npm and the Future of JavaScript

Captions
Hi, I'm Laurie Voss. I'm the CEO and co-founder of npm, Inc. My job title right now is CEO, but don't take it too seriously; they just needed to give me a title because I'm a co-founder and that one happened to be available. What I am is a web developer. I've been a web developer for 22 years, and that's what I think about, that's what I care about, and that's sort of what I'm talking about today. I'm talking about npm and the future of JavaScript. Those two things are closely related these days, because where JavaScript goes affects what npm does, and these days what npm does kind of affects what JavaScript does.

So this talk is going to have three parts. First, I'm going to tell you what you should know about npm. There's a bunch of essential npm features, some of which are pretty new, and a lot of people haven't heard about them yet, so I'm just going to go through them quickly. Then I'm going to tell you what npm knows about you. We do a lot of research, we have a lot of data, we do a bunch of surveys. We know stuff about JavaScript developers that JavaScript developers don't necessarily know about themselves. It's hard to know, if you're a JavaScript developer, whether something is genuinely popular or is just getting a ton of hype, and we know, so we can tell you, and that should help you make some technical choices. And finally I'm going to talk about the future of JavaScript, which is a very dangerous thing to do, because who the hell would have thought five years ago that this is where we would be today? But nevertheless I'm going to go out on a limb and make some predictions to try and help you make technical decisions about what is going to happen in the near future with JavaScript.

So let's get started. The first thing that you should know about npm is that these days npm is ridiculously popular. npm has more than 10 million users, and they download nearly 6 billion packages a week. We think about 85% of all the people who write JavaScript are already using npm, and that is rising rapidly to 100%. There are always going to be a couple of holdouts, but at this point nearly everybody who is using JavaScript is using npm to do it. And that's even more amazing because by some measures JavaScript is the most popular programming language in the world right now. It is the biggest language on GitHub by a long way, and 70% of people in Stack Overflow's survey of developers this year said that they program in JavaScript. So if you put those two numbers together, and you believe those numbers, which you might not necessarily, that means something like over 50% of all working programmers use npm today.

The next thing is that npm is being used everywhere JavaScript is being used, and JavaScript is being used everywhere. People are building websites in JavaScript, obviously. They're also building server-side applications in Node. But people are doing robotics and IoT in JavaScript, because it turns out JavaScript is just kind of easy to do, and all these people are using npm to do it. All of those fields have npm in them as well, which is why npm's growth is so big. This is not just the growth of web development or the growth of Node; it's the growth of that and robotics and every other framework that happens in JavaScript. These all contribute to this ridiculous amount of growth at npm.

So npm is the package manager for all of JavaScript, but above all npm is for web developers. 93% of npm users say that they are writing code for the browser; 70% of them also say that they are writing code for the server. So it's not like it's entirely a web browser thing, but it's a huge shift in how we think about ourselves. The N and the P and the M in npm stood for "node package manager" (don't ask Isaac), but that's what we thought of ourselves as when we started the company, and that's not what we are now. npm is the way that people put websites together, and we've had to change how we think about ourselves, and we've had to change how npm works to reflect that. 97% of the code in a modern web app is downloaded from npm. You, as the application developer, only write the final 3%. All of the interesting parts are the final 3%, and all of this giant pyramid of stuff that you're standing on top of comes from npm.

The current version of npm is 6. If you are still on version 3 or 4, which 40% of you are, then you are woefully behind, and it is time to upgrade. Those are the instructions. It will take you 30 seconds. Well, it won't take you 30 seconds if you're using version 3; it'll take you like five minutes. Don't do it right now, though, because I'm using the Wi-Fi. The big reason to move to version 6 of npm is that version 6 of npm is 20 times faster than version 4 was. That is not a typo: it is 20 times faster. If your build takes 20 minutes right now, it will take 30 seconds using npm 6. You should really try that out.

Is it faster than Yarn? More accurately, all the package managers are about the same speed now, because of a triumph of how open source works. The makers of pnpm and Yarn and npm all got together and created an online community so that they could talk about building package managers, which it turns out quite a few people are doing, and that place is called package.community, which is a URL these days because it's 2018. And the result was that all of these package manager makers, cooperating with each other, made all package managers faster, and they made them all faster by roughly the same amount. So now they're all basically the same speed. They're all much faster than they used to be, but they're all about the same speed. Sometimes npm is a little faster, sometimes Yarn is a little faster, but it's never so much faster that you'd notice anymore.

But being faster is probably the least exciting thing to happen in npm recently. The biggest change is that npm 6 locks by default. That was one of the big features people liked about Yarn, and it is a good idea, because you all have trees that have an average of a thousand modules each in them, and so the semver drift in a thousand modules is pretty huge. So you want to lock it down and make sure that what you've got in your development environment is exactly what gets deployed to production. That is what package-lock does, and it just happens by default, and you don't need to think about it.

