NodeSource’s Certified Modules service, intended to ensure the safety of NPM modules, becomes generally available on Thursday.
The company is curating every package in the NPM registry, including each published version of those packages, and will tell users which are acceptable to use. Users can whitelist modules that do not meet the certification criteria, for example a package with a nonpermissive license; a whitelist entry is an explicit override, so the gate is only as strong as the discipline applied to that list.
NodeSource applies a scoring algorithm in its certification process, checking aspects such as licenses, security vulnerabilities, and code quality. Soft factors, such as a package being unnecessarily large or having weak documentation, lower the score, while a known security vulnerability or a nonpermissive license blocks certification outright. Certified Modules will be a fee-based service, with pricing starting at $1,000 per month for up to 50 users. Accessing the service requires changing a single line in the user's NPM configuration so that installs resolve against a per-user registry of modules, and that registry is rechecked automatically going forward rather than certified once at a point in time.
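The article describes a gate with two kinds of criteria (hard blockers versus score deductions) and a per-user whitelist that can override a failed certification. The Python below is an added illustration of that structure and is not NodeSource's scoring code, which the article does not publish; the license list, the size threshold, the documentation threshold, the deduction weights, and the sample packages are all assumptions constructed for the example.

```python
"""Hypothetical model of a package-certification gate (added example, not
NodeSource's algorithm).  Hard criteria block certification; soft criteria
only reduce the score; a version-pinned whitelist can override a block."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Assumed policy constants; the article names the criteria, not the values.
PERMISSIVE_LICENSES = frozenset({"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"})
MAX_UNPACKED_BYTES = 5 * 1024 * 1024   # assumed "unnecessarily large" threshold
MIN_README_WORDS = 100                 # assumed "weak documentation" threshold
SIZE_DEDUCTION = 20                    # assumed weight
DOCS_DEDUCTION = 15                    # assumed weight


@dataclass(frozen=True)
class PackageVersion:
    name: str
    version: str
    license: str
    unpacked_size: int
    readme_words: int
    known_vulns: Tuple[str, ...] = ()   # advisory identifiers, if any

    @property
    def key(self) -> str:
        return f"{self.name}@{self.version}"


@dataclass
class Verdict:
    certified: bool                     # passed every hard criterion
    allowed: bool                       # certified, or explicitly whitelisted
    score: int
    blockers: List[str] = field(default_factory=list)
    deductions: List[str] = field(default_factory=list)


def evaluate(pkg: PackageVersion, whitelist: FrozenSet[str] = frozenset()) -> Verdict:
    """Apply hard blockers first, then soft deductions, then the whitelist."""
    blockers: List[str] = []
    deductions: List[str] = []
    score = 100

    # Hard criteria: either one prevents certification regardless of score.
    if pkg.known_vulns:
        blockers.append("known vulnerabilities: " + ", ".join(pkg.known_vulns))
    if pkg.license not in PERMISSIVE_LICENSES:
        blockers.append(f"nonpermissive license: {pkg.license}")

    # Soft criteria: weaken the score but do not block.
    if pkg.unpacked_size > MAX_UNPACKED_BYTES:
        deductions.append(f"oversized ({pkg.unpacked_size} bytes)")
        score -= SIZE_DEDUCTION
    if pkg.readme_words < MIN_README_WORDS:
        deductions.append(f"weak documentation ({pkg.readme_words} words)")
        score -= DOCS_DEDUCTION

    certified = not blockers
    # The whitelist is keyed on name@version, so a new version of an
    # overridden package goes back through the gate instead of inheriting it.
    allowed = certified or pkg.key in whitelist
    return Verdict(certified, allowed, max(score, 0), blockers, deductions)


# Constructed sample packages; names and advisory IDs are invented.
SAMPLE = {
    "clean": PackageVersion("example-util", "2.1.0", "MIT", 40_000, 450),
    "vulnerable": PackageVersion("example-parser", "0.9.3", "MIT", 60_000, 300,
                                 known_vulns=("EXAMPLE-2017-0001",)),
    "copyleft": PackageVersion("example-codec", "1.0.0", "GPL-3.0-only", 80_000, 500),
    "bloated": PackageVersion("example-cli", "4.2.0", "ISC", 9 * 1024 * 1024, 12),
}


def audit(whitelist: FrozenSet[str] = frozenset()) -> dict:
    """Evaluate every sample package; returns {name@version: Verdict}."""
    return {pkg.key: evaluate(pkg, whitelist) for pkg in SAMPLE.values()}


if __name__ == "__main__":
    for key, verdict in audit(frozenset({"example-codec@1.0.0"})).items():
        status = "certified" if verdict.certified else ("whitelisted" if verdict.allowed else "BLOCKED")
        print(f"{key:24} {status:11} score={verdict.score:3} "
              f"blockers={verdict.blockers} deductions={verdict.deductions}")
```

The useful design point is the separation of `certified` from `allowed`: a whitelist entry does not make a package certified, it only records that someone accepted the stated blocker for one exact version, which keeps the override auditable and forces re-evaluation when the version changes.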