NPM Package Registry Clone — Private Enterprise Software Distribution

Built a scalable, serverless package management system with automated quality scoring across 7 metrics, using AWS Lambda, S3, DynamoDB, and presigned-URL security.

Key Highlights

  • 8 REST endpoints with complete package lifecycle management (upload, download, search, update, reset)
  • Automated quality scoring across 7 metrics: ramp-up time, responsiveness, correctness, bus factor, license compliance, dependency pinning, and code review fraction
  • Serverless architecture scaling within AWS free tier with minimal operational overhead
  • Presigned-URL security for time-limited (10-minute) S3 access, avoiding Lambda 6MB payload limits
Tags: Cloud Architecture, Full-Stack, Software Engineering, Serverless

Tech Stack

TypeScript, Node.js, AWS Lambda, AWS S3, DynamoDB, API Gateway, GitHub Actions, Jest, Winston

System Architecture

The system was architected as a fully serverless application on AWS managed services, minimizing operational overhead while maintaining scalability and security.

Core Components:
  • API Gateway: RESTful endpoint routing with CORS configuration
  • AWS Lambda: 12+ serverless functions handling business logic (TypeScript/Node.js)
  • S3 Buckets: package storage, with access to objects only through presigned URLs
  • DynamoDB: two tables, one for package metadata and one for quality metrics
  • CloudWatch: centralized logging and monitoring

Key Features & Implementation Details

1. Package Upload with Security

Implemented a two-stage upload process using presigned S3 URLs:
  • Client requests an upload → Lambda generates a presigned upload URL valid for 10 minutes
  • Client uploads directly to S3 → an S3 event trigger invokes the metadata processor
  • Metadata processor writes the package info to DynamoDB

This keeps the package bytes out of the API Gateway/Lambda path, avoiding the 6 MB Lambda payload limit, and keeps the bucket private: the client never holds AWS credentials, and the URL it receives is good only for the signed object key, the signed operation, and the 10-minute window.

2. Automated Package Quality Scoring

Developed a rating system evaluating packages across 7 dimensions:
  • Ramp-up time (README quality, documentation)
  • Responsiveness (issue/PR response times via the GitHub API)
  • Correctness (test coverage, build status)
  • Bus factor (contributor distribution)
  • License compliance (SPDX validation)
  • Dependency pinning (security best practice: floating ranges let unexpected releases into a build)
  • Code review fraction (share of merged PRs that were reviewed)

Packages with an average score below 0.5 were automatically rejected during ingestion.

3. Search & Discovery

Implemented regex-based search across package names and descriptions using a DynamoDB Query, with a Scan fallback for patterns that cannot be narrowed by key. DynamoDB does not evaluate regular expressions itself, so the Query or Scan only produces the candidate items and the pattern is applied in Lambda. Because the pattern is user input to the regex engine, bounding its length and keeping the Lambda timeout short limits the cost of a pathological pattern.
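The two-stage upload above rests on what a presigned URL actually is. As an added example, not the project's code, here is a minimal Signature Version 4 query-string presigner for a single S3 PUT, built on Node's crypto so it runs offline. The bucket, key, region, credentials and clock are placeholders, and the helper names are assumptions for illustration; a deployment would call getSignedUrl from @aws-sdk/s3-request-presigner, which performs the same steps. Writing them out shows why the URL is time-limited and key-scoped: the method, host, key, date and X-Amz-Expires all go into the signed string, so none of them can be altered by the holder.

```typescript
import { createHash, createHmac } from "crypto";

export interface PresignInput {
  bucket: string;
  key: string;            // the one object key the client is allowed to write
  region: string;
  accessKeyId: string;
  secretAccessKey: string;
  expiresSeconds: number; // the registry hands out a 10-minute window (600 s)
  now: Date;              // injected clock so the output is deterministic and testable
}

// Constructed sample: placeholder credentials and a fixed clock, not real values.
export const SAMPLE_INPUT: PresignInput = {
  bucket: "registry-packages",
  key: "packages/lodash-4.17.21.zip",
  region: "us-east-1",
  accessKeyId: "AKIAEXAMPLEKEY",
  secretAccessKey: "example-secret-not-real",
  expiresSeconds: 600,
  now: new Date("2024-05-01T12:00:00Z"),
};

function sha256Hex(data: string): string {
  return createHash("sha256").update(data, "utf8").digest("hex");
}

function hmac(key: Buffer | string, data: string): Buffer {
  return createHmac("sha256", key).update(data, "utf8").digest();
}

// SigV4 requires RFC 3986 encoding; encodeURIComponent leaves !'()* unencoded.
function uriEncode(s: string): string {
  return encodeURIComponent(s).replace(/[!'()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// 2024-05-01T12:00:00.000Z -> 20240501T120000Z
function amzDate(d: Date): string {
  return d.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
}

// Presign a PUT to https://<bucket>.s3.<region>.amazonaws.com/<key> with an
// unsigned payload, the shape of an upload URL handed to a browser client.
export function presignPut(input: PresignInput): string {
  const date = amzDate(input.now);
  const day = date.slice(0, 8);
  const scope = day + "/" + input.region + "/s3/aws4_request";
  const host = input.bucket + ".s3." + input.region + ".amazonaws.com";
  const canonicalUri = "/" + input.key.split("/").map(uriEncode).join("/");

  // Every query parameter is covered by the signature, so the client cannot
  // change the key, the method, the date or the expiry without breaking it.
  const params: { [name: string]: string } = {
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "X-Amz-Credential": input.accessKeyId + "/" + scope,
    "X-Amz-Date": date,
    "X-Amz-Expires": String(input.expiresSeconds),
    "X-Amz-SignedHeaders": "host",
  };
  const canonicalQuery = Object.keys(params).sort()
    .map((k) => uriEncode(k) + "=" + uriEncode(params[k]))
    .join("&");

  const canonicalRequest = [
    "PUT", canonicalUri, canonicalQuery,
    "host:" + host + "\n",   // canonical headers block, newline-terminated
    "host",                  // signed headers
    "UNSIGNED-PAYLOAD",
  ].join("\n");
  const stringToSign = ["AWS4-HMAC-SHA256", date, scope, sha256Hex(canonicalRequest)].join("\n");

  // Signing key derivation: HMAC chain over date, region, service and terminator.
  const kDate = hmac("AWS4" + input.secretAccessKey, day);
  const kRegion = hmac(kDate, input.region);
  const kService = hmac(kRegion, "s3");
  const kSigning = hmac(kService, "aws4_request");
  const signature = hmac(kSigning, stringToSign).toString("hex");

  return "https://" + host + canonicalUri + "?" + canonicalQuery + "&X-Amz-Signature=" + signature;
}

// The validity window is carried in the URL itself (X-Amz-Date + X-Amz-Expires),
// so either side can tell when it lapses without a call to S3.
export function presignedUrlExpiresAt(url: string): Date {
  const q = new URL(url).searchParams;
  const d = q.get("X-Amz-Date") || "";
  const seconds = Number(q.get("X-Amz-Expires") || "0");
  const iso = d.slice(0, 4) + "-" + d.slice(4, 6) + "-" + d.slice(6, 8) + "T" +
    d.slice(9, 11) + ":" + d.slice(11, 13) + ":" + d.slice(13, 15) + "Z";
  return new Date(Date.parse(iso) + seconds * 1000);
}

export function isExpired(url: string, now: Date): boolean {
  return now.getTime() >= presignedUrlExpiresAt(url).getTime();
}
```

The secret never leaves the Lambda: the client receives only the derived signature, and S3 recomputes it server-side from the same inputs. Two caveats a practitioner will want: a presigned URL cannot grant more than the signer holds, so the Lambda's execution role must itself be allowed s3:PutObject on that key and nothing wider; and S3 caps X-Amz-Expires at seven days, so the 10-minute window is a deliberate tightening, not the default.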
Screenshot: NPM registry web frontend

Development Process & Challenges

CI/CD Pipeline: established a GitHub Actions workflow automating:
  • Jest unit tests (targeting 80%+ coverage)
  • TypeScript compilation and linting
  • Automated deployment to AWS (Lambda, S3, DynamoDB)
  • RESTler API fuzzing driven by the OpenAPI spec

Major Technical Challenge: Integration Issues. Mid-project, we switched from AWS Amplify to manual GitHub Actions deployment because HTTPS/HTTP (mixed-content) conflicts broke frontend-backend communication. This required re-architecting the deployment pipeline but ultimately gave better control and reliability.

Team Collaboration: worked in a 4-person team using Agile methodology:
  • Weekly sprints with Discord standups
  • Git feature branching with PR reviews
  • Shared AWS account with IAM role separation
  • Documentation in the GitHub Wiki

Security Analysis (STRIDE Model)

Conducted threat modeling against the six STRIDE categories:
  • Spoofing: API-key authentication on the API, with per-request X-Authorization tokens planned
  • Tampering: HTTPS for all communication; S3 writes only through presigned URLs bound to one object key, one operation and a 10-minute window
  • Repudiation: CloudWatch logging of API and Lambda activity for audit trails
  • Information Disclosure: IAM policies restricting DynamoDB access; package objects reachable only via presigned URLs
  • Denial of Service: API Gateway rate limiting (not fully implemented)
  • Elevation of Privilege: AWS IAM roles following the principle of least privilege
Screenshot: GitHub Actions CI/CD pipeline execution

Screenshot: WCAG accessibility test results

Outcomes & Lessons Learned

Successfully delivered a functional package registry demonstrating:
  • Serverless architecture design and implementation
  • RESTful API development with proper HTTP semantics
  • Cloud infrastructure management (IaC principles)
  • Security-first design with threat modeling
  • Team collaboration in a complex software engineering project

Key Lesson: integration testing should be prioritized earlier in development. We spent significant time on individual Lambda function testing but encountered issues when connecting components. Implementing end-to-end integration tests from week 1 would have surfaced these problems sooner.

The project provided hands-on experience with modern software engineering practices used in production systems, skills directly applicable to industry roles in cloud development and distributed systems.

Overview

Build a scalable, secure, private package management system for enterprise use that evaluates and stores software packages with automated quality metrics, access controls, and a web-based interface—essentially creating a private alternative to the public npm registry. Designed and implemented a serverless architecture on AWS with 8 RESTful API endpoints supporting full CRUD operations for package management. Developed Lambda functions in TypeScript for package ingestion with automated quality scoring, upload/download via presigned S3 URLs, regex-based search, and cost calculation. Implemented comprehensive CI/CD pipeline using GitHub Actions for automated testing, security scanning (RESTler), and deployment. Built responsive web frontend with S3 static hosting and integrated ADA-compliant UI (WCAG 2.1 AA).

Impact & Results

  • Packages below 0.5 average score automatically rejected during ingestion
  • Comprehensive STRIDE threat model analysis with IAM policies and CloudWatch audit trails
  • CI/CD pipeline with Jest unit testing (80%+ coverage), TypeScript linting, and RESTler security testing
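How the seven metrics listed above become the single accept-or-reject decision at ingestion, as an added example that is not the project's scorer. The page states only the metric names and the 0.5 rejection threshold; the scales used here (1500 README words, a 30-day responsiveness floor, five contributors for a full bus-factor score, the SPDX allowlist, and what counts as a pinned version) are assumptions chosen for illustration. The input is a constructed record of facts already gathered from GitHub and package.json, so it runs offline.

```typescript
export interface PackageFacts {
  readmeWords: number;                 // ramp-up time: documentation volume
  hasInstallSection: boolean;          // ramp-up time: README has an Installation or Usage section
  medianIssueResponseHours: number;    // responsiveness (the real system pulls this from the GitHub API)
  testCoverage: number;                // correctness: 0..1 from the CI coverage report
  buildPassing: boolean;               // correctness
  commitsByAuthor: { [author: string]: number }; // bus factor
  license: string | undefined;         // SPDX identifier from package.json, if any
  dependencies: { [name: string]: string };      // dependency pinning: name -> version spec
  mergedPullRequests: number;          // code review fraction
  reviewedPullRequests: number;        // merged PRs that carried an approving review
}

export interface Scorecard {
  rampUp: number;
  responsiveness: number;
  correctness: number;
  busFactor: number;
  license: number;
  dependencyPinning: number;
  codeReview: number;
  average: number;
  accepted: boolean;
}

// Constructed sample facts for a reasonably healthy package (not a real project).
export const SAMPLE_HEALTHY: PackageFacts = {
  readmeWords: 3000, hasInstallSection: true, medianIssueResponseHours: 12,
  testCoverage: 0.9, buildPassing: true,
  commitsByAuthor: { alice: 40, bob: 35, carol: 25 }, license: "MIT",
  dependencies: { lodash: "4.17.21", express: "~4.18.2", chalk: "^5.0.0" },
  mergedPullRequests: 20, reviewedPullRequests: 18,
};

const clamp01 = (x: number): number => Math.max(0, Math.min(1, x));

// Assumed enterprise allowlist of SPDX identifiers; anything else, or no license, scores 0.
const ALLOWED_LICENSES = ["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
  "LGPL-2.1-only", "LGPL-2.1-or-later"];

// A spec counts as pinned when it fixes at least major.minor: "4.17.21", "=1.2.3",
// "~4.18.2" and "1.2.x". Caret ranges, "*", "latest", bare majors, dist-tags and
// git/URL specs float, which is what lets an unexpected release into a build.
export function isPinned(spec: string): boolean {
  return /^[~=]?\d+\.\d+(\.(\d+|x)(-[0-9A-Za-z.-]+)?)?$/.test(spec.trim());
}

// Fewest contributors whose commits exceed half the history, scaled so that five
// or more such contributors is a full score (assumed scale).
export function busFactor(commitsByAuthor: { [author: string]: number }): number {
  const counts = Object.keys(commitsByAuthor).map((a) => commitsByAuthor[a]).sort((a, b) => b - a);
  let total = 0;
  for (const c of counts) total += c;
  if (total === 0) return 0;
  let acc = 0;
  let n = 0;
  for (const c of counts) {
    acc += c;
    n += 1;
    if (acc * 2 > total) break;
  }
  return clamp01(n / 5);
}

export function scorePackage(f: PackageFacts): Scorecard {
  // Assumed scale: 1500 README words is "enough"; a missing install section halves the score.
  const rampUp = clamp01(f.readmeWords / 1500) * (f.hasInstallSection ? 1 : 0.5);
  // Full score for a median response within a day, zero at 30 days or worse.
  const responsiveness = clamp01(1 - (f.medianIssueResponseHours - 24) / (30 * 24 - 24));
  const correctness = f.buildPassing ? clamp01(f.testCoverage) : 0;
  const bus = busFactor(f.commitsByAuthor);
  const license = f.license !== undefined && ALLOWED_LICENSES.indexOf(f.license) >= 0 ? 1 : 0;
  const specs = Object.keys(f.dependencies).map((name) => f.dependencies[name]);
  const dependencyPinning = specs.length === 0 ? 1 : specs.filter(isPinned).length / specs.length;
  const codeReview = f.mergedPullRequests === 0 ? 0 : clamp01(f.reviewedPullRequests / f.mergedPullRequests);

  const metrics = [rampUp, responsiveness, correctness, bus, license, dependencyPinning, codeReview];
  let sum = 0;
  for (const m of metrics) sum += m;
  const average = sum / metrics.length;
  // The page's ingestion rule: an average below 0.5 rejects the package.
  return { rampUp, responsiveness, correctness, busFactor: bus, license,
    dependencyPinning, codeReview, average, accepted: average >= 0.5 };
}
```

Two design points worth noting for an enterprise registry: an unlicensed package scores 0 on compliance rather than "unknown", so it cannot be averaged into acceptance by strong scores elsewhere; and a package with no dependencies scores 1 on pinning, since there is nothing to float. If a single metric should be able to veto on its own (license is the usual candidate), that belongs in a separate gate before the average, not in the weights.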