npm

Package Managers

Node Package Manager - the default package manager for Node.js, consisting of a command line client and an online database of public and paid-for private packages

Usage

npm <command> [options]

Options

install, i

Install packages

Type: command

uninstall, un

Uninstall packages

Type: command

update, up

Update packages

Type: command

run

Run scripts defined in package.json

Type: command

init

Create a new package.json file

Type: command

list, ls

List installed packages

Type: command

search

Search for packages

Type: command

version

Show npm version

Type: command

access

Set access level on published packages

Type: command

adduser

Add a registry user account

Type: command

audit

Run a security audit

Type: command

bugs

Bugs for a package in a web browser

Type: command

cache

Manipulates packages cache

Type: command

ci

Install a project with a clean slate

Type: command

completion

Tab completion for npm

Type: command

config

Manage the npm configuration files

Type: command

dedupe

Reduce duplication

Type: command

deprecate

Deprecate a version of a package

Type: command

diff

The registry diff command

Type: command

dist-tag

Modify package distribution tags

Type: command

docs

Docs for a package in a web browser

Type: command

doctor

Check your environments

Type: command

edit

Edit an installed package

Type: command

exec

Run a command from an npm package

Type: command

explain

Explain installed packages

Type: command

explore

Browse an installed package

Type: command

find-dupes

Find duplication in the package tree

Type: command

fund

Retrieve funding information

Type: command

help

Search npm help documentation

Type: command

help-search

Get help on npm

Type: command

install-ci-test

Install a project with a clean slate and run tests

Type: command

install-test

Install package(s) and run tests

Type: command

link

Symlink a package folder

Type: command

login

Login to a registry user account

Type: command

logout

Log out of the registry

Type: command

org

Manage orgs

Type: command

outdated

Check for outdated packages

Type: command

owner

Manage package owners

Type: command

pack

Create a tarball from a package

Type: command

ping

Ping npm registry

Type: command

pkg

Manages your package.json

Type: command

prefix

Display prefix

Type: command

profile

Change settings on your registry profile

Type: command

prune

Remove extraneous packages

Type: command

publish

Publish a package

Type: command

query

Retrieve a filtered list of packages

Type: command

rebuild

Rebuild a package

Type: command

repo

Open package repository page in the browser

Type: command

restart

Restart a package

Type: command

root

Display npm root

Type: command

sbom

Generate a Software Bill of Materials (SBOM)

Type: command

shrinkwrap

Lock down dependency versions for publication

Type: command

star

Mark your favorite packages

Type: command

stars

View packages marked as favorites

Type: command

start

Start a package

Type: command

stop

Stop a package

Type: command

team

Manage organization teams and team memberships

Type: command

test

Test a package

Type: command

token

Manage your authentication tokens

Type: command

undeprecate

Undeprecate a version of a package

Type: command

unpublish

Remove a package from the registry

Type: command

unstar

Remove an item from your favorite packages

Type: command

version

Bump a package version

Type: command

--save

Save package as dependency

Type: option

--save-dev, -D

Save package as dev dependency

Type: option

--global, -g

Install package globally

Type: option

--version

Show version number

Type: option

--help, -h

Show help

Type: option

Examples

Install a package

npm install lodash

Install a package as dev dependency

npm install --save-dev jest

Install package globally

npm install -g create-react-app

Update all packages

npm update

Run a script

npm run build

Check npm version

npm --version

Run security audit

npm audit

Initialize a new project

npm init

Search for packages

npm search react

Language

JavaScript

History

npm (originally short for Node Package Manager) was created in 2010 by Isaac Z. Schlueter as a response to existing module packaging systems in the JavaScript ecosystem, which he considered to be inadequate. Schlueter was influenced by earlier tools such as PEAR for PHP and CPAN for Perl, and aimed to develop a lightweight, community-oriented package manager designed for the Node.js runtime.

npm was introduced as a more capable alternative to an earlier shell script-based tool named pm, which had limited features for managing Node.js packages. The first version of npm was released on January 12, 2010.

Over time, npm was increasingly adopted within the Node.js developer community. Its ease of use, speed, and ability to distribute reusable code contributed to its widespread usage as a package manager. It played a significant role in the development of the JavaScript ecosystem by enabling efficient dependency management and sharing of open-source libraries.

In 2014, the company npm, Inc. was established in Oakland, California by Schlueter and Laurie Voss to oversee the maintenance of the npm registry and to provide related services.

In March 2020, npm, Inc. was acquired by GitHub, a subsidiary of Microsoft. The acquisition was presented as a step toward improving the infrastructure of the npm registry and strengthening integration with GitHub's developer tools.

As of 2025, npm remains one of the most widely used software package registries, hosting a substantial number of open-source packages and serving billions of downloads on a regular basis.

Characteristics

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.

In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version.

npm also provides the package-lock.json file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json.

The npx command, which is an acronym for Node Package eXecuter, executes packages without installing them.

npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.

Registry

Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. Over 3.1 million packages are available in the main npm registry.

The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.

npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. Internally npm relies on the NoSQL CouchDB to manage publicly available data.

Package Controversies

left-pad incident (2016): A package called left-pad was unpublished as the result of a naming dispute. The package was immensely popular, being depended on by thousands of projects including Babel and Webpack, causing widespread disruption.

flatmap-stream (2018): A malicious package was added as a dependency to the popular event-stream package, containing encrypted payload that stole bitcoins.

pac-resolver (2021): An npm package with over 3 million weekly downloads had a remote code execution vulnerability.

colors and faker (2022): The maintainer of popular packages pushed changes that broke them, including printing garbage text in an infinite loop.

peacenotwar (2022): A package that overwrites hard drives with heart emojis for users from certain countries was added as a dependency to protest the Russian invasion of Ukraine.

Supply chain attacks (2025): Multiple incidents including compromised packages with malware that intercepts cryptocurrency transactions, self-replicating worms, and token farming campaigns affecting hundreds of packages.