Tuesday, 25 September 2018

Introduction to Node Package Manager (npm)

What is npm?

  • package manager
  • task runner that can serve as a replacement for Gulp

How to install npm?

Upon installation user variable Path (in environment variables) gets a new entry:

How to see command line arguments?

How to check its version?

How to update npm?

To verify it:


See here a complete definition of the package.

Node applications usually use (or depend on) multiple packages. There are three types of packages and each of them is listed within the object with the same name in package.json:

  • regular (dependencies) - used in development and in production
  • development (devDependencies) - packages used only during application development and testing; we don't want to include them in production and make users of our app unnecessarily download and build them
  • optional (optionalDependencies) - dependencies which are used optionally, if they are found; their absence does not cause the application to fail


npm gets its config settings from:

  • command line
  • environment variables
  • npmrc files
  • package.json file (in some cases)


Global (per machine) 

Location: C:\Users\user\AppData\Roaming\npm\etc\npmrc

To find its location use:

>npm config get globalconfig


Location:  %USERPROFILE%\.npmrc

To find its location use:

>npm config get userconfig

Local (per project) 

Location: in project's root directory.

It defines where npm can look for and fetch packages, by listing the URLs of package registries:

# use npmjs registry by default

# use xyz registry for packages in @xyz scope

After we change the registry URL in .npmrc, we need to do the following to force the resolved field of every package in package-lock.json to be set to the new domain:

  • delete node_modules
  • delete package-lock.json
  • run npm cache clean -f
  • run npm install
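
The result of these steps can be checked by comparing each resolved URL in package-lock.json against the registries configured in .npmrc. The following is an added example, not code from the original post; the registry URLs, the @xyz/ui package and the function names are constructed for illustration, and it assumes the lockfile's "packages" layout (lockfileVersion 2 or 3).

```javascript
// Constructed sample inputs (not from the original post).
const sampleNpmrc = `
# use npmjs registry by default
registry=https://registry.npmjs.org/
# use xyz registry for packages in @xyz scope
@xyz:registry=https://npm.xyz.example/
`;
const sampleLock = {
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/bunyan": {
      resolved: "https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz"
    },
    "node_modules/@xyz/ui": {
      resolved: "https://old-registry.example/@xyz/ui/-/ui-1.0.0.tgz"
    }
  }
};

// Map each scope (or "default") in an .npmrc to its registry host.
function parseRegistries(npmrcText) {
  const map = {};
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(?:(@[^:]+):)?registry\s*=\s*(\S+)$/);
    if (m) map[m[1] || "default"] = new URL(m[2]).host;
  }
  return map;
}

// Return lockfile entries whose "resolved" host is not the registry
// configured for their scope (falling back to the default registry).
function findStaleResolved(lock, registries) {
  const stale = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || entry.link) continue; // root project, local links
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const scope = name.startsWith("@") ? name.split("/")[0] : "default";
    const expected = registries[scope] || registries.default;
    const actual = new URL(entry.resolved).host;
    if (actual !== expected) stale.push({ name, expected, actual });
  }
  return stale;
}

console.log(findStaleResolved(sampleLock, parseRegistries(sampleNpmrc)));
```

An empty result means every locked package points at the registry configured for its scope; any entry listed still carries the old domain.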


It lets npm know what the name of your package is as well as what dependencies it uses.

It is created and initialized via the npm init command. This can be done retroactively: npm init can be executed for an already existing project, in which case it will only add a package.json file to it.

It is a manifest of your project that includes the packages and applications it depends on, information about its unique source control, and specific metadata like the project's name, description, and author. [source]

The biggest reason for using package.json to specify a project’s dependencies is portability. For example, when you clone someone else’s code, all you have to do is run npm i in the project root and npm will resolve and fetch all of the necessary packages for you to run the app. [source]

All modules from package.json are installed to ./node_modules/. [source] This is npm install's default behavior. [source]

npm opens and reads package.json from the current directory. If it can't find it, it issues an error like:

Working with package.json
package.json - Specifics of npm's package.json handling
Semantic Versioning
What's the difference between tilde(~) and caret(^) in package.json?



If the project contains a tool we want to call frequently (e.g. after every code change), we don't want to type its command every time. We can automate the process by adding a command within the scripts object. See Babel example.

-w instructs npm to watch for changes in the src folder. Every time you make a change to a file in src, this command is automatically executed.


Specifies alternative files to load in case bundling is done for the browser.

It is provided by a module author as a hint to javascript bundlers or component tools when packaging modules for client side use. [source]


"browser": {
  "vue": "vue/dist/vue.min.js"
}


package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. [package-lock.json - A manifestation of the manifest]

Is there a way to force npm to generate package-lock.json?
Shall package-lock.json be added to version control?

CLI commands

alias: login

>npm login
Username: bojan
Email: (this IS public) bojan@example.com

Logged in as bojan on https://registry.npmjs.org/.

When logging in for the first time, if %USERPROFILE%/.npmrc does not already exist, it will be created with content similar to this:


Used to add, list, or clean the npm cache folder.[npm-cache]
Try clearing the npm cache

cache clean

Cleans the npm cache.  Deletes all data out of the cache folder.

Used to update and edit the contents of the user and global npmrc files.
config get

Creates package.json. It is used when creating/initializing a package (not when installing it).

Installs in the local node_modules folder all dependencies listed in package.json.

install --production
npm will not install modules listed in devDependencies. Same applies when --production is omitted but the NODE_ENV environment variable is set to production.

install -g npm
Updates npm package itself.

install --save-dev package1 package2...
Installs packages locally (in the project's devDependencies).

Lists all packages installed locally (for the current project) and also their dependencies.

list --depth=0
Lists all packages installed locally but without their dependencies.


list -g
Lists all packages installed globally and also full path to the installation directory.
On Windows, that directory is: C:\Users\user\AppData\Roaming\npm.


list -g --depth=0
Lists globally installed packages but not their dependencies.


see adduser

run script_name
run-script script_name
Runs an arbitrary command (script) from a package's scripts key (scripts object in package.json). Optional argument: command. If no command is provided, it will list the available scripts (all properties of "scripts" object). [npm-run-script]

npm run allows you to pass arguments to the script you run by putting them after a double dash:
npm run script_name -- --arg1 --arg2

search search_terms...
Searches the registry for packages matching the search terms. [npm-search]

(short for run start)
npm runs the start script, which is a command defined under the scripts key in package.json. This command usually starts the application with special configuration options (all listed in package.json).

Uninstalls a package, completely removing everything npm installed on its behalf.
-S, --save: Package will be removed from your dependencies.
-D, --save-dev: Package will be removed from your devDependencies.
-O, --save-optional: Package will be removed from your optionalDependencies.

If all packages are uninstalled package.json contains empty dependency list:

"dependencies": {}

uninstall -g package_name
uninstall --global package_name
Uninstalls globally installed package

Updates local packages to the latest versions allowed by the version ranges specified in package.json with the syntax ^ ("compatible with") or ~ ("reasonably close to") (see here for explanation in detail). Installs missing packages. Changes package.json and package-lock.json.
npm install vs. update - what's the difference?
How do I update devDependencies in NPM?

update -g 
Updates global packages.

view package_name
Shows data about a package. This can be used to check whether a package actually exists: if the package doesn't exist, the message "404 Not found : package_name" is printed out. [npm-view]


    Products (tools, apps) used to come with a single package which contained both the core functionality and CLI.  Nowadays products are moving away from coupling the CLI and library together. The CLI now usually lives in the xxx-cli package.

    Installing package locally vs globally

    Sometimes it is better to install a package locally (project by project) than globally. There are a couple of reasons for this:
    • Different projects on the same machine can depend on different versions of the package allowing you to update them individually.
    • Not having an implicit dependency on the environment you are working in makes your project far more portable and easier to setup.

    Where to install development dependencies?

    Shall development dependencies (e.g. Rollup, Webpack, Browserify, Gulp...) be installed globally or locally? Looking at reasons listed in the previous paragraph it makes more sense to install them locally. Benefits:
    • if required, different versions of these tools can be used in different projects 
    • all required dependencies can be installed in one go with npm install. There is no need for extra steps for installing packages globally (which, in turn, might also require root or admin privileges opening potential security holes...)

    How to run locally installed packages?

    • use npx to run their binaries directly (usually for some quick demonstrations, not in the real-world projects)
    • add them to scripts section of package.json and call them via npm run
    • add them to gulpfile and then Gulp takes care of executing them

    How to quickly find the version of a package installed on the local machine?

    >npm list dtrace-provider
    my-app@0.1.0 C:\dev\my-app
    `-- web-ext@2.9.1
      `-- bunyan@1.8.12
        `-- dtrace-provider@0.8.7

    Use -g to look for package installed globally on the machine.

    Find the version of an installed npm package

    How to move installed package from production to dev?

    Move a module from devDependencies to dependencies in npm package.json

    npm install <module_name> --save-prod
    npm install <module_name> --save-dev


    Common npm mistakes
