npmx Weekly #20

This week's digest highlights significant developments in the npm ecosystem, focusing on the adoption of modern JavaScript standards, enhanced security practices, and the ongoing efforts to foster trust within the community through verification initiatives.

“The only way to do great work is to love what you do.”

Steve Jobs

Updates from Missing Control

As the npm community evolves, several key topics have emerged that reflect the growing enthusiasm for modern development practices and the importance of security and trust in open-source projects.

ESM vs CJS Growth

Titus 🇵🇸

Hello friends and welcome to another “how’s ESM vs CJS doing?!” A big win this time, at a year of `require(esm)` available! 38.0% of the popular npm packages now have ESM, up from 33.4% half a year ago. ESM-only is up from 12.6% to 16.0%. Particularly this non-dual, “vanilla” growth is very big!

Graph showing the status, in raw CSV:

```csv
date,total,esm,dual,faux,cjs
2021-08-24,5617,341,95,832,4349
2021-11-09,5647,411,119,809,4308
2022-08-01,5734,496,207,791,4240
2022-11-04,5747,518,216,785,4228
2023-05-29,6240,630,417,783,4410
2023-11-22,6818,734,510,881,4693
2024-05-27,7042,819,736,826,4661
2024-11-27,8087,942,1152,843,5150
2025-06-05,8677,995,1573,859,5250
2025-12-04,14159,1779,2947,1522,7911
2026-06-08,16231,2590,3574,1689,8378
```

June 8, 2026 at 5:28 PM UTC

The rise of ECMAScript Modules (ESM) is notable, with 38.0% of popular npm packages now supporting ESM, a significant increase from 33.4% six months ago. This shift indicates a move towards modern JavaScript module standards, with ESM-only packages also seeing growth from 12.6% to 16.0%.


Security Incidents in Dependency Management

Recent discussions have highlighted the security risks of the common practice of running `npm install`. The introduction of opt-in dependency install scripts in version 12 is a move towards safer package management practices.
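
As an added example (not code from npmx or npm), one way to see which dependencies an opt-in policy for install scripts would touch is to list the lockfile entries that npm marks with `hasInstallScript`. It assumes a lockfileVersion 2 or 3 `package-lock.json`; the function names, the allowlist parameter and the sample package names are hypothetical.

```javascript
// Added example: inventory dependencies that declare install-time scripts.
// Assumes the lockfileVersion 2/3 layout, where npm marks such packages with
// `hasInstallScript: true` under the top-level `packages` map.

// Derive the package name from a lockfile path key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every locked package with an install script, flagged by whether it
// appears in the reviewed allowlist (hypothetical policy input: Set of names).
function auditInstallScripts(lock, allowlist = new Set()) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('lockfile has no "packages" map (lockfileVersion 1?)');
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || entry.link) continue; // root project / workspace symlink
    if (entry.hasInstallScript !== true) continue;
    const name = nameFromLockPath(lockPath);
    findings.push({ name, version: entry.version, path: lockPath,
                    dev: entry.dev === true, approved: allowlist.has(name) });
  }
  return findings.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile (package names are made up for illustration).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/native-addon': { version: '2.1.0', hasInstallScript: true },
    'node_modules/plain-lib': { version: '4.0.0' },
    'node_modules/plain-lib/node_modules/@acme/telemetry': {
      version: '0.3.1', hasInstallScript: true, dev: true,
    },
  },
};

const report = auditInstallScripts(sampleLock, new Set(['native-addon']));
for (const f of report) {
  console.log(`${f.approved ? 'approved' : 'REVIEW  '} ${f.name}@${f.version} (${f.path})`);
}
```

Entries reported as `REVIEW` are the ones to inspect before allowing their scripts to run; transitive packages nested under another dependency are included because the lockfile lists them by full path.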


npmx Verification Initiative

npmx is launching a significant verification initiative aimed at npm maintainers and projects. This initiative is designed to enhance trust and transparency within the open-source community, reflecting ongoing efforts to strengthen social coding.


Verification of Maintainers

npmx

We've started by verifying npmx maintainers. Log in to mu.social to see the verified badges! We'd like to discuss the best strategy for our communities with OSS maintainers. Should all large enough OSS projects be verifiers? Or would it be better for a few orgs/foundations to take on the task?

We're delighted to launch with multiple trusted verifiers: @france-atmosphe.re @npmx.dev and @medsky.network. Trusted organizations, businesses and professional networks can become verifiers and verify their people and accounts - reach out at verification@mu.social

June 11, 2026 at 7:38 AM UTC

The verification of maintainers on the new mu.social platform has begun, aiming to build trust within the community through verified badges. This initiative is prompting discussions on effective strategies for verification in open-source projects.


JavaScript/TypeScript Enthusiasm

Ethan Holz

@npmx.dev makes me want to write more JS/TS. Most of my job doesn't involve these but when I need to look at a package it becomes so easy to use.

June 9, 2026 at 7:01 PM UTC

A user expressed excitement about using JavaScript and TypeScript, inspired by @npmx.dev, indicating a growing interest in modern web development tools even though their primary job does not focus on these languages.


Feedback-Driven Verification Process

In response to community feedback, npmx is moving forward with the verification of maintainers and projects within the npm ecosystem. This initiative invites larger projects to become verifiers, enhancing community engagement.


Development of Open Source Lexicons

npmx

We've been working on lexicons to represent open source project roles that may be a better fit than flat verifications for each project to surface information about their governance and community. If you'd like to work with us, look for the #projects channel at build.npmx.dev

June 12, 2026 at 6:43 AM UTC

npmx is actively developing lexicons to better represent roles within open-source projects. This initiative aims to provide more nuanced information regarding project governance and community involvement, going beyond simple verifications.


Positive Expressions

A wave of positive interactions, including posts filled with emojis like hearts and thumbs up, has fostered a supportive community atmosphere among users, reflecting the collaborative spirit of the npm ecosystem.


Thanks for tuning in to this week’s updates! We’re so glad to have you on this journey with us.


Stay curious, keep building, and we’ll see you right back here next week! ✨