Introduction to npm
npm is the default package manager for Node.js — and the largest software registry in the world, hosting over two million packages. It is three things at once: a registry (the online store of packages), a CLI (the npm command you run), and a format (the package.json manifest that describes a project). Mastering it is non-negotiable for real Node work.
Three meanings of "npm"
"npm" as… | What it is |
|---|---|
Registry | The hosted database at registry.npmjs.org packages download from |
CLI | The |
Manifest format | The |
Starting a project
npm init creates the package.json manifest that turns a folder into a real project. The -y flag accepts all defaults:
mkdir my-app && cd my-app npm init -y # creates package.json with defaults npm init # interactive — prompts for name, version, etc.
Wrote to /my-app/package.json:
{
"name": "my-app",
"version": "1.0.0",
"main": "index.js",
"scripts": { "test": "echo \"Error: no test specified\" && exit 1" },
"license": "ISC"
}Every field is explained in package.json Explained.
Installing packages
npm install express # add a runtime dependency npm install --save-dev jest # add a dev-only dependency (-D for short) npm install # install everything in package.json
This creates two things: the node_modules folder (the actual code) and package-lock.json (the exact resolved versions). The difference between dependency types is covered in dependencies vs devDependencies.
What gets created
Artifact | Role | Commit to git? |
|---|---|---|
| Your declared dependencies & metadata | Yes |
| The exact resolved dependency tree | Yes |
| The downloaded package code | No — gitignore it |
The most-used commands
Command | What it does |
|---|---|
| Add and install a package |
| Install everything from package.json |
| Clean, lockfile-exact install (for CI/production) |
| Remove a package |
| Update packages within their allowed ranges |
| Run a script defined in package.json |
| Report known vulnerabilities in the tree |
| Print the installed dependency tree |
The ecosystem mindset
npm's vast registry is its greatest strength and its biggest risk. Every package you install runs with your program's privileges, and pulls in its dependencies too — a small app can easily have hundreds of transitive packages:
Lean on it — do not rebuild battle-tested solutions (web frameworks, date math, validation).
But vet it — check maintenance, downloads, and known issues before adding a dependency.
Pin it — commit the lockfile so every machine and deploy gets identical code.
Audit it — run
npm auditand keep dependencies current. See Dependency & Secret Security.