Another small change, but a nice one, is that you don't have to type --save anymore. If you just npm install something, it's automatically saved into your project, because you were installing it, so you probably wanted to keep it. If you didn't want it, you can uninstall it. I don't know why that wasn't the default the whole time.

npm 6 also introduces something called npm ci. This is an alternative way of calling npm install that works particularly well in continuous integration environments. Continuous integration environments have some specific features that meant we could throw out a bunch of logic that existed in normal npm installs, and the result is that npm ci is twice as fast as a normal npm install. So if you're upgrading from npm 4 and you're using npm 6 and you run npm ci, it was 20 times faster and then it got twice as fast again, so it's 40 times faster. You should really be getting on that, is what I'm saying.

So as npm has got bigger,
security has become an even bigger concern for us. Earlier this year npm acquired Lift Security. That was new: we've never acquired anybody before, and that felt like a grown-up-company thing to be doing. The first thing that we did was incorporate the Node Security Platform directly into npm itself, and the result has been a bunch of new features that we're super happy with.

The first of our security features is two-factor authentication. You can set it so that a package can be published with 2FA and only with 2FA, so that you know that even if somebody steals your credentials, nobody can pretend to be you and publish a malicious package while pretending to be you. We're going to talk about that more later, because you're thinking of a specific package right now.

In May we launched quick audits. When you run npm install and you download a bunch of packages these days, you will automatically get a bunch of messages on your console that will tell you whether or not the packages that you are installing are secure. At the moment we decided that we're not going to stop you installing insecure packages, because there's some sort of line to be drawn between convenience and security, but eventually we should probably do that, right? If we know you're installing something that's broken, we probably should stop you. This works in nearly every version of npm, but in npm 6 the security warnings are going to be more detailed and more useful. These quick audits, obviously, because they're happening by default, are happening a lot, and they're turning out to be super popular. We do about three and a half million quick audits every week. The stats around these audits are not great right now. 11% of the scans that we run reveal that somebody is installing packages that have a critical vulnerability in them. That is the kind where you are supposed to drop everything and fix it immediately. And 37% of them have a high vulnerability. We don't necessarily know, if you're installing a package with a high vulnerability, that your code is vulnerable, so don't run to Twitter and go, "oh, 37% of web apps are vulnerable now." 37% of web apps are using a package that has a high vulnerability in it. They might not be using it in an insecure way. But if they're using ones with a critical vulnerability in them, it's hard to use them in a non-dangerous way. Those 11%, those people are probably in trouble, and we should talk to them.

Fortunately, fixing all of that stuff just got a lot easier, because running npm audit will give you a detailed report about your web app: the vulnerabilities that exist in your app, how severe they are, and often what to do about them. And often the answer, when you need to tell somebody how to fix their insecure web app, is that you just tell them: you should upgrade from this insecure version that you're using to the secure version. Generally, by the time somebody has reported an insecure version of a package, that's because they found out about it and so they fixed it. So nearly all insecure packages have a secure version that you can upgrade to, and the way that you do that is to run npm.

So if npm is the thing telling you to run npm, why doesn't npm just run itself and fix it for you? That's exactly what it does now. npm audit fix: not only will it download and install all your packages for you and tell you if they're insecure, it will fix them for you if it turns out that they are insecure. It will just magically get that right. It's amazing. I don't know when we turned from being a thing that downloads stuff and puts it on your hard drive for you to a thing that fixes your software for you, but you're welcome. By default it will only bring in semver-compatible changes, so it will bring in stuff that it thinks doesn't break your software. But you shouldn't trust us; you should be running your tests anyway. But if there are breaking changes that come in, you can force it to bring in the breaking changes as well with --force. Then you should definitely be running your tests, because it is definitely going to break you. But it's better to be secure than broken, right?

Another big change in npm recently is that we shut down our GitHub tracker. npm is one of the world's largest open source projects, and while we love GitHub, the issue tracker was just not scaling to meet our needs. It was becoming kind of a vortex of sadness, where people would throw issues and we couldn't find them because there were 10,000 of those bastards and there was nothing we could do. So now we have a Discourse. It's npm.community, which is also a URL, because 2018. It's sort of a combination of an issue tracker and a forum. You can help each other, and you can also see what feature development is being done, and you can track where progress is going. It's in general just a million times better than using GitHub issues for this kind of thing, so you should head over there and check it out.

Another new npm feature in npm 6 is npx. This is a convenient little side program that lets you run any command on the registry as if it was already installed on your computer, without you having to download and install it. This is super useful for commands that you just use once in a while and that you don't want hanging around on your computer all the time. So you can do npx create-react-app, and it will download and install create-react-app, it will run create-react-app, it'll create your React app for you, and then it will tidily delete itself and vanish back into the ether, leaving you with only a React app and not this annoying tool hanging around. npx has a ton of features. I've given a whole talk that is just about the stuff that you can do with npx, so you should absolutely check it out.

As you can tell, I could go on and on and on about all the features of npm, because I work on it all day and we're super
happy with it. There are a few quick ones I didn't mention: you can get your own scope for free, you can get an open source organization for free, you should be using run scripts to save you time, and you can use npm init to standardize your application setup. If you're not familiar with any of those things, now is the time to Google them, but I'm not going to talk about them today.

