npm (Node Package Manager) is the default package manager for Node.js. It installs libraries and manages project configuration via package.json.

package.json Essentials

    {
      "name": "my-app",
      "version": "1.0.0",
      "description": "My Node.js application",
      "main": "index.js",
      "type": "module",
      "scripts": {
        "start": "node src/index.js",
        "dev": "node --watch src/index.js",
        "test": "node --test"
      },
      "dependencies": {
        "express": "^4.18.2"
      },
      "devDependencies": {
        "nodemon": "^3.0.0"
      },
      "engines": {
        "node": ">=18.0.0"
      }
    }

Installing Packages

    # Production dependency
    npm install express

    # Development dependency
    npm install --save-dev nodemon

    # Global CLI tool
    npm install -g nodemon

    # Install all dependencies from package.json
    npm install

Semantic Versioning

    Range     Meaning                                     Example
    ^4.18.2   Compatible with 4.x (minor/patch updates)   4.18.2 → 4.19.0 OK
    ~4.18.2   Patch updates only                          4.18.2 → 4.18.3 OK
    4.18.2    Exact version                               Always 4.18.2

npm Scripts

Run scripts defined in package.json:

    npm start
    npm run dev
    npm test
    npm run build

Custom scripts can be named freely (a colon is a common separator for variants of one task) and run with npm run <name>:

    {
      "scripts": {
        "dev": "node --watch src/index.js",
        "lint": "eslint src/",
        "lint:fix": "eslint src/ --fix"
      }
    }

npx

Run a package's CLI without installing it globally (npx downloads it into a cache if it is not already present locally):

    npx create-express-app my-api
    npx eslint src/

package-lock.json

Automatically generated — locks exact dependency versions for reproducible installs. Commit this file to version control.

Useful Commands

    npm list              # List installed packages
    npm outdated          # Check for updates
    npm update            # Update packages
    npm uninstall express # Remove a package
    npm audit             # Security vulnerability scan
    npm audit fix         # Auto-fix vulnerabilities

.npmrc

Project-level npm configuration (a .npmrc file in the project root):

    save-exact=true       # npm install writes exact versions, not ^ ranges
    engine-strict=true    # refuse to install when the "engines" field is not satisfied

Alternatives

  • yarn — Fast, reliable package manager
  • pnpm — Disk-efficient, strict dependency resolution

All three install from the same npm registry.

package-lock.json

Always commit package-lock.json to version control. It locks exact dependency versions so every developer and CI pipeline installs identical packages:

    npm ci          # install exactly what the lock file records (CI/CD); fails if it disagrees with package.json
    npm install     # resolve ranges and update the lock file when adding packages

Never run npm install in production — use npm ci for reproducible builds.

Semantic Versioning

    {
      "dependencies": {
        "express": "^4.18.0",
        "lodash": "~4.17.21",
        "react": "18.2.0"
      }
    }

  • ^4.18.0 — compatible with 4.x (minor/patch updates)
  • ~4.17.21 — patch updates only
  • 18.2.0 — exact version pinned

(JSON does not allow comments, so the meaning of each range is listed separately above.)

Run npm outdated to check for available updates. Use npm audit fix cautiously: it can bump dependency versions, so review the resulting changes to package-lock.json for breaking changes before committing.
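The two sections above (package-lock.json and Semantic Versioning) describe a property worth checking mechanically: the version the lock file records for each dependency must still fall inside the range package.json declares, or npm ci will refuse to install. The following is an added example, not code from the page; it implements only the ^, ~ and exact forms from the table, assumes plain x.y.z versions and the lockfileVersion 3 "packages" layout, and runs on constructed sample data instead of real files.

```javascript
// Added example: does every locked version satisfy its declared range?
// Assumes plain x.y.z versions (no prerelease tags) and a lockfileVersion 3
// lock file whose "packages" map is keyed "node_modules/<name>".
const parse = (v) => v.split('.').map(Number);

function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const [rMaj, rMin, rPat] = parse(range.slice(op.length));
  const [maj, min, pat] = parse(version);
  const cmp = (maj - rMaj) || (min - rMin) || (pat - rPat);
  if (cmp < 0) return false;                            // below the range floor
  if (op === '^') {                                     // caret: left-most non-zero part fixed
    if (rMaj > 0) return maj === rMaj;
    if (rMin > 0) return maj === 0 && min === rMin;
    return cmp === 0;                                   // ^0.0.x pins exactly
  }
  if (op === '~') return maj === rMaj && min === rMin;  // tilde: patch updates only
  return cmp === 0;                                     // exact version
}

// Returns human-readable findings; an empty array means the lock file agrees
// with package.json and npm ci would install what the manifest declares.
function checkLock(pkg, lock) {
  const findings = [];
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) { findings.push(`${name}: missing from package-lock.json`); continue; }
    if (!satisfies(range, entry.version)) {
      findings.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return findings;
}

// Constructed sample data standing in for the real package.json and package-lock.json.
const samplePkg = {
  dependencies: { express: '^4.18.2', lodash: '~4.17.21' },
  devDependencies: { nodemon: '3.0.1' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.19.2' },  // minor bump, allowed by ^
    'node_modules/lodash':  { version: '4.18.0' },  // minor bump, NOT allowed by ~
    'node_modules/nodemon': { version: '3.0.1' },   // exact match
  },
};
console.log(checkLock(samplePkg, sampleLock));
```

To run it against a real project, replace the two sample objects with JSON.parse of the files' contents.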

npm Scripts for Automation

    {
      "scripts": {
        "dev": "node --watch src/index.js",
        "build": "tsc",
        "start": "node dist/index.js",
        "test": "node --test",
        "lint": "eslint src/",
        "prepublishOnly": "npm test && npm run build"
      }
    }

Lifecycle hooks automate tasks around script execution: a pre<name> script runs automatically before npm run <name> and a post<name> script after it, and prepublishOnly runs before npm publish. Note that dependencies' own lifecycle scripts (for example postinstall) also run during npm install.

Private Packages and Scopes

    npm login --registry=https://npm.pkg.github.com
    npm publish --access restricted

Scoped packages (@myorg/utils) namespace internal libraries. Configure .npmrc for private registry authentication, but keep the token itself out of the committed project .npmrc: either let npm login store it in the user-level ~/.npmrc, or reference it from an environment variable (for example //npm.pkg.github.com/:_authToken=${NPM_TOKEN}).