Chainguard Libraries for JavaScript Overview

Chainguard Libraries for JavaScript is a major ecosystem supported by Chainguard Libraries. The JavaScript ecosystem consists of thousands of open source projects from the communities around JavaScript, TypeScript, Node.js, React, Vue.js, Angular, Svelte, Next.js, Express, and many others.

Background

The main public repository for JavaScript packages is the npm Registry. Launched in 2010, the npm Registry has grown to become the largest software registry in the world, hosting over two million packages. It serves as the central hub for open source JavaScript libraries, tools, and frameworks, supporting a vibrant and rapidly evolving ecosystem. The registry is widely used by developers for both client-side and server-side JavaScript projects, and its scale and history make it a critical resource for modern application development.

It is the default repository in all commonly used build tools from the JavaScript community, including npm, pnpm, Yarn, and Yarn Berry, and uses the npm repository format. Chainguard Libraries for JavaScript covers all open source artifacts from the npm Registry.

Chainguard Libraries for JavaScript provides access to a growing collection of popular Javascript packages rebuilt from source. New releases of common packages requested by customer builds are added to the index by an automated system.

You can use Chainguard Libraries for JavaScript alongside third-party software repositories to create a single source of truth with your repository manager application.

Runtime requirements

The runtime requirements for JavaScript packages available from Chainguard Libraries for JavaScript are identical to the requirements of the original upstream project. For example, if a package retrieved from the npm Registry requires Node.JS v22 or higher, the same Node.JS v22 requirement applies to the package from Chainguard Libraries for Java. The same applies to JavaScript, Typescript, or React versions, as well as any other requirements of the original upstream project.

Technical details

The username and password retrieved with chainctl are required to access the Chainguard Libraries for Java repository. The URL for the repository is:

https://libraries.cgr.dev/javascript/

The URL does not expose a browsable directory structure.

This Chainguard Libraries for JavaScript repository uses the npm repository format and only includes release artifacts for libraries built by Chainguard from source. It also does not include all packages from the npm registry.

Specifically, the following components are not included:

• Packages without any source code available, including malicious packages and proprietary packages.
• Packages that use post-install scripts.
• Packages that are flagged as malware during our build process.

As a result, you must configure the repository as the first point of contact for all package retrievals. This setup directs requests to Chainguard, ensuring that all available libraries are used. If a request fails, Chainguard flags it and runs backfill processes where possible.

At the same time, you might need to continue to use other repositories that fills the needs for libraries that are not available from the Chainguard Libraries repository, including your own private or scoped packages from the npm Registry or another private registry.

Typically the access is configured globally on a repository manager for your organization. This approach is strongly recommended.

Alternatively, you can use the token for direct access from a build tool as discussed in Build configuration.