The one last thing I am going to talk about, because people keep asking, is how does npm make money? Are you some kind of charity? We had a super fan come to visit us the other day. He is a super fan: he follows us on Twitter and is constantly up in our Instagram (why do we have an Instagram?). He loves us, and one of his first questions was, "wow, this office is really nice, how does the charity afford this?" Oh, come on, no, we're a company. The registry costs millions of dollars a year just to keep up and running, just the servers and bandwidth. So we are a company because only a company could generate enough revenue to keep the registry going and growing the way that it does. We earn money by selling certain services and goods that people like: private packages and security services. You should really look into them, but this talk is not going to be about plugging them.

So it's time to move on to what npm knows about you. First off, how do we know all of this stuff in the first place? There are two big ways. First, every time you download stuff from npm, you hit our servers and request stuff from us, so we know what computer you're coming from, what operating system you are on, what version of Node and what version of npm, and what packages you were downloading, because that's what you were doing. And we also just asked you directly. We ran a survey at the end of last year. We asked 16,000 people what they're doing with JavaScript and how they feel about npm and a whole bunch of other stuff, and they just told us, because you're all nice. And 16,000 responses to a survey gets you some very interesting data. I don't know how much you care about data, but I care about data. Getting an N = 16,000 survey is like Christmas morning, which is funny, because it happened on Christmas morning: we ran it from December through January. So the results are fascinating.

But first I want to try a party trick. I just wrote this talk and I've never done it before, so I have no idea if this is going to work. This could be cool or it could be super embarrassing. I would like everyone to stand, if you can. I'm going to say some things about you, and if those things aren't true you can sit down again. So first, stay standing if you use npm. Good. Stay standing if you write JavaScript in a browser. You write JavaScript. That didn't work. You're concerned that maybe the open source code you use isn't always secure. You mostly taught yourself JavaScript; you didn't learn it at a bootcamp or at school or anything. Okay, that was all what I was expecting. Now it's going to get tricky. In addition to JavaScript, you also write PHP or Java sometimes. Still a bunch of you standing. You work at a company that doesn't really consider itself a tech company. You started using npm less than two years ago. Still got most of you. Not most of you. You're using webpack and Babel. You are writing React, using TypeScript. I've still got some people. Look at all that stuff we knew about you. Isn't that cool? So there you go, we know a bunch of stuff about you. You can all sit down now. That is how much stuff we know about you. I could go down a zillion other paths about that, but that is how much stuff we know about you.

I went through it all really quickly, so let's go back and explore that stuff a little bit. As we said earlier, most people are using npm to build websites. 70% are also writing server-side JavaScript, and 81% of you primarily use JavaScript at work. So you're not just doing it as a
hobby project. This is the thing we run into with investors: "ah, JavaScript, for hobbyists." No, no, everyone is doing it at work. None of this is going to be a surprise to most of you.

The other finding is that npm users aren't only writing JavaScript. That was kind of a surprise. Nearly a third of you write Java, and another 30% of you write PHP. Python, C#, and Go are also popular. Many npm users don't really consider themselves JavaScript devs at all. They use npm to get stuff done, and they write some JavaScript, but they consider themselves primarily some other kind of developer, and JavaScript is just this thing that they do because you need to build a website, and how do you build a website without writing JavaScript? So that was surprising, but it probably shouldn't have been, because we know that the programming language that you pick is determined primarily by the libraries available in that language. The reason we know that is because somebody did an academic study about it. Why do people pick programming languages? Is it the language features? Is it performance? Is it the language that they're already familiar with? Is it the thing that their office picks for them? No. The primary predictor of what programming language you use is: is there a library in this language that will help me do the specific thing that I'm trying to get done? Because we're lazy. It turns out that laziness is our primary predictor. It turns out that we will do whatever we can to not have to write some code, as programmers, and that's exactly what the data says. People are picking JavaScript because the libraries in npm help them get stuff done, and there are 750,000 libraries in the npm registry now, and so that is an enormous number of things that can help you get stuff done. So you would expect that 750,000 libraries would have people bending over backwards to be able to use them, and that's exactly what we're seeing, right? There's this huge pile of tooling and these annoying frameworks you have to put up with, and you are putting up with them because delicious, delicious libraries are just sitting there waiting to be incorporated so you don't have to write anything. My favorite part of this is that there's a sad 15% of people who say they don't like what language they use. Those people are mostly Ruby developers, it turns out.

Another important finding is how big a concern security is to most users in the registry. 77% said it was, and even more concerningly, 52% of people said that the existing tools for testing whether or not the open source libraries they were using were secure were not adequate. Half of people are like, not only does this suck, I can't do anything about it. That was bad news for us. So that's why we've been adding all of these security features, because the data said that we should.

So now would be a good time to mention npm Enterprise. I promise this is the only other plug in the talk. If you're a big company and you're worried about the security of your JavaScript: first off, good idea, it is scary out there, and secondly, we can help you with that. The npm Enterprise service will give you your own registry on your own domain that you can point everybody at, and suddenly you know exactly where all of your code is coming from, and you can keep the nasties out, and you can get reports about what nasties did get in, plus a bunch of other great security features. But like I said, I'm not really here to plug npm.

