Security News

npm Updates Search Experience with New Objective Sorting Options

npm has a revamped search experience with new, more transparent sorting options—Relevance, Downloads, Dependents, and Publish Date.

Sarah Gooding

December 5, 2024


npm has introduced a revamped search experience on npmjs.com, aiming to improve package discovery for developers. The registry is eliminating less specific criteria which it previously used, including popularity, quality, and maintenance, in favor of more objective and quantifiable sorting options:

  • Relevance (based on word match)
  • Downloads (weekly and monthly)
  • Most dependents
  • Last published date

This is a major change, as previously the Popularity ranking was based on download count. Quality was an indicator built from a collection of considerations such as the presence of a README file, stability, tests, up-to-date dependencies, a custom website, and code complexity. The Maintenance ranking was based on how frequently packages were maintained. Optimal combined the other three criteria into one score.

How npm Search Works: Keyword Matching and Neutral Ranking

npm's search is powered by the open source OpenSearch project. The documentation for searching packages explains the criteria used for performing searches:

Search results are displayed based on keyword matching from the package's title, description, readme, and keywords. No subjective ranking criteria are applied, except for a minimal boost to deprioritize spammy or entirely new packages, aiming to maintain a neutral stance towards all other packages.

Search results display an approximate count of the packages available for that query and users can then further filter the results using the dropdown menu with the updated sorting options.

Two weeks ago, npm piloted the new search with select GitHub Stars and high-impact npm users. As of this week, the feature is now accessible to all users. Developers are encouraged to provide feedback through the GitHub discussion thread to assist in refining the search functionality, and so far the changes have received mixed reviews.

In one comment on the changes, open source developer Gustavo Rodrigues highlighted that while the new npm search is more transparent and objective, it lacks flexibility for nuanced use cases. Users may miss features like combined scoring (e.g., popularity and recency) and more contextual filtering options (e.g., module types, package sizes):

The current filters are more clear, sure, but I don't think it made looking for a package easier. Example: if I want a modern library (e.g. I want something using ES modules) I could look for the most recently updated, but since it's a strict filter (it sorts by updated date and nothing else) it returns anything which is new, while I would prefer something popular (so well tested by other people) and new. If I only check the most downloaded filters it will return a lot of well-tested libraries, but they might be 5-year-old libraries using CommonJS and proto.

npm product manager Leo Balter responded, thanking Rodrigues for the suggestions and acknowledging the complexity of balancing transparency with usability. He noted that while additional filters could enhance the search experience, factors like maintenance are nuanced.

“Yes, we have just a few other filters like keyword: and maintainer: - I might need to publicly document those - but I'm internally thinking ways to improve how we see and what we should know about the packages,” Balter said. “Filters could definitely play a nice part here.

“On the other hand, maintenance (or the lack of) is a bit more complex. Some packages are self resolved / evergreen and might not need changes for years, so time without a new version does not necessarily reflect missing maintenance.”
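To make the ranking model described above concrete, here is an added Python sketch (not npm's own code) that applies keyword matching over name, description and keywords, a small deprioritization of entirely new packages, the four objective sort options, and the combined popularity-plus-recency score Rodrigues asked for. The package records, the one-week "entirely new" threshold and the two-year freshness decay are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 12, 5)  # the article's date, used as "now" for age calculations


@dataclass
class Package:
    name: str
    description: str
    keywords: tuple
    weekly_downloads: int
    dependents: int
    last_published: date


# Constructed sample records, not real registry data.
SAMPLE = [
    Package("esm-fetch", "modern fetch wrapper using ES modules", ("fetch", "esm"), 120_000, 340, date(2024, 11, 20)),
    Package("legacy-fetch", "fetch wrapper", ("fetch", "commonjs"), 900_000, 4_100, date(2019, 6, 1)),
    Package("fetch-wrapper-new", "fetch", (), 30, 0, date(2024, 12, 3)),
    Package("unrelated-tool", "cli tool", ("cli",), 50_000, 200, date(2024, 1, 10)),
]


def relevance(pkg, query):
    """Count query words found in the package name, description or keywords."""
    haystack = {pkg.name, *pkg.description.lower().split(), *pkg.keywords}
    return sum(1 for word in query.lower().split() if word in haystack)


def age_days(pkg):
    return (TODAY - pkg.last_published).days


def combined(pkg):
    """Popularity weighted by freshness: log-scaled downloads, decaying to zero after two years.
    Balter's caveat applies: an evergreen package with no recent release scores zero here."""
    freshness = max(0.0, 1 - age_days(pkg) / 730)
    return math.log10(pkg.weekly_downloads + 1) * freshness


SORT_KEYS = {
    # Relevance, minus a small penalty for packages published within the last week (assumed threshold).
    "relevance": lambda p, q: relevance(p, q) - (1 if age_days(p) < 7 else 0),
    "downloads": lambda p, q: p.weekly_downloads,
    "dependents": lambda p, q: p.dependents,
    "published": lambda p, q: p.last_published,
    "combined": lambda p, q: combined(p),
}


def search(pkgs, query, sort="relevance"):
    """Keyword-match filter, then order by the chosen sort key, highest first."""
    hits = [p for p in pkgs if relevance(p, query) > 0]
    return [p.name for p in sorted(hits, key=lambda p: SORT_KEYS[sort](p, query), reverse=True)]
```

Sorting by publish date alone puts the near-empty, two-day-old package first, while the combined score ranks the popular and recent package first and drops the five-year-old one to the bottom.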

Several npm package authors have reported that their packages are not visible in search results. Balter responded that npm is working on a fix so that more newly published packages appear in search results.

“It takes a bit of time for newly published packages to be indexed for search,” Balter said. “Saying that, we've been noticing our results are aggressively filtering out those recent and/or without much content (on the description and readme). We should have a patch landing soon supporting more packages to be featured on the results.”
