npm will deliver content only in HTTPS from now on

Apr 3, 2016 22:20 GMT  ·  By

The administrators of npm (Node.js Package Manager), the service and the command-line tool so essential to so many developers around the globe, have taken special steps to boost their tool's security by adding full HTTPS support.

Starting April 1, the npm service has begun answering all data requests with content over HTTPS. Prior to this update, content requested via HTTP was also delivered via HTTP.

In the following weeks, the service's CDN will use a 301 redirect message for all user requests coming via HTTP, redirecting them to their corresponding HTTPS version.

This redirect will also introduce a small lag, which the service says users can avoid by making their initial request via HTTPS.

npm management stresses that this change was not made because they suspected anything malicious, since the local npm CLI client that most people use also performs shasum validation on all data sent to the user.

Last week, news broke about a new type of attack on the npm registry using a quick-spreading worm. This npm update doesn't protect against that attack, but it's a welcome change that will add an extra boost of security to the service.

Those most affected by this change are probably companies that replicate npm's package repository inside their local development environments.