Another thing we learned is that 45% of npm users also use Yarn, and the "also" there is important. Nearly everybody who uses Yarn also uses npm sometimes; very, very few people only use Yarn. And that's okay. Like I said, Yarn is some excellent open source work; we collaborate with them; it's fantastic. I used to say, as long as you're using the npm registry, and Yarn uses the npm registry, I don't care which tool you use. I don't say that anymore. The thing that people really liked Yarn for was the speed. 71% of people who use Yarn said that the speed was the thing that brought them to it. And now they are the same speed, but what npm has is two-factor auth and security audits, and it's safer. That's what we've been putting all of our energy into this year, and so I can say with my hand on my heart (I am biased, but not just because I'm biased) that npm is a safer tool to use than Yarn, and 77% of you say that you care about that, so you should probably be using npm. These links are a blog post about a company that moved from npm to Yarn and stayed on Yarn for like 12 months and then decided that they hated Yarn and moved back to npm, and they wrote that tool at the bottom, which lets you migrate a Yarn project back to npm. If that's what you want to do, you can get these slides, you can get that link, and you can check it out.

There are a few more interesting demographic facts about npm users. One is that npm users are mostly very new. I did that in the intro: if you've been using it for less than two years. About half of the people who use npm have been using it for less than two years, which is interesting, because only about a quarter of people have been using JavaScript for less than two years. So a bunch of people have been using JavaScript and are still only just finding out about npm. npm is still inhaling this huge wave of people who are embracing modern JavaScript.

We also looked at whether npm users tend to work at a particular size of company or in any particular industry. We got a negative result, but if you're a statistician, negative results are also interesting. About half of npm users work at companies of less than 50 people, and that sounds big, but actually that's just the distribution of companies. Most companies are under 50 people; half of companies in the US are less than 50 people, and that's where you work. We've got a similar negative result with the industry: 45% of our users say that they work in tech and the other 55% say that they don't. But where is the line for a tech company? Is Google a tech company? Because if you're asking people at Google what industry they work in, people at Google work in advertising, and they also work in media, and some of them work at a car company. So what is a tech company anyway? The results were strange.

So that's who we are. That's all of the demographic information that I've got about you. But what I promised you is information to help you make technical choices, and for that we need to look at the tools that you use. We have a great deal of information about what tools you use, but before I get into that, I should say that one of the things about developers is they get really passionate about their tools, passionate in a sort of good and bad way. If I tell people that their tool is unpopular and they really like that tool, they tend to get really defensive and angry at me, and I'm like, I'm just reading numbers; this is just stats on the screen; don't yell at me. I don't have a dog in this fight. I'm not saying your framework is bad; I'm just talking about relative popularity. If you want me to tell you that your framework is bad, that is what the after-party is for.

So before I show you these anger-making graphs, let's put this in context. This is how the registry grows. I showed you this graph already; I want to show it to you again. I want you to bake it into your mind, because these numbers are going to be weird to look at if you're not thinking about the context of a registry that grows 10% month on month for everything. The registry has grown 11,000% in the last four years. So the fact that the registry is growing means that new users are constantly showing up. There is just a firehose of new users all the time, which means that every package in the registry grows month on month in absolute terms. Even the shittiest packages are constantly getting
new users, because there are just so many new users and they're all just bumping into the walls: "oh, this thing deletes my files, that's great, I want one of those." Every package in the registry is just growing out of control.

See that line at the top? That's Express. Express is bedrock to npm; practically everything that people build with Node involves Express. This is a graph of Express using the metric that I'm about to show you. We call this metric the share of registry. It is not how absolutely popular Express is. Express's absolute popularity goes like that, but Express's relative popularity, relative to all the other packages in the registry, is going like that, because there are so many other packages in the registry right now, and Express is a really old package. Express used to be 1.5% of all npm downloads all by itself, and now it is 0.1%. 0.1% sounds like not very much, but it is 4.8 million downloads a week. 0.1% of npm downloads is winning the lottery if you are a package author. So it is just relatively less popular, and all of our metrics are going to use this graph. It shows how the packages are growing relative to each other, not relative to the absolute number of users.

So first let's take a look at some front-end frameworks, starting with the oldest, which is Backbone. As you can see, back in 2013 everybody was using Backbone, but basically nobody uses Backbone now. And by basically nobody I mean 250,000 people a week, right? It's collapsed in popularity, but npm is like this, and so 250,000 people a week are still using Backbone despite the fact that nobody uses Backbone anymore. The thing that you can see here, more than anywhere else, is a pattern of how a framework dies. Very few people switch frameworks, especially within the life of a project. They keep all the frameworks around, and they build new stuff in the new frameworks, and then they slowly retire the old software. So frameworks don't fall off a cliff; they just have a half-life. They slowly decay, getting smaller and smaller and smaller. That is how packages become unpopular. So nobody's writing new software in Backbone, but lots of people are maintaining existing Backbone projects. Hands up if you are maintaining an existing Backbone project. There you go, you're all at the back. Sorry about that.

