NodeJSIntroduction to npm

Introduction to npm

npm is the default package manager for Node.js — and the largest software registry in the world, hosting over two million packages. It is three things at once: a registry (the online store of packages), a CLI (the npm command you run), and a format (the package.json manifest that describes a project). Mastering it is non-negotiable for real Node work.

Three meanings of "npm"

"npm" as…

What it is

Registry

The hosted database at registry.npmjs.org packages download from

CLI

The npm command installed alongside Node

Manifest format

The package.json schema every package uses

It ships with Node
Installing Node installs npm automatically — no separate download. Check both with `node -v` and `npm -v`. npm updates on its own release cadence, so its version differs from Node's.
Starting a project

npm init creates the package.json manifest that turns a folder into a real project. The -y flag accepts all defaults:

Bash
mkdir my-app && cd my-app
npm init -y        # creates package.json with defaults
npm init           # interactive — prompts for name, version, etc.
Wrote to /my-app/package.json:

{
  "name": "my-app",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": { "test": "echo \"Error: no test specified\" && exit 1" },
  "license": "ISC"
}

Every field is explained in package.json Explained.

Installing packages

Bash
npm install express          # add a runtime dependency
npm install --save-dev jest   # add a dev-only dependency (-D for short)
npm install                   # install everything in package.json

This creates two things: the node_modules folder (the actual code) and package-lock.json (the exact resolved versions). The difference between dependency types is covered in dependencies vs devDependencies.

What gets created

Artifact

Role

Commit to git?

package.json

Your declared dependencies & metadata

Yes

package-lock.json

The exact resolved dependency tree

Yes

node_modules/

The downloaded package code

No — gitignore it

Never commit node_modules
It can hold tens of thousands of files, is platform-specific for packages with native builds, and is fully reproducible from `package.json` + the lockfile. Add `node_modules` to `.gitignore` and let `npm install` rebuild it.
The most-used commands

Command

What it does

npm install <pkg>

Add and install a package

npm install

Install everything from package.json

npm ci

Clean, lockfile-exact install (for CI/production)

npm uninstall <pkg>

Remove a package

npm update

Update packages within their allowed ranges

npm run <script>

Run a script defined in package.json

npm audit

Report known vulnerabilities in the tree

npm ls

Print the installed dependency tree

The ecosystem mindset

npm's vast registry is its greatest strength and its biggest risk. Every package you install runs with your program's privileges, and pulls in its dependencies too — a small app can easily have hundreds of transitive packages:

  • Lean on it — do not rebuild battle-tested solutions (web frameworks, date math, validation).

  • But vet it — check maintenance, downloads, and known issues before adding a dependency.

  • Pin it — commit the lockfile so every machine and deploy gets identical code.

  • Audit it — run npm audit and keep dependencies current. See Dependency & Secret Security.

Next
Open up the manifest at the centre of it all: [package.json Explained](/nodejs/package-json).