Introduction to npm
Why It Matters
npm is both a package registry and a command line tool. The registry hosts reusable JavaScript packages. The CLI installs packages, runs scripts, manages versions, and helps audit dependencies.
Most Node.js projects depend on npm concepts even if they use pnpm or Yarn instead of the npm CLI.
Core Concepts
package
A package is a directory with a package.json file. It may be an application, a library, a CLI, or an internal workspace package.
registry
The default npm registry is a public package host. Companies may also use private registries for internal packages.
node_modules
Installed packages are placed in node_modules for Node.js and tooling to resolve. You normally do not edit this directory or commit it to Git.
package-lock.json
The lockfile records exact resolved dependency versions. It makes installs more repeatable.
Syntax and Examples
Initialize a package:
npm init
npm init -yInstall a runtime dependency:
npm install expressInstall a development dependency:
npm install --save-dev vitestRun a package binary without installing globally:
npx cowsay "Hello npm"In modern npm, npm exec is the clearer command:
npm exec cowsay "Hello npm"Use Cases
npm helps with:
- Installing libraries
- Sharing packages
- Running project scripts
- Managing dependency versions
- Auditing known vulnerabilities
- Publishing CLIs and libraries
Tradeoffs
The npm ecosystem is powerful because reuse is easy. That same convenience creates risks:
- Too many dependencies increase attack surface.
- Package updates can introduce breaking changes.
- Transitive dependencies can be hard to inspect.
- Similar package names can be confusing.
Good Node.js developers treat dependencies as code they are choosing to run.
Common Mistakes
- Installing packages globally when a project dependency is better.
- Committing
node_modules. - Ignoring the lockfile in applications.
- Adding a package for a tiny task that built-in modules already solve.
- Running unknown package binaries without checking what they do.
Practical Challenge
Create a new folder, run npm init -y, install one runtime dependency and one dev dependency, then inspect how package.json, package-lock.json, and node_modules changed.
Recap
npm provides package installation, script execution, and registry access. It is central to Node.js development, but every dependency should be chosen intentionally and locked repeatably.