So now let's look at React. React is goddamn running away with the web right now. 60% of respondents to our survey said they were using React. 60% of npm users, and there are a lot of you, say that you're using React. That is some huge usage and some impressive growth, but it's not runaway growth. That's the interesting thing about this graph, right? It's not going like that; it's going like this. What's up with that? Why does React seem to be slowing down a little bit? Is that temporary? Is it going to pick back up next year? Let's look a little bit further. One obvious thing to check is whether React's growth is being slowed by people adopting Preact instead. Preact is a drop-in replacement for React which has all the same features but is much, much faster, because they dropped support for slightly older browsers. Is Preact sucking up React's users? Is that what's going on? It's certainly growing super fast; you can see that in the first graph. But relatively, it is the red line at the bottom of the second graph. It's not actually going to be that big in absolute terms.

So we should probably look at where Angular is. Angular is an extremely popular framework. Back in January, about 40% of users said that they use Angular. This is where my math gets hazy, because 60% said React and 40% said Angular, so that should be about two-thirds as many, but our graph doesn't say that. Our graph says about half as many people are using Angular. So who's lying? Is my graph lying or are the numbers lying? There's probably some haziness here. Lots of people who use Angular use it in enterprise environments, and they have internal registries or something. That might be why Angular appears to underreport itself. The Angular community certainly came up with a bunch of reasons. They were not happy with me telling them that their framework was not popular, so I am not going to say that, certainly not in public, ever again. I don't actually have enough data to be sure of that, because all I have is this graph of downloads, and that's not reliable. What I do have is one data point of asking people, and next year I can ask people again, so next year I will know for sure, because either more or fewer people will tell me that they're using Angular. But right now all I can say is that downloads peaked in 2017 and are beginning a slow decline.

Ember is an unusual story. Ember was pretty popular in 2015, and then it had sort of a rough patch, but in 2017 and 2018 it's making a comeback, and that's unusual. I've never seen a framework do that before; I've never seen a framework turn around a decline. That's strange, it's unusual, but it seems like some really healthy growth. Now, in January about 4% of npm users reported using Ember, but now you can expect that number to be about doubled, at about 8%. Roughly as popular as Ember right now is Vue, but Vue has a very different growth story: Vue is just taking off. So if I had to guess why React's growth is slowing down, I'd say it looks like it's going to Vue. I think that's probably where the newbies are going. I don't have a perfect picture; there are a zillion other frameworks that could be doing this, but this is what it looks like to me. Now, does this data suggest some technical choices for you? I think it probably does, but I'm not going to get into them right now. Instead I'm going to go into some more data, and we're going to do the predictions all at the end.

So let's talk about the React ecosystem. React is a way of making components that share state. There are a lot of applications that do that kind of stuff, and we use React
to do it. There are mobile apps and desktop apps and rich web apps, but rich web apps have an additional requirement, which is that they need to map URLs to specific pieces of functionality. If you're building a mobile app in React, you don't need to do that; if you're building a web app, you do. So React Router is a separate package that lets you do the routing, and much like React itself, React Router grew quickly and has now leveled off. But the interesting thing there is that React Router has about half as many users as React itself, because the two are decoupled, and it is one of the triumphs of React that they managed to successfully decouple those functions. One of the reasons React is so popular is because the makers of React decided, we are going to solve one problem only: we're going to make a really great component library about state, and we are not going to bother with all of the other stuff that the other frameworks deal with. That means that the choices that they made, when they were good, got to succeed on their own merits, and the choices that they made that were bad failed on their own merits, and they all failed and succeeded separately. So React is more than twice as popular as React Router because there are lots of React apps that don't need a router.

And speaking of React's decoupled model, let's look at Flux. Flux was released by Facebook at roughly the same time that React was. Flux was how Facebook thought that you were going to use data in a React app; it's how Facebook uses data in a React app. And it turns out that nobody likes it. It turns out that the very second there was something that could compete with Flux, people abandoned Flux en masse, and that thing is Redux. As you can see, as soon as Redux started taking off, Flux started collapsing, because it turns out people like Redux better. It's a way of managing state in your application that's more ergonomic. Redux and React Router track each other, because they're a very popular combination; they almost go up and down when they each go up and down. MobX is a competitor to Redux that had a promising start, and nobody seems to care about it anymore. And then there's RxJS. I confess I do not know what is going on here. RxJS is another state management system. It competes with Flux and Redux. It is growing at bewildering speed. It is currently more popular than React itself. And how is that possible? How can a thing that works with React be more popular than React? It's because it doesn't only work with React; it works with other things as well. The Angular CLI uses RxJS to manage state within the Angular CLI, so all of Angular's users are also using RxJS. But this growth is weird. This growth is so fast for such a package, it's so big, that there has to be something else going on, so I'm probably going to have to do more research here.

I mentioned GraphQL earlier. GraphQL, like RxJS, started in React land and expanded. It is red hot right now. There are two big libraries for using GraphQL: they are Apollo and Relay, but as you can see, Apollo is taking the cake. Apollo is the one that is taking off, and Relay is just sort of doing okay.

