NCM Desktop contains a potent combination of security tools and application management options. Below is a brief overview of each feature.
Detailed npm Installation Logs
A rich user interface makes it intuitive to dig deeper into a module's certification score and inspect its vulnerability status, license information, and overall quality. Installs may be sorted by score, vulnerability status, or compliance level.
Depending on your project's risk profile and use case, you may wish to use a module which does not meet our certification threshold. In these cases, you can add a trusted module to your whitelist. This allows you to continue your workflow and make the module choices that are right for you without sacrificing overall security.
NCM Desktop can be configured to preemptively block the installation of modules that do not meet your security policy criteria. By enabling Strict Mode, you and your team will be prevented from installing any module with a certification score below the NCM quality threshold of 85.
Custom Registry Support
NCM Desktop can be configured to work with your current private or alternative npm registry.
NCM Desktop now supports Yarn as a first-class package manager, in addition to the npm cli application.
If you've already installed and used NCM 1.x, you can still try out the NCM Desktop Beta without making any irreversible changes to your current installation.
To migrate a project from NCM 1 to the Desktop Beta, you'll need to delete that project's current .npmrc file. You can find this file in your app's working directory.
After deleting the file, continue with the installation steps below.
You can download and install NCM Desktop Beta on your macOS, Linux, or Windows machine using one of the provided build links below:
Authentication and access for NCM Desktop is managed via the NodeSource Accounts service. A new account may be created by visiting the Sign Up page on accounts.nodesource.com. You can sign up using an email address, Google Account, or GitHub Account to authenticate.
Although the NodeSource account itself must be created on accounts.nodesource.com, you can sign in to NCM Desktop without leaving the application. To do so, select the same sign-in method you used during sign up.
Your account password may be reset by selecting Reset Password on the Login page. You will be redirected to accounts.nodesource.com to reset your password.
Add your project
The Install List makes up the central hub for NCM Desktop. To add your first project to NCM Desktop, select the Add a Project button and continue to select the source of your project. Additional projects may be added by selecting the + icon, located in the title bar.
Once a project is linked to NCM Desktop, any npm install activity will be tracked. This allows NCM Desktop to show you all packages and dependencies installed in a given project, as well as the license information, security details, and overall quality of packages installed. To obtain more information about a specific install, select it from the Installs List. Each installation displays the project it is associated with.
By drilling down into the details of a specific install, NCM Desktop reveals additional information about each and every package installed for your project. Each installed package is listed along with its certification score located on the left hand side; the current version is also displayed alongside the package name.
Located on the far right hand side of the list, tags are displayed which correspond to the package license status and any known security vulnerabilities introduced by the package. Selecting the package will display the Module Detail view, providing further information.
The top menu bar contains three additional features to help you navigate:
Sorting: On the left hand side, the Sort section enables the sorting of modules by Name, Issue, and Score.
Filtering: The Show section in the centre enables you to select whether to show vulnerable, noncompliant, or whitelisted modules, or to display all installed.
Keyword Search: On the right hand side, the search section will let you filter modules by name using text input.
The most granular details are available on the Module Details page, which can be accessed by selecting a package from the Installs List. The Module Details page provides a comprehensive status for a specific installed package. Any security vulnerabilities, license compliance, or quality issues will be shown in this view, alongside upgrade suggestions for both the security and compliance categories. The package's README file is also available; select View README on the right hand side of the Module Details pane. Selecting Whitelist, also on the right hand side of the view, opens the Add/Remove from whitelist action in the sidebar, which adds the package to or removes it from your organization's whitelist. Whitelisting is available on the Professional and Enterprise tiers of NCM Desktop only.
In addition, by selecting More Details, the NCM Web Module Detail page will open in your browser, allowing for further insight into your installed packages.
The Settings view is available by selecting the gear icon in the upper right hand corner of any page. The settings view is divided into three segments, all viewable near the top of the application.
The Preferences tab handles local preference settings for NCM Desktop. Strict Mode toggles the ability to block the download and installation of modules that do not meet your security or compliance policy criteria. By default, Strict Mode is disabled. Clicking the Clear Cache button clears the cache of packages managed by npm. Periodic clearing of the cache will free up disk space and help avoid module version issues.
Organizations allow the collaborative use of NCM Desktop across your team or company. Installs may be filtered by Organization using the organization selector dropdown, located on the right hand side of the title bar. You are able to switch between organization accounts and your personal NodeSource account through this menu, as well as return to the Install List from anywhere in the app.
When your team's trial period ends, you will be met with the Inactive Organization page. From here, you may create another organization, or obtain your team owner's email address in order to contact them directly regarding the inactive organization. Users can continue to use NCM Desktop with Developer tier entitlements by selecting the Personal option from the drop down selector located in the top right corner.
At the same time, your Organization Admin will be notified the next time they log in. By selecting the Upgrade button, admins may upgrade their organization to the Professional or Enterprise tier via accounts.nodesource.com. Individual members of your organization will still be able to use NCM Desktop, but will not be able to do so collaboratively as part of an Organization until the account has been upgraded.
From the application menu, you are able to manage application settings. The menu allows for the toggling of Strict Mode, clearing of the npm cache, and ability to enable or disable Launch at Login. Additionally, you can log out or quit the application from this menu.
Mitigating Issues with Package Manager Lockfiles
At present, there is a known issue around generated lockfiles such as yarn.lock: the local NCM Desktop registry proxy is recorded as the source registry in each of these files. This causes problems for anyone without NCM Desktop installed and running who tries to npm install or yarn install, as the registry URLs recorded in the lockfile won't be reachable and the modules will fail to install.
As a local fix during the NCM Desktop Beta, you have a few options for each type of file:
Local fixes for package-lock.json:
- Globally disable package-lock.json with this command: npm config set package-lock false
- package-lock.json to your
- package-lock.json before deploying or committing
Local fixes for npm-shrinkwrap.json:
- npm-shrinkwrap.json to your
- npm-shrinkwrap.json to an
- npm-shrinkwrap.json before deploying or committing
Local fixes for yarn.lock:
- yarn.lock to your
- yarn.lock to an
- yarn.lock before deploying or committing
NCM Desktop is still beta software and as such has a further known issue: once one of your projects has been added to NCM Desktop and the new .npmrc file has been committed, you will need to add a custom command to your CI setup in order to continue operation:
npm set registry https://registry.npmjs.org
This is necessary because the committed .npmrc file currently tells npm to talk to NCM Desktop in order to resolve node modules, and NCM Desktop is not yet available on CI systems. Stay tuned for updates to this!