Today npm Enterprise becomes hugely more extensible and powerful with the release of npm Enterprise add-ons.
It’s now possible to integrate third-parties’ developer tools directly into npm Enterprise. This has the power to combine what were discrete parts of your development workflow into a single user experience, and knock out the barriers that stand in the way of bringing open source development’s many-small-reusable-parts methodology into larger organizations.
npm Enterprise now exposes an API that allows third-party developers to build on top of our npm Enterprise product:
With this deceptively simple functionality, developers can offer a huge amount of value to enrich the process of using npm within the enterprise.
Enterprise developers already want to take advantage of the same code discovery, re-use, and collaboration enjoyed by millions of open source developers, billions of times every month. But this requires accommodating their companies’ op-sec, licensing, and code quality processes, which often predate the modern era.
For example…
In the past, it was possible to manually research the security implications of external code. But with the average npm package relying on over 100 dependencies and subdependencies, this process just doesn’t scale.
Without a way to ensure the security of each package, a company can’t take advantage of open source code.
Software that is missing a license, or that’s governed by a license unblessed by a company’s legal department, simply can’t be used at larger companies. Much like security screening, many companies have relied upon manually reviewing the license requirements of each piece of external code. And just like security research, trying to manually confirm the licensing of every dependency (and their dependencies, and their dependencies…) is impossible to scale.
Enterprise developers need a way to understand the license implications of packages they’re considering using, and companies need a way to certify that all of their projects are legally kosher.
Will reported bugs be patched quickly? Is the code written well? Do packages rely on stale or abandoned dependencies? These questions demand answers before an enterprise can consider relying on open source code.
Without a way to quantitatively analyze the quality of every code package in a project, many enterprise teams simply don’t adopt open source code or workflows for mission-critical projects.
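To make the scaling problem above concrete, here is an added example (not npm's code and not any add-on's) that walks a constructed, package-lock-style dependency tree, counts how many transitive dependencies a handful of direct ones pull in, and flags every package whose license is missing or not on a legal department's allow list. The package names, versions, licenses and the allow list are all made up for the illustration.

```javascript
// Added example: audit a nested dependency tree the way package-lock.json
// nests "dependencies". Nothing here is npm's own code.

// Constructed sample lockfile fragment (hypothetical packages and licenses).
const LOCK = {
  name: 'acme-app',
  dependencies: {
    'left-widget': {
      version: '1.0.0', license: 'MIT',
      dependencies: {
        'tiny-util': { version: '0.2.1', license: 'ISC' },
        'old-parser': {
          version: '0.0.3', license: 'GPL-3.0',
          // the same tiny-util appears again one level deeper
          dependencies: { 'tiny-util': { version: '0.2.1', license: 'ISC' } }
        }
      }
    },
    'report-gen': {
      version: '2.3.0', // no license field at all
      dependencies: { 'no-license-lib': { version: '1.1.0' } }
    }
  }
};

// Hypothetical allow list a legal department might bless.
const ALLOWED_LICENSES = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0']);

// Depth-first walk: every (package, version) occurrence, with the path that
// introduced it, so a finding can say *why* a package is in the tree.
function walk(node, path = [], out = []) {
  for (const [name, meta] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${meta.version}`];
    out.push({ name, version: meta.version, license: meta.license, path: here, depth: here.length });
    walk(meta, here, out);
  }
  return out;
}

// Summarise the tree and list license findings, one per unique package@version.
function audit(lock, allowed = ALLOWED_LICENSES) {
  const entries = walk(lock);
  const unique = new Set(entries.map(e => `${e.name}@${e.version}`));
  const seen = new Map();
  for (const e of entries) {
    const pkg = `${e.name}@${e.version}`;
    if (seen.has(pkg)) continue; // report the first path that pulled it in
    if (!e.license) {
      seen.set(pkg, { pkg, reason: 'no license declared', via: e.path.join(' > ') });
    } else if (!allowed.has(e.license)) {
      seen.set(pkg, { pkg, reason: `license ${e.license} not on allow list`, via: e.path.join(' > ') });
    }
  }
  return {
    totalEdges: entries.length,                       // every occurrence in the tree
    uniquePackages: unique.size,                      // deduplicated package@version
    transitive: entries.filter(e => e.depth > 1).length, // not directly depended on
    findings: [...seen.values()]
  };
}

console.log(JSON.stringify(audit(LOCK), null, 2));
```

On the constructed tree two direct dependencies already pull in four transitive ones, and three packages would need a human decision: one copyleft license and two packages with no license declared. A real lockfile with the 100-plus dependencies the post mentions makes the case for automating this check rather than reviewing it by hand.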
Our three launch partners, Node Security Platform, FOSSA, and bitHound, address these concerns, respectively.
You can learn about the specifics of each of them here:
By integrating them directly into the tool that enterprise developers use to browse and manage packages, we make it as easy as possible to scratch enterprise development’s specific itches. As more incredible add-ons join the platform, the barriers to open source-style development at big companies get knocked down, one by one.
The Node Security Platform, FOSSA, and bitHound add-ons are available to existing npm Enterprise customers today. Simply contact us at support@npmjs.com to get set up.
If you’re looking to bring npm Enterprise and add-ons into your enterprise, let us show you how easy it is with a free 30-day trial.
Interested in building your own add-on? Awesome. Stay tuned: API documentation is on its way.
The movement to bring open source code, workflows, and tools into the enterprise is called InnerSource, and it’s the beginning of a revolution.
When companies develop proprietary code the same way communities build open source projects, then the open source community’s methods and tooling become the default way to build software.
Everyone stands to benefit from InnerSource because everyone stands to benefit from building software the right way: open source packages see more adoption and community participation, companies build projects faster and cheaper without re-inventing wheels, and developers are empowered to build amazing things.
Add-ons are an exciting step forward for us. We’re thrilled you’re joining us.