So far I've spent a lot of time focused on front-end things, because, like I said, 93% of you, but 70% of you were also doing back-end things, so let's talk about back-end things for a little bit. Over in back-end frameworks there's really just one thing happening, which is Express. Everybody's using Express. All of the other ones don't even show up relative to Express; it's just tremendously popular. What if we took Express out of the picture? What does everybody else look like? In blue you can see Koa. Koa is a sort of spiritual successor to Express, written by the same people, who have sort of matured as developers and changed their preferences about things. It's bouncing along. It's not getting a lot more popular in relative terms, but remember, not getting more popular in relative terms means that in absolute terms Koa is growing like this, right? Anything that's looking flat on this graph is actually going like that in absolute terms, so Koa is doing very, very well.

Sails, as the name suggests, is a straight-up port of Ruby on Rails to Node, and as the name suggests, this seemed like a good idea at the time. As people get more comfortable with server-side JS, they are looking for frameworks that are more sort of idiomatically JavaScript-y, and that seems to be weighing on Sails. People are not using Sails as much anymore because they want stuff that is more JavaScript-y.

hapi is a framework that npm used to use. We recently switched to React for our own website, and in the blog post about that switch we made the tremendous mistake of mentioning that one of the reasons we switched is that we didn't like hapi very much, or rather we didn't like some of the design choices made by hapi, and that made the designer of hapi very angry. He sent me some vicious emails. Oh my goodness. So I'm never going to say that in public again. As you can see, hapi's growth is relatively flat, which means that in absolute terms it's doing very well.

And then there's a bit of an oddity, which is Next.js, from the makers of Zeit. Next.js is a sort of kitchen-sink framework for React. So if you like React but you wanted something that does everything for you, like Angular or Ember does, you can try out Next.js. It'll set up the router and the build chain and all of the pain-in-the-ass tooling for you, and I really like this idea. So why does the graph make it look like it's not taking off? It is taking off. The reason it looks strange is because "next", the package, used to be a different package. They adopted it from somebody else whose package was in decline, so if you only look at it since Zeit took it over, you can see that Next.js is actually growing really, really nicely.

