npm — The Node.js Package Manager

Practical guide to npm — install packages, manage package.json and lockfiles, run scripts and update dependencies safely.

npm is the default package manager for Node.js, and it ships with every Node installation. It reads your project's package.json, resolves dependencies and pins them reproducibly in the package-lock.json – pulling the actual packages from the central npm registry. Beyond installing, npm runs the scripts defined in your package.json, so building, testing and starting a project each come down to a single command. This guide walks you through the commands you reach for daily, from your first npm init to publishing a package of your own.

Package Management

npm init — Create a new package.json file interactively.

npm init -y — Create a package.json with default values without prompts.

npm install — Install all dependencies listed in package.json.

npm install <package> — Install a package and add it to dependencies.

npm install express

npm install -D <package> — Install a package as a dev dependency.

npm install -D jest

npm install -g <package> — Install a package globally on your system.

npm install -g typescript

npm install <package>@<version> — Install a specific version of a package.

npm install react@18.2.0

npm uninstall <package> — Remove a package and update package.json.

npm uninstall express

npm update — Update all packages to the latest version matching the semver range.

npm update <package> — Update a specific package.

npm update express

Information & Listing

npm list — Show installed packages as a dependency tree.

npm list --depth=0 — Show only top-level installed packages.

npm list -g --depth=0 — Show globally installed packages.

npm outdated — Check which packages have newer versions available.

npm view <package> — Show detailed info about a package from the registry.

npm view express

npm view <package> versions — List all available versions of a package.

npm view express versions

npm search <keyword> — Search the npm registry for packages.

npm search markdown parser

Scripts

npm run <script> — Run a script defined in package.json.

npm run build

npm start — Run the start script (shorthand for npm run start).

npm test — Run the test script (shorthand for npm run test).

npm run — List all available scripts in the current package.

Configuration

npm config list — Show all npm configuration settings.

npm config set <key> <value> — Set a config value.

npm config set registry https://registry.npmjs.org/

npm config get <key> — Get a config value.

npm config get registry

npm config delete <key> — Delete a config value.

npm config delete proxy

Cache & Cleanup

npm cache clean --force — Clear the npm cache. Useful when packages fail to install.

npm cache verify — Verify the integrity of the cache.

npm prune — Remove extraneous packages not listed in package.json.

npm dedupe — Reduce duplication by moving dependencies higher in the tree.

npx

npx <command> — Execute a package binary without installing it globally.

npx create-react-app my-app

npx <package>@<version> <command> — Run a specific version of a package.

npx typescript@5.0 tsc --init

npx -p <package> <command> — Install a package temporarily and run a command from it.

npx -p typescript tsc --version

Audit & Security

npm audit — Check installed packages for known security vulnerabilities.

npm audit fix — Automatically fix vulnerable dependencies where possible.

npm audit fix --force — Fix vulnerabilities even when that requires major version updates, which may introduce breaking changes.

npm audit --json — Output audit results as JSON for programmatic processing.
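An added example (not part of the original guide) of processing that JSON to gate a CI job on severity. The field names follow the report format of npm 7 and later (auditReportVersion 2); the function names and the sample report are constructed for illustration.

```javascript
// Added example: evaluate `npm audit --json` output against a severity threshold.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Map the report's fixAvailable field to the command that would apply the fix.
function fixCommand(fixAvailable) {
  if (!fixAvailable) return 'none';
  // true: a fix exists inside the ranges package.json already allows.
  if (fixAvailable === true) return 'npm audit fix';
  // object: the fix moves a top-level dependency outside its declared range.
  return 'npm audit fix --force';
}

function evaluateAudit(report, threshold = 'high') {
  const min = SEVERITIES.indexOf(threshold);
  if (min < 0) throw new Error(`unknown severity: ${threshold}`);
  const rank = (v) => SEVERITIES.indexOf(v.severity);
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => rank(v) >= min)
    .sort((a, b) => rank(b) - rank(a) || a.name.localeCompare(b.name))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect), // false means it arrives transitively
      fix: fixCommand(v.fixAvailable),
      breaking: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    }));
  return { pass: findings.length === 0, findings };
}

// Constructed sample report; package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-logger': { name: 'example-logger', severity: 'low', isDirect: true, fixAvailable: false },
    'example-server': { name: 'example-server', severity: 'high', isDirect: true,
      fixAvailable: { name: 'example-server', version: '5.0.0', isSemVerMajor: true } },
    'example-parser': { name: 'example-parser', severity: 'critical', isDirect: false, fixAvailable: true },
  },
};

const gate = evaluateAudit(SAMPLE_REPORT, 'high');
for (const f of gate.findings) {
  console.log(`${f.severity.padEnd(8)} ${f.name} direct=${f.direct} fix="${f.fix}" breaking=${f.breaking}`);
}
console.log(gate.pass ? 'audit gate: pass' : 'audit gate: FAIL');
```

In a pipeline, feed the parsed output of npm audit --json to evaluateAudit and fail the job when pass is false.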

Publishing

npm login — Authenticate with the npm registry.

npm publish — Publish the current package to the npm registry.

npm publish --access public — Publish a scoped package as public.

npm publish --access public

npm version <type> — Bump the package version (patch, minor, or major).

npm version patch

npm unpublish <package>@<version> — Remove a specific version from the registry.

npm unpublish my-package@1.0.0

npm pack — Create a tarball of the package for local testing.

Conclusion

npm is already present on every Node.js system and covers the entire lifecycle of a JavaScript project – from the first dependency to a published package. Security deserves attention, because the supply chain is a favourite attack target: npm install runs the install scripts of third-party packages, so pass --ignore-scripts for sources you don't trust. For reproducible builds in CI and deployment, prefer npm ci over npm install – it installs exactly what the package-lock.json records. Check dependencies regularly with npm audit, pin versions where reproducibility matters, and avoid installing global packages with sudo – a Node version manager keeps permissions and your PATH cleaner.
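To make the install-script and lockfile advice above concrete, here is an added example (not from the original guide) that reviews a package-lock.json before npm ci runs. It assumes lockfileVersion 2 or 3, where each entry in the packages map can carry hasInstallScript, resolved and integrity; reviewLockfile and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag lockfile entries that deserve a look before install.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
const MARKER = 'node_modules/';

function reviewLockfile(lock, registry = DEFAULT_REGISTRY) {
  if (!lock.packages) {
    throw new Error('no "packages" map: lockfileVersion 2 or 3 is required');
  }
  const report = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Skip the root project, workspace folders, symlinks and bundled copies.
    if (!path.includes(MARKER) || entry.link || entry.inBundle) continue;
    const flags = [];
    // Package declares install-time scripts that npm install would execute.
    if (entry.hasInstallScript) flags.push('install-script');
    // Without an integrity hash the tarball content is not pinned.
    if (!entry.integrity) flags.push('no-integrity');
    // Git URLs, plain tarball URLs or another registry.
    if (!String(entry.resolved || '').startsWith(registry)) flags.push('non-registry-source');
    if (flags.length > 0) {
      const name = path.slice(path.lastIndexOf(MARKER) + MARKER.length);
      report.push({ name, version: entry.version, flags });
    }
  }
  return report;
}

// Constructed sample lockfile; names, hashes and hosts are placeholders.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': { version: '2.1.0', integrity: 'sha512-PLACEHOLDER',
      resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-2.1.0.tgz' },
    'node_modules/example-native': { version: '4.0.2', integrity: 'sha512-PLACEHOLDER',
      resolved: 'https://registry.npmjs.org/example-native/-/example-native-4.0.2.tgz',
      hasInstallScript: true },
    'node_modules/example-fork': { version: '0.3.0',
      resolved: 'git+ssh://git@git.example.test/team/example-fork.git#PLACEHOLDER' },
    'node_modules/example-lib/node_modules/@scope/nested': { version: '1.0.0',
      integrity: 'sha512-PLACEHOLDER', hasInstallScript: true,
      resolved: 'https://registry.npmjs.org/@scope/nested/-/nested-1.0.0.tgz' },
  },
};

for (const item of reviewLockfile(SAMPLE_LOCK)) {
  console.log(`${item.name}@${item.version}: ${item.flags.join(', ')}`);
}
```

Entries flagged install-script are the ones --ignore-scripts would affect, so review them before allowing scripts in CI.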

Further Reading

  • npm Docs – official documentation for the npm CLI, package.json and registry
  • npmjs.com – the public npm registry for searching and publishing packages
  • Node.js – the runtime that ships with npm
  • apk – package manager for Alpine Linux
  • apt – high-level package management for Debian and Ubuntu
  • apt-get – classic package tool for Debian and Ubuntu