Package Managers
Node Package Manager - the default package manager for Node.js, consisting of a command line client and an online database of public and paid-for private packages
npm <command> [options]install, iInstall packages
Type: command
uninstall, unUninstall packages
Type: command
update, upUpdate packages
Type: command
runRun scripts defined in package.json
Type: command
initCreate a new package.json file
Type: command
list, lsList installed packages
Type: command
searchSearch for packages
Type: command
versionShow npm version
Type: command
accessSet access level on published packages
Type: command
adduserAdd a registry user account
Type: command
auditRun a security audit
Type: command
bugsBugs for a package in a web browser
Type: command
cacheManipulates packages cache
Type: command
ciInstall a project with a clean slate
Type: command
completionTab completion for npm
Type: command
configManage the npm configuration files
Type: command
dedupeReduce duplication
Type: command
deprecateDeprecate a version of a package
Type: command
diffThe registry diff command
Type: command
dist-tagModify package distribution tags
Type: command
docsDocs for a package in a web browser
Type: command
doctorCheck your environments
Type: command
editEdit an installed package
Type: command
execRun a command from an npm package
Type: command
explainExplain installed packages
Type: command
exploreBrowse an installed package
Type: command
find-dupesFind duplication in the package tree
Type: command
fundRetrieve funding information
Type: command
helpSearch npm help documentation
Type: command
help-searchGet help on npm
Type: command
install-ci-testInstall a project with a clean slate and run tests
Type: command
install-testInstall package(s) and run tests
Type: command
linkSymlink a package folder
Type: command
loginLogin to a registry user account
Type: command
logoutLog out of the registry
Type: command
orgManage orgs
Type: command
outdatedCheck for outdated packages
Type: command
ownerManage package owners
Type: command
packCreate a tarball from a package
Type: command
pingPing npm registry
Type: command
pkgManages your package.json
Type: command
prefixDisplay prefix
Type: command
profileChange settings on your registry profile
Type: command
pruneRemove extraneous packages
Type: command
publishPublish a package
Type: command
queryRetrieve a filtered list of packages
Type: command
rebuildRebuild a package
Type: command
repoOpen package repository page in the browser
Type: command
restartRestart a package
Type: command
rootDisplay npm root
Type: command
sbomGenerate a Software Bill of Materials (SBOM)
Type: command
shrinkwrapLock down dependency versions for publication
Type: command
starMark your favorite packages
Type: command
starsView packages marked as favorites
Type: command
startStart a package
Type: command
stopStop a package
Type: command
teamManage organization teams and team memberships
Type: command
testTest a package
Type: command
tokenManage your authentication tokens
Type: command
undeprecateUndeprecate a version of a package
Type: command
unpublishRemove a package from the registry
Type: command
unstarRemove an item from your favorite packages
Type: command
versionBump a package version
Type: command
--saveSave package as dependency
Type: option
--save-dev, -DSave package as dev dependency
Type: option
--global, -gInstall package globally
Type: option
--versionShow version number
Type: option
--help, -hShow help
Type: option
Install a package
npm install lodashInstall a package as dev dependency
npm install --save-dev jestInstall package globally
npm install -g create-react-appUpdate all packages
npm updateRun a script
npm run buildCheck npm version
npm --versionRun security audit
npm auditInitialize a new project
npm initSearch for packages
npm search reactJavaScript
npm (originally short for Node Package Manager) was created in 2010 by Isaac Z. Schlueter as a response to existing module packaging systems in the JavaScript ecosystem, which he considered to be inadequate. Schlueter was influenced by earlier tools such as PEAR for PHP and CPAN for Perl, and aimed to develop a lightweight, community-oriented package manager designed for the Node.js runtime.
npm was introduced as a more capable alternative to an earlier shell script-based tool named pm, which had limited features for managing Node.js packages. The first version of npm was released on January 12, 2010.
Over time, npm was increasingly adopted within the Node.js developer community. Its ease of use, speed, and ability to distribute reusable code contributed to its widespread usage as a package manager. It played a significant role in the development of the JavaScript ecosystem by enabling efficient dependency management and sharing of open-source libraries.
In 2014, the company npm, Inc. was established in Oakland, California by Schlueter and Laurie Voss to oversee the maintenance of the npm registry and to provide related services.
In March 2020, npm, Inc. was acquired by GitHub, a subsidiary of Microsoft. The acquisition was presented as a step toward improving the infrastructure of the npm registry and strengthening integration with GitHub's developer tools.
As of 2025, npm remains one of the most widely used software package registries, hosting a substantial number of open-source packages and serving billions of downloads on a regular basis.
npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.
In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version.
npm also provides the package-lock.json file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json.
The npx command, which is an acronym for Node Package eXecuter, executes packages without installing them.
npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.
Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. Over 3.1 million packages are available in the main npm registry.
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.
npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. Internally npm relies on the NoSQL CouchDB to manage publicly available data.
left-pad incident (2016): A package called left-pad was unpublished as the result of a naming dispute. The package was immensely popular, being depended on by thousands of projects including Babel and Webpack, causing widespread disruption.
flatmap-stream (2018): A malicious package was added as a dependency to the popular event-stream package, containing encrypted payload that stole bitcoins.
pac-resolver (2021): An npm package with over 3 million weekly downloads had a remote code execution vulnerability.
colors and faker (2022): The maintainer of popular packages pushed changes that broke them, including printing garbage text in an infinite loop.
peacenotwar (2022): A package that overwrites hard drives with heart emojis for users from certain countries was added as a dependency to protest the Russian invasion of Ukraine.
Supply chain attacks (2025): Multiple incidents including compromised packages with malware that intercepts cryptocurrency transactions, self-replicating worms, and token farming campaigns affecting hundreds of packages.