So how is everybody doing so far? I've just been throwing numbers and graphs at you for 20 minutes now. Is everyone doing okay? Excellent. All right, I'm going to try a thing now
everybody on this side of the line is team a everybody on this side of the line is team B let me hear it from team a team B team a team B right I'm not gonna use that for anything it's just to wake you up so I talked to ton about frameworks but a big part of what people use NPM for is to help with their build chain and their tooling like everything else there's some fascinating data here and I'm gonna dig into it because you know awake again because people started shouting and you were like oh my god I should stop checking my email people are shouting the first thing to know about tooling is that everybody hates it everybody wishes there was less tooling everybody wishes there was less configuration everybody wishes the documentation was better people are kind of pissed off about having to do this tooling in the first place and the only reason you put up with it is 750000 delicious delicious libraries that's what keeps you coming back despite them having to set up all of this stuff that you hate first of all what kind of tooling do you use 85% of us use web frameworks of some kind that's compared to the 93 percent doing front-end so eight percent of you were just rolling your own good jobs 74 percent of us are using transpilers 69 percent nice are using linters 67 percent are using bundlers 58 percent are using CSS preprocessors and 58 percent are also using testing frameworks so let's break that out because that is all interesting frameworks in general not web frameworks just all frameworks expresses of course at the top then reacted in the everlasting jQuery followed by angular and then a surprise appearance by electron 24% of you are building electron apps that is much bigger than we thought it was electron is being used to build desktop apps and mobile apps and it is hugely popular hands up if you're using electron for something there you go it's about a quarter of you isn't that weird you don't think of yourself as being like this big chunk of the JavaScript 
community but you're a quarter of the JavaScript community these days electron is a massively popular project and then this view and Cohen backbone won't die pre-act happy next hands up if you use meteor in the room anyone using meteor in the room once okay it's still there apparently and then ember Brown and now let's look at transpilers transpose the tools to translate other languages into JavaScript the most popular one is of course Babel which is mostly translating JavaScript into other forms of JavaScript with the biggest ception which is GS x which is j sx is not part of javascript but at this point it sort of feels like it should be because everyone's using react and everyone's using it and it seems to be written in JavaScript all the time why doesn't JavaScript have JSX as a first-class feature maybe the standards body should get on top of that CoffeeScript is clinging on and Allen closure scripts in there but the big surprise is typescript 46 percent of you are using typescript that is much bigger than we thought it was going to be that was a huge surprise half of people in JavaScript aren't writing JavaScript anymore they're writing typescript what the hell is that I'm seeing two people would type script things on their on their shirt so you weren't surprised so typescript for the other half of you is it's a form of sort of built in testing it adds types which helps large teams work together by having a sort of built-in check that you're doing things correctly Microsoft launched typescript with its own package manager and the community got pissed off with them and rebelled they were like just put them in NPM we do not want to have to run to package managers this sucks so Microsoft took their advice which is very new Microsoft of them but also like new Microsoft they didn't ask first they just launched typescript 2.0 one day and said hey all of the packages are an NPM now we were like what so now in addition to its job as being the package manager the 
package manager for all of JavaScript NPM is the official repository of all typescript types which is not a job we asked for but thanks Microsoft it's cool we have all sorts of special logic in the registry to deal with when typescript decides that it's going to publish an update to the types package and it publishes 5,000 packages in the same second it was like okay we're gonna line you up and do you one at a time in your own special build queue so that the rest of NPM doesn't grind to a halt when that happens linters as 70% of you know our tools that will tell you if your code is nice they will check for obvious errors and they will flag they will flag or even correct coding styles for you they're super popular and by far the most popular is yes lint and you may have heard about es lint recently because there was a security incident with the eslint very very recently like a week ago eeeh slit-like most open sources maintained by a group of volunteers and those volunteers are mostly very experienced developers with professional development habits so nearly all of them had it enabled to factor off on their npm accounts but one of them had not one of them was using a simple password and even worse they had used that password on another website before that other website got compromised and somebody got that list of compromised passwords and tried it out on NPM and it works and suddenly they had access to publish es lint one of the most popular packages on the registry the thing that they did with that package is they published a version of es lint that if you downloaded and installed it it would steal your npm credentials so that the attacker could then publish stuff is you this is a nightmare scenario right because like if he can if the attacker can get your credentials then they can publish back - this is you creating more compromised packages which can then compromise more people could have created a runaway effect kind of a disaster scenario but what actually 
happened is that people noticed really really quickly within 30 minutes of people noticing we'd taken down the offending package an NPM security audits were warning everybody that this was happening and the result was that as far as we can tell and we are still double-checking very very seriously nobody else got compromised apart from the official first official developer because the community landed on it so fast and so hard and like they took down the paste bin and they yelled at everybody like NPM as its own is his own immune system we also reset the login tokens of everyone prior to the incident because we couldn't tell which tokens had been stolen so all of the tokens prior to last week are destroyed so if your builds aren't working that's why but this is why NPM is taking security so seriously this is why I talked about all of the security features because the bigger we get the more show up and the more show up the more somebody is likely to do something evil and malicious just for kicks so now it is possible to enforce 2fa on a package you can say not only am I going to only publish this package or 2fa nobody else who has access to this package can ever publish it unless they also have 2fa enabled the eslint folks would have benefited from that feature last week but at least it exists now and you have to use the NPM 6 to do this so that's another very good reason to upgrade but back to our tooling stats bundlers are things that take your JavaScript and pack it up into a single files that it can be delivered and run on a browser they are essential to react in the other frameworks so 67% of you are using them because you know 60% of you are using react and then there's another 7% on top that are using it for other stuff except 80% of people report themselves as using webpack which means that more people then know what a bundler is are using webpack they didn't know how to answer the previous question but if we ask them if they're using webpack they're like yes 
yes I'm using that thing 20% of you are using browserify and 10% are using roll-up and finally in the stats let's look at testing frameworks a great deal of you are using mocha jasmine is also very popular gest is understandably popular given its ties to react and how popular react is but sitting up there at number 3 is none come on 21% of you can't be bothered to do any testing at all surely we can do better and that brings me to another interesting part of this data which not only can you do better the data says that you will do better we first noticed this effect when we started looking into security practices we noticed how we looked at how developers approached security and we split them up by how long they had been a developer and there was this really great linear progression the longer you've been doing javascript the more likely you are to care about security and we discovered that this was true for nearly everything that people would consider a best practice so this is just comparing the most experienced group with the least experienced group there was a clear line across the groups in all of these cases so bundling linting various security practices they all increase in a nice smooth linear way the longer you've been doing stuff so they all that says is that the more the more experienced you get the better you will get it as a developer the data says it the data says that this is what you do so you will get better at security the data says you're going to this was particularly evident in security only about 58% of the newest devs use security features of any kind but in the most experienced group it's 85% and you can get yourself into the yes group by just upgrading to NPM six right if you have great two NPM six you can say yes I use security scans because they happen every time I install whether I wanted to want them to or not so thank you all for being so patient we're nearly at the end I'm massively over time I think we come to the future of 
