npmmirror.com handles massive traffic with a distributed backend, introduces the open‑source cnpmcore registry, explains its bug‑versions safety features, migration strategies, and how enterprises can customize the service using TypeScript, tegg and DDD principles.
Introduction
Zero1, a Node.js engineer at Ant Group and maintainer of npmmirror, shares the current status of npmmirror.com and the newly implemented enterprise‑grade package management service cnpmcore.
npmmirror Overview
npmmirror.com is an npm mirror hosted on Alibaba Cloud, providing free, high‑speed npm registry services for Chinese front‑end developers. It originated from npm.taobao.org and has evolved from a combined web + registry service to a pure registry service, reflecting Node.js technology progress.
Monthly download volume has reached 5.8 billion, a hundred‑fold increase since 2017, with peak CDN traffic of 4 GB/s and 7 K QPS. The service stores the full npm package set (~26 TB) and relies on CDN, multiple ECS instances behind SLB, OSS for file storage, a database for metadata, and Redis for caching.
cnpmcore Features
cnpmcore, the open‑source engine behind npmmirror, adds private package publishing, multi‑registry synchronization, and an emergency bug‑versions mechanism. It is designed to be easy to extend, so enterprises can customize it.
Bug‑Versions (Emergency Rollback)
Automatically roll back to a non‑buggy version during installation.
Override unsafe install scripts.
Auto‑upgrade to a safe Node version.
These capabilities ensure safe npm dependency installation.
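One way a registry can implement the first capability, rolling back a flagged version at install time, is to rewrite the package metadata it serves. The TypeScript below is an added example, not cnpmcore's code; the type names, the advisory map shape, the deprecation text and the sample data are all assumptions.

```typescript
// Added illustration. Type names and the advisory shape are assumptions,
// not cnpmcore's API. All sample data is constructed.
type VersionMeta = { version: string; dist: { tarball: string; integrity: string }; deprecated?: string };
type Packument = { name: string; versions: Record<string, VersionMeta> };
type Advice = { version: string; reason: string }; // replacement version and why
type BugVersions = Record<string, Record<string, Advice>>; // package -> flagged version -> advice

function applyBugVersions(doc: Packument, advisories: BugVersions): Packument {
  const forPkg = advisories[doc.name];
  if (!forPkg) return doc; // nothing flagged for this package
  const versions: Record<string, VersionMeta> = { ...doc.versions }; // never mutate the stored copy
  for (const flagged of Object.keys(forPkg)) {
    const advice = forPkg[flagged];
    const bad = doc.versions[flagged];
    if (!bad || !advice) continue; // flagged version is not present in this registry
    const notice = `[WARNING] Use ${advice.version} instead of ${flagged}, reason: ${advice.reason}`;
    const good = doc.versions[advice.version];
    // Swap only when the replacement exists and is not itself flagged.
    versions[flagged] = good && !forPkg[advice.version]
      ? { ...good, version: flagged, deprecated: notice } // replacement's dist under the flagged number
      : { ...bad, deprecated: notice }; // no safe target known: warn only
  }
  return { ...doc, versions };
}

// Constructed sample: 1.0.1 is flagged and should resolve to the 1.0.0 tarball.
const samplePackument: Packument = {
  name: "example-lib",
  versions: {
    "1.0.0": { version: "1.0.0", dist: { tarball: "https://registry.example/example-lib-1.0.0.tgz", integrity: "sha512-AAAA" } },
    "1.0.1": { version: "1.0.1", dist: { tarball: "https://registry.example/example-lib-1.0.1.tgz", integrity: "sha512-BBBB" } },
  },
};
const sampleAdvisories: BugVersions = {
  "example-lib": { "1.0.1": { version: "1.0.0", reason: "constructed example advisory" } },
};
const patched = applyBugVersions(samplePackument, sampleAdvisories);
console.log(patched.versions["1.0.1"]?.dist.tarball, patched.versions["1.0.1"]?.deprecated);
```

Because the whole `dist` object is copied from the replacement, the tarball URL and its integrity value stay consistent with each other, so a client's integrity check still passes.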
Stability and Reliability
To guarantee a high sync success rate, cnpmcore implements a persistent task queue that uses the database for durability and Redis sorted sets for ordered execution, with a state machine that retries each task until it succeeds.
Registry Migration
Migration from cnpmjs.org to cnpmcore takes a single synchronization step for public packages. Private packages require automated sync across multiple registries, with scoped configuration controlling which packages are migrated.
Extending cnpmcore (Secondary Development)
cnpmcore is written entirely in TypeScript using the tegg framework and follows Domain‑Driven Design (DDD). It separates concerns into an access layer (HTTP registry), a domain layer (models like Package), and an infrastructure layer (cloud‑agnostic components). Developers can replace modules (e.g., switch from Alibaba OSS to AWS S3) without altering core logic.
Security auditing is facilitated by domain events that broadcast all registry changes, allowing custom listeners to log operations for compliance.
Performance bottlenecks can be addressed non‑intrusively by leveraging tegg’s AOP features to add caching via Redis and invalidate caches through domain events.
Conclusion
The presentation demonstrates how npmmirror.com scales to massive traffic, how cnpmcore enhances functionality and reliability, and how enterprises can customize and extend the registry to meet internal needs.
Alipay Experience Technology
Exploring ultimate user experience and best engineering practices
