npm (Node Package Manager) is both a command-line tool, which comes bundled with Node.js, and an online registry. It lets you install, manage, and publish reusable JavaScript packages.
Every Node.js project has a package.json file that describes the project and its dependencies. Create one with:
npm init
Answer the prompts, or use the -y flag to accept all defaults:
npm init -y
A minimal package.json looks like this:
{
  "name": "my-app",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "start": "node index.js"
  },
  "dependencies": {}
}
Install a package and save it as a dependency:
npm install express
Install a development-only tool (not needed in production):
npm install --save-dev nodemon
Install a package globally (available system-wide as a CLI tool):
npm install -g typescript
| Section | Purpose | Example |
|---|---|---|
| dependencies | Required at runtime | express, lodash |
| devDependencies | Required during development | nodemon, jest, eslint |
When you install packages, npm downloads them into node_modules/. You should add this folder to .gitignore — it can be regenerated at any time from package.json by running:
npm install
The package-lock.json file records exact version numbers of every installed package, ensuring reproducible installs across environments. Commit this file to version control.
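Because the lockfile records where each package was fetched from (`resolved`) and its hash (`integrity`), it can be reviewed like any other committed file. The following is an added example, not part of the original lesson: it flags lockfile entries that were not fetched over HTTPS from the expected registry or that lack a sha512 hash, assuming the lockfileVersion 2/3 layout and `registry.npmjs.org` as the only allowed host (the function and constant names are chosen for this example).

```javascript
// Added example, not part of the lesson. auditLockfile, ALLOWED_REGISTRY_HOST
// and SAMPLE_LOCK are names chosen here; the sample values are constructed.
const ALLOWED_REGISTRY_HOST = "registry.npmjs.org";

function auditLockfile(lockText, allowedHost = ALLOWED_REGISTRY_HOST) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("no 'packages' map; expected lockfileVersion 2 or 3");
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Skip the project root (""), workspace sources and links, and bundled
    // dependencies: these legitimately have no resolved URL or integrity.
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    const report = (issue) => findings.push({ path, issue });
    let url = null;
    try {
      url = new URL(entry.resolved);
    } catch {
      report("missing or unparsable resolved URL");
    }
    if (url && url.protocol !== "https:") report(`fetched over ${url.protocol}`);
    if (url && url.hostname !== allowedHost) report(`unexpected host ${url.hostname}`);
    if (!entry.integrity) report("no integrity hash");
    else if (!entry.integrity.startsWith("sha512-")) report("integrity is not sha512");
  }
  return findings;
}

// Constructed lockfile: one clean entry, one fetched over http, one from
// another host with no integrity hash.
const SAMPLE_LOCK = JSON.stringify({
  name: "my-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/express": {
      version: "0.0.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/express/-/express-0.0.0.tgz" },
    "node_modules/nodemon": {
      version: "0.0.0", dev: true, integrity: "sha512-CONSTRUCTED",
      resolved: "http://registry.npmjs.org/nodemon/-/nodemon-0.0.0.tgz" },
    "node_modules/lodash": {
      version: "0.0.0",
      resolved: "https://mirror.example.invalid/lodash-0.0.0.tgz" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.issue}`);
```

To check a real project, pass the text of its package-lock.json to `auditLockfile` and treat any finding in a pull request that touches the lockfile as something to review before merging.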
The scripts section in package.json lets you define shortcut commands:
"scripts": {
  "start": "node index.js",
  "dev": "nodemon index.js",
  "test": "jest"
}
Run them with npm run:
npm run dev
npm run test
npm start
npm list # list installed packages
npm outdated # show outdated packages
npm update # update packages within semver range
npm uninstall lodash # remove a package
npm audit # check for security vulnerabilities
npm uses semantic versioning (semver): MAJOR.MINOR.PATCH. In package.json:
Understanding npm is essential for every Node.js developer. Nearly every project you work on will rely on third-party packages, and knowing how to manage them confidently keeps your projects healthy and secure.