JavaScript this is the part where I must make the predictions that I said that I was going to make at the beginning how am i doing for time yes I'm actually over time all right this is the part where you can take pictures of me standing in front of a slide where I make a prediction that turns out to be wrong that's what these are for exactly that is what predictions are for predictions are for making me look like an idiot so the biggest prediction I can make and the month and the one most likely to be accurate is that nothing lasts forever backbone was once dominant and it is now an afterthought jQuery which gave web development so much power let's all hear it for jQuery it was wonderful jQuery has been superseded which is not a thing we ever thought would happen any framework or tool that exists today has a heyday measured in a handful of years like three to five that's about how long any if any individual framework is going to stay popular then they're gonna have this long lingering afterlife where they slowly slowly degrade so don't cling too tightly to your tools that's the first thing that you can get from this don't be the person using jQuery in 2018 because there's so much better now on the front-end frameworks I'd it would be unwise to bet against react certainly for the next few years react has a ton of users and more importantly react has a ton of modules as I said before language choice is driven by the libraries available people put up with all of this crap tooling stuff because they love the libraries in NPM and react creates reusable components of that you can use in your web app so if react gets this right if react fulfills the promise like there's a there's a module in NPM built by a friend mine called react color you just install it and you've got a color picker in your app you've got the UI and the UX and the JavaScript and everything and it just works it's amazing that is the dream of react just download and install chunks of your app so you 
don't have to write them if react gets that right react will create the same self-reinforcing cycle where you know react people will adopt reacts to be able to use these components that will make them rank more components which will make more people show up and react will have the same kind of runaway growth that NPM did if react gets that right react will be unstoppable I'm not going to predict that it will however it might not make it but if it does it will go forever and the reason I don't predict that it will because we've already seen react is kind of slowing down what's up with that is it view view certainly has momentum could it just be that react while very flexible is not flexible enough to cover 100% of web development news cases that might well be it it might well be that there is no single framework that is going to be good enough to build every webpage in the world in it and that react is just sort of hitting the ceiling of how popular possibly be I would certainly predict that I would certainly predict that there is no framework that is going to win we're not all going to end up writing one framework forever but in the meantime what should you do react has the users and that's a big deal when it comes to picking a framework you want to be where everybody else is because they will fix the bugs for you they will write the tutorials for you they will answer your questions on Stack Overflow if that's where everybody else is it's a safe place to be angular has the support of Google and it is popular in the enterprise especially among people running Java on the back end if Google continues to support it it's never going to go anywhere right like it's just gonna stick around forever so angular is a safer but less interesting choice than react view has the momentum it is going places it is definitely the new hotness will it have the staying power it is too early to tell I wouldn't bet on it down ember has a bit of everything ember has a fair number of users 
it's got good corporate support it's recently gotten some new momentum I would take a look at it and if it seems nice to you I have no problem with you using ember I would not you know recommend against you easy thing ever and keep an eye on neck j/s like I said I would bet on react and next jest is react but with all of the pain removed so I think next year's is a really good idea so if you're looking to something to get your mind around something new to learn I predict a graph QL is about to be huge there are whole startups are built around graph QL people are getting funding and built around graph QL now and it has some real advantages if you build api's you should be luke you should be investigating graph QL and finding out if graph QL is going to help you build that API faster or better when it comes to bundling transpiling and nothing I predict that you will do them because as you gain experience the data says that you're more likely to do them if you're not doing them already webpack seems likely to keep bundling for the next little while yes Lin is almost certainly going to keep it sold on lending and Babel is probably going to be the transpiler you all use but don't forget about typescript that was a shocker if you haven't looked at typescript and if you're not sure that type scripts for you 46% of people seem to think it's adding some values their lives so it's probably worth looking at these days one obvious question coming out of that prediction is what happens to NPM if people stop writing JavaScript and the answer is nothing because that already started years ago and you didn't even notice a big percentage of the modules on NPM have native code in them so you use them in your java scripts but they're actually in there you're downloading and installing a c code which is compiling itself a bunch of them are written in es6 which isn't really Java Script yet react is written in is react is written in es6 es6 doesn't run in a browser react can't run in a 
browser by itself it trans files itself before it runs in your browser and you didn't even notice that probably that react is written in not JavaScript and one of the most exciting developments on this not javascript front is was OMA or web assembly to the rest of us web assembly lets you write in any language like compiled languages like c and rust and trans file them into JavaScript except it's not just JavaScript it's not JavaScript like babel does java scripts not just other javascript it's a special subset of JavaScript that can run as fast as native code so the promise of wiesen is you can run rust and you can put it in a browser it will run just as fast if you were actually running rust on your desktop that is super exciting that promises to be a way to give web apps native like web performance and the best part is that it's already here watson pack is a tool from mozilla that lets you write code and rust and compile it to Azzam and then publish it to npm there are already some packages up there some of which you might already be using that are actually writing native code and running it in your browser and you're using it in your javascript without even knowing that that's what you were doing that could be where NPM ends up going everybody is still using NPM but javascript is no longer the lang there and that brings me to my other big prediction which is no matter what end what happens NPM is here to stay if JavaScript stay big stays big or if we all end up writing rust in the browser whatever happens the huge pile of delicious delicious libraries is going to keep us on npm every new system is going to be backwards compatible with the old ones and we're not gonna leave those libraries behind because they're too good there's no way we're leaving them behind so no matter what happens to JavaScript NPM will still be the way that you build the web I've been doing web development now for 22 years and it has always thrilled me and no time lesson right now the 
stuff that we can do on the web is amazing and wonderful and the tools that we can use to make it our ad hoc and partially finished and kind of a mess and my final prediction and biggest prediction is that's how it's always gonna be we remake the web so quickly that it's never done that's how you can tell that the web is growing and popular is that it's never stayed still long enough for us to catch up and finish writing the documentation it's always people racing ahead where the rest of us going oh god we have to use that new tool now that's why the web is exciting because it's never ending and it's never changing so I hope that you stick with it for the next twenty two years and thank you very much [Applause]
Info
Channel: Coding Tech
Views: 19,185
Rating: 4.910543 out of 5
Keywords: npm, javascript, js, es6, web development, node.js, software development
Id: Qa4dxW-Qi2s
Length: 55min 0sec (3300 seconds)
Published: Wed Oct 03 2018