Anything NPM – Girl Code @ Adyen
Post written by: Marijke van den Berge
More pictures at: meetup.com/girlcode
When I career-changed to software/frontend-development in 2019, Girl Code was the first meetup I ever attended (the one at Adidas), and since then, I’ve been a regular at meetups all over the Randstad and especially enjoy the Girl Code meetups.
It’s so nice to learn more about all kinds of (IT) subjects and sharing experiences with other women and it pleases me to contribute a little by writing this blog post.
On 28 November, Adyen was host to the last Girl Code meetup of 2018.
At the entrance Girl Code’s host Zinat Farhang welcomed everyone and took us all the way to the top floor where Miss Girl Code Ineke Scheffers and Adyen’s Floor Disselhorst received us with food and drinks. After unwinding from our work days, having a chat will fellow Girl Coders and enjoying pizzas, it was time to officially kick-off the evening.
Ineke started with a word of welcome, an intro to Girl Code and shared a cringeworthy experience she had just had that day. While part of a hiring committee conducting a job interview, she was completely ignored by the male interviewee. Girl Code meetups are a great way to be able to share these experiences with fellow women and feel supported!
Martine de Visscher, VP of Product Mid-Market at Adyen, continued by introducing Adyen and explaining that 30% of the employees are women and the company is actively working on diversity and getting more women in. If the name Adyen doesn’t ring a bell, you’ve probably all used the company’s services without realizing it. Adyen’s software makes payments happen, wherever you are and whatever payment method you are using. Sometimes in life you might think ‘what if I could start all over again?’ At least, I think that sometimes. So, I liked hearing that that question actually formed the basis of Adyen! Adyen builds everything in house by its own people, no rules, just one: they maintain a ‘no-blush-policy’; if you start blushing you know you are doing something wrong!
After hearing from the two organizers it was time for the girl coders to share their experiences with NPM.
First up was ‘Create and Deploy an NPM Package’ by Mirellys Arteta Davila who works as an iOS engineer/ full stack developer at ANWB.
Then Adyen’s own Kat Chilton took the microphone to dive into ‘Enterprise Level NPM Security (and other dependency management tools)’
But there is risk involved. As Ani DiFranco says, every tool is a weapon if you hold it right.
NPM is potentially the scene of a crime!
NPM installs a tree of dependencies. That is, every package installed gets its own set of dependencies. That means loads of potential danger! She gives us some examples of NPM gone wrong like how bitcoins got robbed and explains us that massive dependency trees make you and everyone that uses your product vulnerable. She shows how easy it is to inject malware into an NPM patch and how you can just sit back and relax while the infection spreads. She further demonstrates her point by showing one dependency node which grows and grows until we see a screen full of tiny dependency dots. Summarizing, NPM makes work easier, but can make it very unsafe easily!
Fortunately, there are some steps you can take to be a responsible NPM-user. Use smaller libraries with fewer dependencies, be critical, take the time to look; and, let the right one in! At the NPM-database you can see a list of dependencies of the package you want to install, but unfortunately you can’t see the dependencies of those dependencies. So best thing to do is not to jump immediately on any new js-libary bandwagon we see. It isn’t secure! So, what should you look at while investigating packages? Kat talked us through what we should pay attention to while browsing for packages. Check how old it is, how mature is the latest update? Is there a read-me? Are there any known vulnerabilities in the library? Does it have a SPDX compliant license? Is it free for commercial use? Is there a link to source code? And, if you’re always prone to update as soon as a new update comes out, think again. To avoid being a victim of a zero-day exploit attack, don’t grab updates immediately fresh off the presses. If you update as soon as it comes out, you could be victim of a vulnerability that we don’t know exists yet. She ended her whirlwind talk by advising us to stand on the shoulders of giants and to check out the Open Web Application Security Project (OWASP) and to never put our full trust in NPM as, after all, they’re in the business to make money.
Follow Kat here:
Check out her slides:
And read her blogpost about Skantek (NPM security project):
The last presentation of the evening was ‘Working with NPM Packages in Monorepos’ by Admira Husić, Fullstack engineer at Harver.
Like the previous talks, this one introduced me to new concepts. If you had any misconceptions on working with monorepos (a software development strategy where code for many projects are stored in the same repository) she debunks them one by one. On her first day at Harver she was assigned a buddy who told her to clone a repository to set up her work environment, that was it! She was confused; how do so many developers work on one repository?! But working for Harver she slowly learned the perks of this strategy.
To work with different teams on a monorepo means that we have separate packages that separate teams are working on, but they are stored in one git repository. When you can use code in a monorepo for several applications you don’t have to adjust every single project (like when all applications would have their own repo), but it works directly for all applications which means they are all up to date continuously.
She explained that there are tools to manage your multiple packages like lerna and ended her presentation using a magical forest and magical creatures to show how it all works.
Follow Admira Husić here:
This last GirlCode Meetup of 2019 gave me lots of new insights and the opportunity to catch up with fellow Girl Coders.
As Ineke is taking a well-deserved break a new meetup isn’t planned yet but be sure to keep an eye on meetup.com/girlcode for when the next one will be announced. She and all other contributors wish you a splendid 2020 with lots of Girl Coding Power!
For this meetup the Girl Code team was formed by:
Ineke Scheffers – Organizer and host https://www.linkedin.com/in/ineke-scheffers/
Marijke van den Berge – Blogger https://www.linkedin.com/in/marijkevdb/
Zinat Farhang – Host https://www.linkedin.com/in/zinatfarhang
Dominique Kersten – Host / Photographer https://www.linkedin.com/in/dominiquekersten