
What is the Verified Modules Initiative (working title)?

Verification
The evaluation of whether or not a product, service, or system complies with a regulation, requirement, specification, or imposed condition.

It's 2016 - we need to build large-scale reliable systems on Node.js, but the current module registries are a wild west. Anything goes!

Well, not here. We aim to start holding ourselves to a higher standard. We know what best practices look like, but we don't always practice them like we should. Why? It's not convenient enough. None of the tools for writing quality modules come with Node core by default.

Writing quality modules needs to be simpler.

The goal is to establish a set of specs that node modules should meet, and provide the tools and CI services to programmatically enforce these standards. Modules meeting these specs will be featured on a website dedicated to this purpose, and be eligible for a badge to proudly display. Collectively it will be the very model of a modern major registry, where APIs are always documented, dependencies are always up to date, security fixes are applied instantaneously to everyone's modules (assuming the change doesn't break anyone's tests in CI).

Even if we do not achieve our goal, hopefully our ambition will spark a conversation in the Node.js community about what qualities we really want modules to have, how to ensure our software is secure and maintained, and how module authors can better cooperate to develop the shared community codebase together.

What's involved?

I've been bookmarking modules for a little over a year now that I think would make sense to apply broadly, either as default modules, npm prepublish scripts, or to run in bot form like greenkeeper.io. This part is very much a work in progress, and is more of an idea list than a fixed plan.

V&V (verification and validation)

semantic-release (boennemann)

fully automated semver compliant package publishing

dont-break (bahmutov)

Checks if the current version of your package would break dependent projects

next-update (bahmutov)

Tests if a module's dependencies can be updated to the newer version without breaking the tests

depcheck (lijunle)

Depcheck is a tool for analyzing the dependencies in a project to see: how each dependency is used, which dependencies are useless, and which dependencies are missing from package.json.

Security

snyk (remy)

Snyk helps you find, fix and monitor for known vulnerabilities in Node.js npm packages, both ad hoc and as part of your CI (Build) system.

retire (eoftedal)

Retire is a tool for detecting use of vulnerable libraries

nsp (nlf)

The Node Security (nodesecurity.io) command line interface

auditjs (kenduck)

Audit dependencies to identify known vulnerabilities and maintenance problems

Safety

What can we do about malicious packages? Can we free people from the potential that a postinstall script might run rm -rf / (or otherwise tamper with the system)?

Tests

We need a way to verify that a module has good test coverage. Can we do something similar to npms.io and use img.shields.io JSON API for that?

Style

standard (feross)

JavaScript Standard Style

Is that controversial? Too limiting?

Docs

README candidates - Let's start by mandating a README exists, and then build from there with something like:

projectz (balupton)

Stop wasting time syncing and updating your project's README and Package Files!

Generate a README.md from package.json contents

standard-readme (richardlitt)

Readme Standard Style

mos (zkochan)

A pluggable module that injects content into your markdown files via hidden JavaScript snippets

Misc

LICENSE candidates - Let's start by mandating a LICENSE exists, and then maybe we can automatically check for license compatibility (or at least guarantee every dep HAS a license, maybe handle simple cases where all the licenses are MIT / BSD)

license-checker (davglass)

Check license info for a package

licensecheck (marcello3d)

A quick way to see the licenses of modules you depend on—recursively.

Runtime dependencies?

All of the above are simply devDependencies, so they add zero weight to the finished module. Quality modules can be written using only the Node core, so what can we say about runtime modules? I don't know. But let's list some anyway - no idea is being discarded at this point, we're still brainstorming.

update-notifier (sboudrias)

Update notifications for your CLI app

pretty-error (ariaminaei)

See nodejs errors with less clutter

How you can help

Prototype

I've started assembling a proof-of-concept module called exemplar that tries to do all the things. Check it out and open a pull request if you're into that kind of thing.