What is Node Package Manager?

February 27,2021 - 8 min read
What is Node Package Manager?

Launched in 2009, Nodejs has become very popular amongst software developers as several systems have been built using Node.js. It would not be wrong to say that Nodejs has become the favourite choice for software engineers and technocrats across the globe.

There are a lot of reasons behind the success of Javascript and its related technology, however, a major factor of Nodejs’ success is Node Package Manager, popularly known as NPM. It is a package manager that allows JavaScript developers to quickly and easily share useful packages. It has facilitated the publication of millions of packages which is a quite a figure for any software tool. In this blog, we would dwell deep into the concept of the node package manager and hence understand what is NPM? Let’s begin.

What is NPM?

NPM is the default package manager for Node.js and consists of two main parts, a command line interface (CLI) and an online repository. CLI tool is used for publishing as well as downloading packages, on the other hand, an online repository hosts JavaScript packages. Let’s understand the concept of CLI and repositories in a more detailed and comprehensive manner.

Repository is like a fulfilment centre that receives different packages from authors and distributes these packages to the users of npm package. This process is facilitated by npm CLI and is assigned as personal assistants to each customer.

So, dependencies are delivered to JavaScript developers with the help of ‘npm install’ command. This command is used by the developers to install dependencies from the website and on the other hand, the process of publishing a Javascript package for the community uses the command ‘npm publish’.

Now we would extensively look at how Javascript developers can use different JavaScript packages in their projects and how passionate technocrats publish some cool libraries for the whole community to use and make interesting projects with the help of these packages and libraries.

One important point to consider is package.json. Every project in Javascript is basically an npm package with its own package information and its package.json job which describes the project. Package.json are like stamped labels that will be generated when npm init is run in order to initialise a JavaScript or Node.js project. Package.json has basic information or metadata provided by developers, for example, the name of the JavaScript library or project along with the version (useful when deploying an application), description and license of the project.

Along with this, scripts property is also supported by package.json. The scripts property is used to run command-line tools that are installed in the project's local context. The scripts part of an NPM projects consists of eslint, prettier, ncc, jest and other executables which are not global but installed local to your project in the node_modules/.bin/. npx allows the node_modeules command to run just like a globally installed program. The syntax includes prefixing the npx command.

The next important point to consider is that of dependencies and devDependencies. Both of them are in the form of key-value objects. The names of npm libraries are the keys and the semantic-formatted versions of these npm libraries are the values. You can look at an example of a TypeScript Action template to understand dependencies and devDependencies.

The npm install command with --save and --save-dev flags are used to install dependencies and devDependencies respectively. Dependencies are mainly used for production and devDependencies are used for development or test environments. In this blog, we will also look at the installation of these packages.

It is also important to understand some commands that come before the semantic versions. For example, ^ describes the latest minor release and ~ refers to the latest patch release. These versions of the package are documented in a package-lock.json file. The package-lock.json file describes the exact versions of the dependencies used in a particular npm JavaScript project. The package.json is like a generic file but the package-lock.json is a more descriptive and detailed label and just like every descriptive and detailed files, package-lock.json is not meant to be read line-by-line by Javascript developers until and unless somebody really wants to know about the complex issues of the working of a machine. The package-lock.json file is generated by the npm install command, more often than not. It is read by the NPM CLI tool in order to ensure the reproduction of build environments.

Using NPM

In this segment, we will discuss how one can effectively use NPM commands NPM in order to make the most of out of this technology. As mentioned earlier, there are millions of published packages and billions of downloads and hence it’s interesting to learn more about how learners, developers and technocrats can wield this powerful tool.

The first, probably the most important and the most commonly used command is ‘npm install’. The basic syntax of this command is npm install. This will invariably install the latest version of the particular package with the ^ version sign. This command within the particular npm project will download the required packages inside the project's node_modules folder.

Also, a global flag ‘-g’ can be specified if you want to install a package in global context and hence, they can be used globally across the machine. The NPM command has made the process of installing Javascript packages extensively easy and as a result, it is often used incorrectly too. This is where the --production flag is useful. We have earlier discussed the concept and usage of dependencies and devDependencies in production and development or test environment respectively, one important thing to remember is that developers should never bring devDependencies to production environment. The -production flag is integral in how the differences in node_modules are made as it greatly reduces the size of node_modules. The size is reduced by attaching the –production flag with the npm install command. The size becomes equal to what is necessary for the applications to be up and running.

Another crucial command is the npm ci which is optimal for local development as well as testing setup. We learned earlier that package-lock.json is generated whenever the command ‘npm install’ is called and does not exists invariably, similarly, npm ci downloads the exact version of each individual package depending on the project and hence the context of the project stays exactly the same across different machines. It’s the same whether it is developer’s local laptops used for development or Continuous Integration build environments, for example Github Actions.

The npm audit is another very useful command in the whole npm ecosystem. There are a very large number of npm packages that are published and installed and hence they are susceptible to bad authors with malicious intentions. The npm.js organisation realised that there is an issue in the ecosystem and hence came up with the npm audit. The npm audit command maintains a list of loopholes. This list can help developers as they can audit their dependencies against those loopholes using the npm audit command.

This command helps the developers to get all the information about the different types of vulnerabilities and whether there are versions with remediations to upgrade to. For example, if the remedy of the vulnerabilities is present in the next upgrade, npm audit helps in fixing the issue by automatically upgrading the version of the dependencies that are affected by vulnerabilities.

Now that we have extensively looked at NPM from a perspective of a user of NPM packages and libraries. In other words, we have studied NPM as a developer making Javascript projects. In the next segment, we will see how one can effectively use NPM command as a seller or a publisher of npm packages and libraries. Let’s start!

NPM for Sellers

In this segment, we will go through how to wield the NPM CLI tool as an author and how to use it effectively in order to potentially become an open source wizard someday.

We read about the command, npm install when discussing the npm commands for developers. When talking about NPM for authors, the command ‘npm publish’ is probably the most important. With npm publish, it is easy to send packages to the nmpjs.com fulfilment centre as only the command needs to be run.

However, how to determine the version of the package is not specific to npm package authors. One probable solution to this and a trick to remember is that when making incompatible API changes, use a Major version, a minor one, when adding functionality in a backward compatible manner, and a Patch version when fixing backwards compatible bugs. It’s important for authors to follow this rule when publishing their packages in order to ensure someone’s code is not affected negatively as the default version matching in npm is only the next minor version.

The blog was written with the intention to explain the concept of node package manager and its use and importance for both Javascript developers and authors across the world. We hope the concept is clear and you are excited to start your journey with Nodejs and Node Package Manager.

Also, if you wish to become a proficient web developer and grab a job as a web developer in your dream company, we suggest you take a professional web development course. A course will inculcate the right professional and technical skills in you that will help you start your journey in technology.

One course that might benefit you the most is Konfinity’s Web Development Course The course is well-researched and is one of the most beneficial training courses out there. It is developed by experts from IIT DELHI in collaboration with tech companies like Google, Amazon and Microsoft. It is trusted by students and graduates from IIT, DTU, NIT, Amity, DU and more.

We encourage technocrats like you to join the course to master the art of creating web applications by learning the latest technologies, right from basic HTML to advanced and dynamic websites, in just a span of a few months.

Konfinity is a great platform for launching a lucrative tech career. We will get you started by helping you get placed in a high paying job. One amazing thing about our course is that no prior coding experience is required to take up our courses. Start your free trial here.