Recommended protections disabled - npm

I see a lot of questions around "recommended protections disabled", but I haven't been able to find anything about "recommended protections" in the NPM documentation. Does anyone have a source on what recommended protections are or how to enable them?

Related

Is it a good idea to use NPM to upload some packages of a commercial project on it?

I am following a Microservices course that creates a free NPM account and pushes a package he writes through the course into it, and imports this package in other related files of the application like a common NPM module/package.
He also mentions there are other options like using Github or some local Git/version controller, etc.
As I am trying to make a commercial project for my own startup, I am curious to know what is a good/affordable option for a startup company in this situation? Is it still a good idea to use an NPM free public account to push some packages and use them through our application?
I think that if you are creating a module that can be useful to the community or part of it, NPM is an interesting option to keep your packages.
If you're not uploading reusable packages but your whole application to npm, then that's messed up; NPM is a package registry. Github, Gitlab, and tools alike should be a more suitable option since those are general-purpose code repositories, not package registries.
Also, be aware that the packages you upload on a free npm account are available to any NPM user. See: NPM Private Packages
From my previous experience, both GitLab and Github offer good free small professional accounts that may be suitable for your case.

SonarLint plugin misses some (SonarCloud's) rules locally

TL;DR -> Force code smells to appear as SonarCloud issues in the IDE
I have the SonarLint plugin (vscode) installed locally and configured with external SonarCloud rules (by my organization's project).
The thing is, even though it is well configured, some issues fail to count as an actual issue locally in my IDE and only appear online (e.g. github integration).
I have not yet realized what is common between those slippery SonarCloud issues; they might be code smells.
I have seen some StackOverflow questions regarding that matter, but have not yet encountered an answer which explicitly suggests a workaround or a method to configure it as I wish.
Did anyone ever manage to work it out?

NuxtJS Installation with NPM - Why so many deprecated packages?

Hi, I'm creating my first NuxtJS app, but while creating it I see many deprecation warnings from NPM. I know this won't stop my app from running, but I'm just wondering why there are so many deprecated packages out-of-the-box here...
Can someone explain to me what is going on? Some of the warnings are also pretty scary if you're just starting a new project, such as security concerns and packages no longer maintained...

Published an npm but it's nowhere to be seen on the internet

I just published an npm while following the procedure and it is found as published on https://www.npmjs.com/ also.
However, I am unable to find it on the internet when I search it.
Not all the packages you publish come to the top of Google search results.
Google searches across a wide range of content across the internet, not just the npm registry. The search results are based on the relevance of the search term to content across the internet. Results from other websites may also pop up.
It can also depend on the popularity (usage) of the package and other criteria which I'm not aware of. Since you have published the package recently, Google won't even be aware of it. Next time the Google crawlers crawl npmjs they might see the package (maybe it's possible that the npm registry has a custom feed pushing to Google depending on package usage rather than Google crawlers crawling them).
So don't worry if it doesn't appear in Google search. Your package can be searched from npmjs and is available for all to use, and can be shared with everyone. Maybe eventually you will reach the top of Google search results :)
Also, you can add a relevant description and keywords to your package.json so that people can find it easily in the npm registry search. Right now it shows up only if it's an exact package name match.

node-sass vulnerability and npm audit

I have projects to maintain that use the node-sass npm module.
Since node 10.x, there is a tool (called npm audit) that is run every time we do an npm install. This seems to be a good tool for preventing vulnerability issues.
My problem is that the node-sass module has vulnerabilities. I saw that the maintainers of the project do not want to fix the issues, for bad reasons.
https://github.com/sass/node-sass/issues/2262
People maintaining popular modules like node-sass should correct the vulnerability issues as soon as possible, but unfortunately they don't.
I am not an expert in security, so I prefer to rely on what npm indicates and no longer use dependencies that print messages that make you think your software is crap.
But I like SASS so much for coding CSS that I would like to give it a chance and keep it.
Any idea for removing these vulnerability messages while keeping the project safe and not reducing developer experience?
This security issue is mainly irrelevant to node-sass since it never sees any exposure to your live code.
node-sass runs on hosts normally used for development, which are usually not visible on a public network.
You normally will use node-sass to pre-compile SCSS into CSS, and vulnerabilities will not impact the resulting CSS code.
These warnings are relevant if you run the node.js server as a backend, which is normally not the case (or never the case).
One option is to use dart-sass. It has no vulnerability issues.
https://sass-lang.com/dart-sass
https://github.com/webpack-contrib/sass-loader
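The answer above rests on node-sass being reachable only through devDependencies. As an added example (not code from any of the posts above or from node-sass), the script below splits an `npm audit --json` report into findings that reach a runtime dependency and findings that reach only devDependencies, so the warning about node-sass can be triaged rather than ignored. It assumes the report layout of npm's auditReportVersion 2 (`isDirect` and `effects` per entry); the package.json and the report embedded here are constructed sample data.

```javascript
// Constructed package.json: express is shipped, node-sass is build-time only.
const packageJson = {
  dependencies: { express: '^4.0.0' },
  devDependencies: { 'node-sass': '^4.0.0' },
};

// Constructed `npm audit --json` output in the auditReportVersion 2 shape.
// `effects` lists the packages that are vulnerable because they depend on this one.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    tar: { name: 'tar', severity: 'high', isDirect: false,
           via: [{ name: 'tar', title: 'constructed advisory', severity: 'high' }],
           effects: ['node-sass'], nodes: ['node_modules/tar'] },
    'node-sass': { name: 'node-sass', severity: 'high', isDirect: true,
                   via: ['tar'], effects: [], nodes: ['node_modules/node-sass'] },
    qs: { name: 'qs', severity: 'moderate', isDirect: false,
          via: [{ name: 'qs', title: 'constructed advisory', severity: 'moderate' }],
          effects: ['express'], nodes: ['node_modules/qs'] },
    express: { name: 'express', severity: 'moderate', isDirect: true,
               via: ['qs'], effects: [], nodes: ['node_modules/express'] },
  },
};

// Follow `effects` upward until the direct dependencies that pull in `name` are reached.
function directRoots(vulns, name, seen = new Set()) {
  if (seen.has(name)) return new Set(); // guard against cycles in the effects graph
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.isDirect) return new Set([name]);
  const roots = new Set();
  for (const parent of entry.effects) {
    for (const r of directRoots(vulns, parent, seen)) roots.add(r);
  }
  return roots;
}

// Returns { runtime: [...], devOnly: [...] }: a finding is dev-only when none of
// the direct packages it reaches is listed under `dependencies`.
function triageAudit(pkg, report) {
  const runtimeDeps = new Set(Object.keys(pkg.dependencies || {}));
  const result = { runtime: [], devOnly: [] };
  for (const name of Object.keys(report.vulnerabilities)) {
    const roots = [...directRoots(report.vulnerabilities, name)];
    const touchesRuntime = roots.some((r) => runtimeDeps.has(r));
    (touchesRuntime ? result.runtime : result.devOnly).push(name);
  }
  result.runtime.sort();
  result.devOnly.sort();
  return result;
}

console.log(JSON.stringify(triageAudit(packageJson, auditReport)));
```

With a real project, feed it `JSON.parse` of `npm audit --json`; npm's own `npm audit --omit=dev` is the built-in way to leave devDependencies out of the scan, but the split above keeps the dev-only findings visible for review instead of dropping them.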