# npm — The Node.js Package Manager

> Practical guide to npm — install packages, manage package.json and lockfiles, run scripts and update dependencies safely.

Source: https://www.jpkc.com/db/en/cheatsheets/package-managers/npm/

npm is the default package manager for Node.js, and it ships with every Node installation. It reads your project's `package.json`, resolves dependencies and pins them reproducibly in the `package-lock.json` – pulling the actual packages from the central npm registry. Beyond installing, npm runs the scripts defined in your `package.json`, so building, testing and starting a project each come down to a single command. This guide walks you through the commands you reach for daily, from your first `npm init` to publishing a package of your own.

## Package Management

`npm init` — Create a new package.json file interactively.

`npm init -y` — Create a package.json with default values without prompts.

`npm install` — Install all dependencies listed in package.json.

`npm install <package>` — Install a package and add it to dependencies.

```bash
npm install express
```

`npm install -D <package>` — Install a package as a dev dependency.

```bash
npm install -D jest
```

`npm install -g <package>` — Install a package globally on your system.

```bash
npm install -g typescript
```

`npm install <package>@<version>` — Install a specific version of a package.

```bash
npm install react@18.2.0
```

`npm uninstall <package>` — Remove a package and update package.json.

```bash
npm uninstall express
```

`npm update` — Update all packages to the latest version matching the semver range.

`npm update <package>` — Update a specific package.

```bash
npm update express
```

## Information & Listing

`npm list` — Show installed packages as a dependency tree.

`npm list --depth=0` — Show only top-level installed packages.

`npm list -g --depth=0` — Show globally installed packages.

`npm outdated` — Check which packages have newer versions available.

`npm view <package>` — Show detailed info about a package from the registry.

```bash
npm view express
```

`npm view <package> versions` — List all available versions of a package.

```bash
npm view express versions
```

`npm search <keyword>` — Search the npm registry for packages.

```bash
npm search markdown parser
```

## Scripts

`npm run <script>` — Run a script defined in package.json.

```bash
npm run build
```

`npm start` — Run the start script (shorthand for npm run start).

`npm test` — Run the test script (shorthand for npm run test).

`npm run` — List all available scripts in the current package.

## Configuration

`npm config list` — Show all npm configuration settings.

`npm config set <key> <value>` — Set a config value.

```bash
npm config set registry https://registry.npmjs.org/
```

`npm config get <key>` — Get a config value.

```bash
npm config get registry
```

`npm config delete <key>` — Delete a config value.

```bash
npm config delete proxy
```

## Cache & Cleanup

`npm cache clean --force` — Clear the npm cache. Useful when packages fail to install.

`npm cache verify` — Verify the integrity of the cache.

`npm prune` — Remove extraneous packages not listed in package.json.

`npm dedupe` — Reduce duplication by moving dependencies higher in the tree.

## npx

`npx <command>` — Execute a package binary without installing it globally.

```bash
npx create-react-app my-app
```

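`npx -p <package>@<version> <command>` — Run a command from a specific version of a package. The `-p` flag is required when the binary name (`tsc`) differs from the package name (`typescript`).

```bash
npx -p typescript@5.0 tsc --init
```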

`npx -p <package> <command>` — Install a package temporarily and run a command from it.

```bash
npx -p typescript tsc --version
```

## Audit & Security

`npm audit` — Check installed packages for known security vulnerabilities.

`npm audit fix` — Automatically fix vulnerable dependencies where possible.

`npm audit fix --force` — Fix vulnerabilities, allowing major version updates that may include breaking changes.

`npm audit --json` — Output audit results as JSON for programmatic processing.
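
Added example (not from the original page): one way to process `npm audit --json` programmatically is to sort findings by what `npm audit fix` can do about them: fixable within the semver range, fixable only with `--force`, or not fixable. It assumes the report format of npm 7 and later (`auditReportVersion: 2`); the sample report and its package names are constructed.

```javascript
// Triage `npm audit --json` output (auditReportVersion 2, npm 7+).
// SAMPLE_REPORT is constructed; package names and titles are placeholders.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ title: 'Constructed advisory title', severity: 'high', range: '<2.1.4' }],
      range: '<2.1.4', fixAvailable: true,
    },
    'example-framework': {
      name: 'example-framework', severity: 'critical', isDirect: true,
      via: ['example-template'], range: '<=3.9.0', // string = vulnerable via a dependency
      fixAvailable: { name: 'example-framework', version: '4.0.0', isSemVerMajor: true },
    },
    'example-template': {
      name: 'example-template', severity: 'critical', isDirect: false,
      via: [{ title: 'Constructed advisory title', severity: 'critical', range: '*' }],
      range: '*', fixAvailable: false,
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: false,
      via: [{ title: 'Constructed advisory title', severity: 'low', range: '<1.0.3' }],
      range: '<1.0.3', fixAvailable: true,
    },
  },
});

// Group findings at or above `minSeverity` by the kind of fix npm reports.
function triageAudit(reportJson, minSeverity = 'high') {
  const report = JSON.parse(reportJson);
  if (report.auditReportVersion !== 2) throw new Error('unsupported audit report format');
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const result = { safeFix: [], needsForce: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    // Fail closed: an unrecognised severity is treated as critical.
    if ((SEVERITY_RANK[vuln.severity] ?? 4) < threshold) continue;
    const fix = vuln.fixAvailable;
    if (!fix) result.noFix.push(name);
    else if (typeof fix === 'object' && fix.isSemVerMajor) result.needsForce.push(name);
    else result.safeFix.push(name);
  }
  return result;
}

console.log(triageAudit(SAMPLE_REPORT));
```

In CI, feed the function the captured output of `npm audit --json` and fail the job when `needsForce` or `noFix` is non-empty, since those findings need a human decision.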

## Publishing

`npm login` — Authenticate with the npm registry.

`npm publish` — Publish the current package to the npm registry.

`npm publish --access public` — Publish a scoped package as public.

```bash
npm publish --access public
```

`npm version <type>` — Bump the package version (patch, minor, or major).

```bash
npm version patch
```

`npm unpublish <package>@<version>` — Remove a specific version from the registry.

```bash
npm unpublish my-package@1.0.0
```

`npm pack` — Create a tarball of the package for local testing.

## Conclusion

npm is already present on every Node.js system and covers the entire lifecycle of a JavaScript project – from the first dependency to a published package. Security deserves attention, because the supply chain is a favourite attack target: `npm install` runs the install scripts of third-party packages, so pass `--ignore-scripts` for sources you don't trust. For reproducible builds in CI and deployment, prefer `npm ci` over `npm install` – it installs exactly what the `package-lock.json` records. Check dependencies regularly with `npm audit`, pin versions where reproducibility matters, and avoid installing global packages with `sudo` – a Node version manager keeps permissions and your PATH cleaner.
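
Added example (not part of the original cheatsheet): before installing a project you did not write, this Node.js function lists which locked packages declare install scripts, resolve from somewhere other than the expected registry, or lack an integrity hash. It relies on the `packages` map and `hasInstallScript` field of `package-lock.json` (lockfileVersion 2 or 3); the sample lockfile, package names, host and hashes are constructed placeholders.

```javascript
// Lint a package-lock.json (lockfileVersion 2 or 3) before running an install.
// SAMPLE_LOCK is constructed; names, versions, host and hashes are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-2.3.1.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/example-native': {
      version: '0.9.0',
      resolved: 'https://registry.npmjs.org/example-native/-/example-native-0.9.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true, // npm records this when the package declares install scripts
    },
    'node_modules/example-fork': {
      version: '1.0.0',
      resolved: 'git+ssh://git@git.example.invalid/team/example-fork.git#0000000',
    },
  },
});

function lintLockfile(lockJson, registry = 'https://registry.npmjs.org/') {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error('lockfileVersion 2 or 3 required (no "packages" map)');
  const findings = { installScripts: [], offRegistry: [], missingIntegrity: [] };
  for (const [key, pkg] of Object.entries(lock.packages)) {
    // Skip the root project, workspace links and bundled dependencies.
    if (key === '' || pkg.link || pkg.inBundle) continue;
    const name = key.split('node_modules/').pop(); // handles nested and scoped paths
    if (pkg.hasInstallScript) findings.installScripts.push(name);
    // The trailing slash in `registry` stops look-alike host prefixes from matching.
    if (!pkg.resolved || !pkg.resolved.startsWith(registry)) findings.offRegistry.push(name);
    if (!pkg.integrity) findings.missingIntegrity.push(name);
  }
  return findings;
}

console.log(lintLockfile(SAMPLE_LOCK));
```

Packages listed under `installScripts` are the ones whose scripts `npm ci --ignore-scripts` would skip, so review them first and rebuild only those you trust.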

## Further Reading

- [npm Docs](https://docs.npmjs.com/) – official documentation for the npm CLI, package.json and registry
- [npmjs.com](https://www.npmjs.com/) – the public npm registry for searching and publishing packages
- [Node.js](https://nodejs.org/) – the runtime that ships with npm


