jvinhit//lab

Series · 12 parts

Node Package Managers & the Supply Chain — Deep Dive

Go from "I just run npm install" to understanding the entire dependency layer like a senior. Start with the mental model every package manager shares (resolve → fetch → link, package.json, semver, the registry, lockfiles), then go deep on npm, Yarn Classic (v1), Yarn Berry (v2–v4) with Plug'n'Play, and pnpm plus Bun — what each does differently and why. Then the parts most guides skip: lockfiles and integrity hashes, lifecycle scripts and node-gyp, how native modules ship prebuilt binaries, and the dependency supply chain — real-world attacks (typosquatting, dependency confusion, malicious postinstall, account takeover) and a hardened defense playbook. Ends with monorepos/workspaces and a capstone decision-and-migration guide.

  1. What a package manager actually does under npm install — resolve, fetch, link — plus package.json, semver ranges, the registry, and why the lockfile is the most important file in your repo.

  2. The default package manager, demystified: package-lock.json anatomy, hoisting and phantom dependencies, npm ci vs npm install, lifecycle scripts, npx, .npmrc and scoped registries.

  3. What Yarn v1 fixed about 2016-era npm: deterministic installs, the yarn.lock format, parallel fetching and offline cache — and why it is now frozen in maintenance mode.

  4. The Yarn rewrite that deletes node_modules: how Plug'n'Play resolves imports from a .pnp.cjs map, zero-installs, the node-modules linker escape hatch, and a head-to-head of Yarn v1 vs v4.

  5. How pnpm gets strictness, speed, and near-zero extra disk per project using a single global store with hardlinks and symlinks — plus where Bun fits as the fastest installer.

  6. How resolution actually picks versions, what an SRI integrity hash guarantees, why Corepack pins the package manager per repo, and how lockfile poisoning attacks work.

  7. Why npm install can compile C++ on your machine: lifecycle scripts (preinstall/install/postinstall), what node-gyp does, the N-API native addon model, and why postinstall is both essential and dangerous.

  8. How packages ship prebuilt native binaries: node-pre-gyp, prebuild/prebuildify, and the modern per-platform optionalDependencies pattern used by esbuild and SWC — plus the security risk of postinstall binary downloads.

  9. How attackers get code into your node_modules: typosquatting, dependency confusion, malicious postinstall payloads, maintainer account takeover, and protestware — dissected through real npm incidents.

  10. A concrete defense playbook: ignore-scripts by default, audit, npm provenance and sigstore, scoped tokens with 2FA, minimum release age, SBOMs, lockfile linting, and a hardened CI install.

  11. How workspaces work across npm, Yarn, pnpm and Bun: a single install for many packages, the workspace: protocol, filtered task running, hoisting trade-offs, and pairing with Turborepo or Nx.

  12. The whole series in one place: a decision guide for picking a package manager, a safe migration playbook between managers, Corepack pinning, and an end-to-end hardened install workflow.