
NCM Desktop

What is NCM?

NodeSource Certified Modules (NCM) is NodeSource's package monitoring tool for quality, compliance, and security assurance that helps you take advantage of third-party Node.js modules. By utilizing a set of strict certification criteria for public Node.js modules, NCM provides an added layer of trust and risk mitigation for your Node.js projects.

The NCM Desktop application, supported for macOS, Linux, and Windows, continuously monitors your local npm installs and can flag or prevent the installation of packages that do not meet critical trust criteria for your organization. This helps your team identify security vulnerabilities, manage module licenses, and operationalize Node.js package management, with the added benefit of a developer-friendly desktop application.

NCM was made with the user in mind. By participating in the NCM Desktop Beta, you will help refine and improve the overall experience for your team and many other Node.js users.

Feature Overview

NCM Desktop contains a potent combination of security tools and application management options. Below is a brief overview of each feature.

Detailed npm Installation Logs

A rich user interface makes it intuitive to dig deeper into a module's certification score and inspect its vulnerability status, license information, and overall quality. Installs may be sorted by score, vulnerability status, or compliance level.

Whitelists

Depending on your project's risk profile and use case, you may wish to use a module which does not meet our certification threshold. In these cases, you can add a trusted module to your whitelist. This allows you to continue your workflow and make the module choices that are right for you without sacrificing overall security.

Strict Mode

NCM Desktop can be configured to preemptively block the installation of modules that do not meet your security policy criteria. By enabling Strict Mode, you and your team will be prevented from installing any module with a certification score below the NCM quality threshold of 85.
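The Whitelists and Strict Mode features above describe one policy gate: a module fails if its certification score is below 85, a whitelist entry overrides that failure, and Strict Mode decides whether a failure blocks the install or is only flagged. As an added illustration (not NCM Desktop's own code), the following models that decision. The 85 threshold is from this page; the package records, the version-pinned whitelist entries, and the choice to treat a known vulnerability or a noncompliant license as a policy failure alongside a low score are assumptions of this example.

```javascript
// Added illustration, not NCM Desktop's own code: a minimal model of a Strict
// Mode gate with a whitelist override. The threshold of 85 is the NCM quality
// threshold named on the page; everything else here is constructed.
const NCM_QUALITY_THRESHOLD = 85;

// Constructed sample of an install list after scoring (names and scores invented).
const SAMPLE_INSTALL = [
  { name: 'left-pad', version: '1.3.0', score: 92, vulnerable: false, compliant: true },
  { name: 'old-parser', version: '0.2.1', score: 61, vulnerable: true, compliant: true },
  { name: 'odd-license', version: '2.0.0', score: 88, vulnerable: false, compliant: false },
  { name: 'legacy-util', version: '3.1.4', score: 70, vulnerable: false, compliant: true },
];

// A whitelist entry matches by name; pinning a version is an assumption here and
// keeps the exception from silently covering future releases of the module.
const SAMPLE_WHITELIST = [{ name: 'legacy-util', version: '3.1.4' }];

function isWhitelisted(pkg, whitelist) {
  return whitelist.some(
    (w) => w.name === pkg.name && (w.version === undefined || w.version === pkg.version),
  );
}

// Collect the policy failures for one package. Treating a known vulnerability or a
// noncompliant license as a failure alongside a low score is an assumption of this model.
function policyFailures(pkg, threshold) {
  const reasons = [];
  if (pkg.score < threshold) reasons.push(`score ${pkg.score} below threshold ${threshold}`);
  if (pkg.vulnerable) reasons.push('known vulnerability');
  if (!pkg.compliant) reasons.push('license noncompliant');
  return reasons;
}

// Decide per package. With strict=false (the page's default) failures are only
// flagged; with strict=true they block unless the package is whitelisted.
function evaluateInstall(packages, { strict = false, whitelist = [], threshold = NCM_QUALITY_THRESHOLD } = {}) {
  return packages.map((pkg) => {
    const reasons = policyFailures(pkg, threshold);
    const whitelisted = isWhitelisted(pkg, whitelist);
    let action = 'allow';
    if (reasons.length > 0 && !whitelisted) action = strict ? 'block' : 'flag';
    return { name: pkg.name, version: pkg.version, action, whitelisted, reasons };
  });
}

// Convenience view: names of packages that received a given action.
function namesWithAction(decisions, action) {
  return decisions.filter((d) => d.action === action).map((d) => d.name);
}
```

Run `evaluateInstall(SAMPLE_INSTALL, { strict: true, whitelist: SAMPLE_WHITELIST })` to see that the whitelisted `legacy-util` is allowed despite its score while the other two failing packages are blocked; with Strict Mode off the same packages are only flagged, which is why the whitelist and the strict toggle are worth reviewing together when you define a team policy.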

Custom Registry Support

NCM Desktop can be configured to work with your current private or alternative npm registry.

Yarn Support

NCM Desktop now supports Yarn as a first-class package manager, in addition to the npm cli application.

The Basics

If you've already installed and used NCM 1.x, you can still try out the NCM Desktop Beta without making any irreversible changes to your current installation.

To migrate a project from NCM 1 to the Desktop Beta, you'll need to delete that project's current .npmrc file. You can find this file in your app's working directory.

After deleting the file, continue with the installation steps below.

Installation

You can download and install NCM Desktop Beta on your macOS, Linux, or Windows machine using one of the provided build links below:

  • macOS
  • Linux
  • Windows

Sign Up

Authentication and access for NCM Desktop is managed via the NodeSource Accounts service. A new account may be created by visiting the Sign Up page on accounts.nodesource.com. You can sign up using an email address, Google Account, or GitHub Account to authenticate.

Sign In

While you will be required to create your NodeSource account on accounts.nodesource.com, you can sign in to NCM Desktop without exiting the application. To do so, select the same sign in method you used during sign up.

Reset Password

Your account password may be reset by selecting Reset Password on the Login page. You will be redirected to accounts.nodesource.com to reset your password.

Add your project

The Install List makes up the central hub for NCM Desktop. To add your first project to NCM Desktop, select the Add a Project button and continue to select the source of your project. Additional projects may be added by selecting the + icon, located in the title bar.

Once a project is linked to NCM Desktop, any npm install activity will be tracked. This allows NCM Desktop to show you all packages and dependencies installed in a given project, as well as the license information, security details, and overall quality of packages installed. To obtain more information about a specific install, select it from the Installs List. Each installation displays the project it is associated with.

Install Detail

By drilling down into the details of a specific install, NCM Desktop reveals additional information about each and every package installed for your project. Each installed package is listed along with its certification score located on the left hand side; the current version is also displayed alongside the package name.

Located on the far right hand side of the list, tags are displayed which correspond to the package license status and any known security vulnerabilities introduced by the package. Selecting the package will display the Module Detail view, providing further information.

Install Details

The top menu bar contains three additional features to help you navigate:


Sorting: On the left hand side, the Sort section enables the sorting of modules by Name, Issue, and Score.

Filtering: The Show section in the centre enables you to select whether to show vulnerable, noncompliant, or whitelisted modules, or to display all installed.

Keyword Search: On the right hand side, the search section will let you filter modules by name using text input.

Module Detail

The most granular details are available on the Module Details page, which can be accessed by selecting a package from the Installs List. The Module Details page provides a comprehensive status for a specific installed package. Any security vulnerabilities, license compliance, or quality issues will be shown in this view, alongside upgrade suggestions for both security and compliance categories. The package's README file is also available; just select View README on the right hand side of the Module Details pane. By selecting Whitelist, located on the right hand side of the view, you may add or remove a specific package from your organization's whitelist through the Add/Remove from whitelist action in the sidebar. Whitelisting is available on the Professional and Enterprise tier of NCM Desktop only.

In addition, by selecting More Details, the NCM Web Module Detail page will open in your browser, allowing for further insight into your installed packages.

Settings

The Settings view is available by selecting the gear icon in the upper right hand corner of any page. The settings view is divided into three segments, all viewable near the top of the application.

The Preferences tab handles local preference settings for NCM Desktop. Strict Mode toggles the ability to block the download and installation of modules that do not meet your security or compliance policy criteria. By default, Strict Mode is disabled. Clicking the Clear Cache button clears the cache of packages managed by npm. Periodic clearing of the cache will free up disk space and help avoid module version issues.

The Registries tab allows you to change your default registry for your JavaScript packages. By default, it is configured to https://registry.npmjs.org.

Organizations

Organizations allow the collaborative use of NCM Desktop across your team or company. Installs may be filtered by Organization using the organization selector dropdown, located on the right hand side of the title bar. You are able to switch between organization accounts and your personal NodeSource account through this menu, as well as return to the Install List from anywhere in the app.

Inactive Org

When your team's trial period ends, you will be met with the Inactive Organization page. From here, you may create another organization, or receive your team owner's email in order to contact them directly regarding your inactive organization. Users can continue to use NCM Desktop with Developer tier entitlements by selecting the Personal option from the drop down selector located in the top right corner.

Simultaneously, your Organization Admin will be notified the next time they log in. By selecting the Upgrade button, admins may upgrade their organization to the Professional or Enterprise Tier via accounts.nodesource.com. Individual members of your organization will still be able to use NCM Desktop but will not be able to do so collaboratively as part of an Organization until your account has been upgraded.

Application Menu

From the application menu, you are able to manage application settings. The menu allows for the toggling of Strict Mode, clearing of the npm cache, and the ability to enable or disable Launch at Login. Additionally, you can log out or quit the application from this menu.

Mitigating Issues with Package Manager Lockfiles

At present, there is a known issue around generated package-lock.json, npm-shrinkwrap.json, and yarn.lock files in which the local NCM Desktop registry proxy is locked as the source registry in each of these files.

This can cause issues for anyone without NCM Desktop installed and running who tries to npm install or yarn install, as the registries outlined in package-lock.json, npm-shrinkwrap.json, and yarn.lock won't be accessible and the modules will fail to install.

As a local fix during the NCM Desktop Beta, you have a few options for each type of file:

Local fixes for package-lock.json

  • Globally disable package-lock.json with this command: npm config set package-lock false
  • Add package-lock.json to your .gitignore
  • Delete package-lock.json before deploying or committing

Local fixes for npm-shrinkwrap.json

  • Add npm-shrinkwrap.json to your .gitignore
  • Add npm-shrinkwrap.json to an .npmignore file.
  • Delete npm-shrinkwrap.json before deploying or committing

Local fixes for yarn.lock

  • Add yarn.lock to your .gitignore
  • Add yarn.lock to an .npmignore file.
  • Delete yarn.lock before deploying or committing

Continuous Integration

NCM Desktop is still beta software and as such has one known issue: once one of your projects has been added to NCM Desktop and the new .npmrc file has been committed, you will need to add a custom command to your CI setup in order to continue operation:

npm set registry https://registry.npmjs.org

This is necessary because the .npmrc file currently tells npm to talk to NCM Desktop in order to resolve node modules, which isn't yet available on CI systems. Stay tuned for updates to this!
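The lockfile issue and the CI note above share one root cause: an install that went through the local NCM Desktop proxy leaves the proxy's address baked into the `resolved` URLs of package-lock.json, npm-shrinkwrap.json and yarn.lock, so any machine without the proxy cannot fetch those tarballs. Deleting or ignoring the lockfile, as listed above, also discards the pinning the lockfile provides. A lighter option is to audit the lockfile for `resolved` URLs that do not point at the registry you expect and, if they all merely point at the proxy, rewrite the origin while leaving the `integrity` hashes untouched, so that npm or yarn will still reject any tarball whose contents differ from what was originally installed. The following is an added example written for this page, not NCM Desktop's or NodeSource's code. The expected registry is the public one named on this page; the proxy address used in the constructed sample lockfiles is a placeholder, since the real local proxy address is not given here, and the lockfile contents, package names and hashes are constructed for the example.

```javascript
// Added example, not NCM Desktop's own code. Audits lockfiles for "resolved" URLs
// that point somewhere other than the expected registry, and can rewrite the origin
// of those URLs. Suitable as a pre-commit or CI check for projects that install
// through a local registry proxy.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org';

// Placeholder for a local proxy address; the real NCM Desktop proxy address is not
// on the page, so this value exists only to build the constructed samples below.
const SAMPLE_PROXY = 'http://localhost:4873';

// Constructed package-lock.json (lockfileVersion 1 layout) after installing through
// a proxy: two entries still point at the proxy, one already points upstream.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'demo-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0', resolved: `${SAMPLE_PROXY}/left-pad/-/left-pad-1.3.0.tgz`, integrity: 'sha512-constructed' },
    ms: {
      version: '2.1.2', resolved: `${EXPECTED_REGISTRY}/ms/-/ms-2.1.2.tgz`, integrity: 'sha512-constructed',
      dependencies: { debug: { version: '4.1.1', resolved: `${SAMPLE_PROXY}/debug/-/debug-4.1.1.tgz`, integrity: 'sha512-constructed' } },
    },
  },
});

// Constructed yarn.lock excerpt in the same situation.
const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1', '',
  'left-pad@^1.3.0:', '  version "1.3.0"',
  `  resolved "${SAMPLE_PROXY}/left-pad/-/left-pad-1.3.0.tgz#abc123"`, '',
  'ms@^2.1.2:', '  version "2.1.2"',
  `  resolved "${EXPECTED_REGISTRY}/ms/-/ms-2.1.2.tgz#def456"`, '',
].join('\n');

// Return every resolved URL in an npm lockfile that does not start with `expected`.
// lockfileVersion 2/3 files carry a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 files nest a "dependencies" tree. Version 2 has both, so the
// tree is only walked when no "packages" map is present, to avoid double reporting.
function findForeignNpmLock(lockText, expected = EXPECTED_REGISTRY) {
  const lock = JSON.parse(lockText);
  const found = [];
  const foreign = (url) => typeof url === 'string' && !url.startsWith(expected + '/');
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path && foreign(entry.resolved)) found.push({ path, resolved: entry.resolved });
  }
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (foreign(entry.resolved)) found.push({ path: here.join(' > '), resolved: entry.resolved });
      walk(entry.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return found;
}

// Same audit for a yarn v1 lockfile: remember the current entry header and check
// each `resolved "..."` line, ignoring the trailing "#hash" fragment.
function findForeignYarnLock(lockText, expected = EXPECTED_REGISTRY) {
  const found = [];
  let current = null;
  for (const line of lockText.split('\n')) {
    if (/^[^\s#].*:$/.test(line)) current = line.slice(0, -1);
    const m = /^\s+resolved "([^"#]+)(#[^"]*)?"/.exec(line);
    if (m && !m[1].startsWith(expected + '/')) found.push({ path: current, resolved: m[1] });
  }
  return found;
}

// Rewrite resolved URLs whose origin is `from` so they point at `to`. Integrity
// hashes are deliberately left alone: if the proxy served anything other than the
// upstream tarball, the package manager will refuse it, which is the safe outcome.
function rewriteNpmLock(lockText, from, to = EXPECTED_REGISTRY) {
  const lock = JSON.parse(lockText);
  const fix = (entry) => {
    if (typeof entry !== 'object' || entry === null) return;
    if (typeof entry.resolved === 'string' && entry.resolved.startsWith(from + '/')) {
      entry.resolved = to + entry.resolved.slice(from.length);
    }
    for (const child of Object.values(entry.dependencies || {})) fix(child);
  };
  for (const entry of Object.values(lock.packages || {})) fix(entry);
  for (const entry of Object.values(lock.dependencies || {})) fix(entry);
  return JSON.stringify(lock, null, 2) + '\n';
}

function rewriteYarnLock(lockText, from, to = EXPECTED_REGISTRY) {
  return lockText.split('\n').map((line) =>
    line.replace(/^(\s+resolved ")([^"]+)(")/, (_, open, url, close) =>
      url.startsWith(from + '/') ? open + to + url.slice(from.length) + close : open + url + close),
  ).join('\n');
}
```

Calling `findForeignNpmLock(SAMPLE_PACKAGE_LOCK)` reports `left-pad` and `ms > debug`, the two entries still bound to the proxy, and `rewriteNpmLock(SAMPLE_PACKAGE_LOCK, SAMPLE_PROXY)` returns a lockfile for which the audit is clean. In CI the audit alone is the useful part: failing the build when a committed lockfile references anything other than the registry you expect catches the proxy problem described here and, more generally, any lockfile whose download locations were changed without review.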