liminfo

npm Reference

Free reference guide: npm Reference


About npm Reference

The npm Reference is a comprehensive cheat sheet covering the Node Package Manager commands and configuration that every JavaScript developer uses throughout their daily workflow. The Install section documents npm init and npm init -y for creating package.json, npm install (npm i) for installing all dependencies, npm i express for adding a specific package, npm i -D typescript for dev dependencies, npm install --save-exact for pinning to a precise version without a range prefix, npm install -g for global tools, npm uninstall for removing packages, and npm ci for clean lock-file-based installs in CI/CD pipelines.

The Scripts section covers how package.json scripts work in practice: npm run build/test/dev for invoking named scripts, npm start and npm test as shorthand aliases that omit the run keyword, pre/post script hooks (prebuild, postbuild) that execute automatically before and after a named script, npx for running packages without installing them globally (npx create-react-app, npx ts-node), and the scripts field structure for defining full project automation pipelines. The Packages section documents npm publish with scoped package support, npm pack for creating installable tarballs, npm link for local library development workflows, and npm info for inspecting registry metadata.

Versioning and security topics round out the reference. Semantic versioning ranges are explained with caret (^1.2.3 allows minor and patch updates), tilde (~1.2.3 allows patch-only updates), and exact version pinning. npm outdated shows which packages have newer versions available, and npm update applies allowed upgrades. Configuration is covered via .npmrc settings (registry, save-exact, engine-strict) and npm config commands. The security section explains npm audit for scanning dependency vulnerabilities and npm audit fix for automated remediation, plus the role of package-lock.json in ensuring reproducible builds. This reference is used by frontend developers, full-stack engineers, and DevOps engineers managing Node.js projects.

Key Features

  • npm install variants — regular, --save-exact, -D (devDeps), -g (global), and npm ci for CI
  • npm run scripts with pre/post hooks (prebuild, postbuild) and lifecycle automation
  • npx for running packages on demand without global installation
  • scripts field structure — dev, build, start, lint, test pipeline definition
  • npm publish, npm pack, npm link for package authoring and local dev workflows
  • Semantic versioning — caret (^), tilde (~), exact, range, and x-wildcard syntax
  • npm outdated, npm update, and npm info for registry metadata inspection
  • npm audit and npm audit fix for CVE scanning and automated vulnerability remediation

Frequently Asked Questions

What is the difference between npm install and npm ci?

npm install reads package.json and, when a package-lock.json exists and agrees with it, installs the versions recorded in the lockfile; only when the lockfile is missing or out of date does it resolve the newest versions that satisfy the semver ranges and rewrite package-lock.json. npm ci deletes node_modules first, then installs exactly what package-lock.json records without any resolution, and it fails if the lockfile and package.json disagree instead of silently updating either one. Use npm ci in CI/CD pipelines and Docker builds for reproducible, faster installs. Use npm install locally when you want to add or update packages, and review the resulting package-lock.json diff in code review like any other change, because the lockfile decides what npm ci will install.

What is the difference between dependencies and devDependencies?

dependencies are packages required at runtime when your code runs in production. devDependencies are only needed during development and build: type definitions, linters, test frameworks, bundlers, and compilers. When NODE_ENV=production is set, or when you pass npm install --omit=dev (the older --production flag is deprecated since npm 8), devDependencies are skipped. Add runtime packages with npm i package and development tools with npm i -D package. Keeping the split honest matters for security as well as image size: fewer packages in the production tree means fewer packages that npm audit has to report on and fewer install scripts that run on the production host.

What does the caret (^) mean in package.json versions?

The caret ^ allows updates that do not change the leftmost non-zero component of the version. ^1.2.3 means >=1.2.3 <2.0.0, any minor or patch update within major version 1. ^0.2.3 means >=0.2.3 <0.3.0, because 2 is the leftmost non-zero component, so only patch updates are allowed; ^0.0.3 means >=0.0.3 <0.0.4, which is effectively an exact pin. The tilde ~ is more conservative for versions at or above 1.0.0: ~1.2.3 means >=1.2.3 <1.3.0, only allowing patch updates. Use --save-exact or set save-exact=true in .npmrc to omit the caret entirely; in either case package-lock.json, not the range, is what fixes the installed version for npm ci.
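The caret and tilde rules above, worked through in code. This is an added example, not part of the npm Reference page or of npm itself; it implements only plain X.Y.Z ranges (the real semver package handles far more syntax) so that the bounds a range expands to can be read off directly.

```javascript
// Added example: compute the bounds that npm's caret (^) and tilde (~) ranges
// expand to. Only plain X.Y.Z ranges are supported; this is not the semver
// package, just the rule "the caret may not change the leftmost non-zero
// component" and "the tilde may not change the minor component".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain X.Y.Z version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns { min, maxExclusive } for '^1.2.3', '~1.2.3' or an exact '1.2.3'.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const min = parseVersion(op ? range.slice(1) : range);
  const [major, minor, patch] = min;
  let maxExclusive;
  if (op === '^') {
    // Bump the leftmost non-zero component; everything to its right resets.
    if (major > 0) maxExclusive = [major + 1, 0, 0];
    else if (minor > 0) maxExclusive = [0, minor + 1, 0];
    else maxExclusive = [0, 0, patch + 1];
  } else if (op === '~') {
    maxExclusive = [major, minor + 1, 0];      // patch updates only
  } else {
    maxExclusive = [major, minor, patch + 1];  // exact: this version only
  }
  return { min, maxExclusive };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = rangeBounds(range);
  return cmp(v, min) >= 0 && cmp(v, maxExclusive) < 0;
}

// Human-readable form, e.g. "^0.2.3 means >=0.2.3 <0.3.0".
function describe(range) {
  const { min, maxExclusive } = rangeBounds(range);
  return `${range} means >=${min.join('.')} <${maxExclusive.join('.')}`;
}

for (const r of ['^1.2.3', '^0.2.3', '^0.0.3', '~1.2.3', '1.2.3']) {
  console.log(describe(r));
}
```

Note how the 0.x cases collapse: a caret on a 0.y.z version permits no more than a tilde would, and a caret on 0.0.z permits nothing but that patch level, which is why pre-1.0 dependencies tend to need explicit bumps.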

How does npx differ from npm install -g?

npm install -g installs a package permanently into the global prefix and links its binaries into a bin directory on your PATH. npx first looks for the command in the project's own node_modules/.bin and runs that locally installed version if it exists; only otherwise does it fetch the package (the latest version unless you name one, for example npx create-react-app@5.0.1) into the npm cache and run it, and npm 7 and later ask for confirmation before that download unless you pass --yes. Running an unpinned package straight from the registry executes whatever the currently published version contains, so pin a version for anything run in automation and check the package name carefully, because a typosquatted name run through npx is code execution on your machine. Use npx for scaffolding tools like create-react-app or one-off CLI operations. Use -g for tools you run repeatedly like typescript or nodemon, or better, declare them as devDependencies so the project pins their versions.

What is package-lock.json and should I commit it?

package-lock.json records the exact resolved version, download URL, and integrity hash (a Subresource Integrity style sha512 digest that npm checks against the downloaded tarball) of every installed package and its transitive dependencies. It ensures that npm ci will install the exact same dependency tree on any machine, and the integrity field means a tampered tarball fails the install instead of running. The flip side is that anyone who can edit the lockfile can change what gets installed: a pull request that rewrites a resolved URL to point at another host, or drops an integrity field, deserves the same review as a code change. You should always commit package-lock.json for applications; it is what makes builds reproducible. For libraries published to npm there is a community debate, since the lockfile is not included in the published tarball and consumers never see it, but the modern guidance is to commit it in the repository even for libraries so the library's own tests and CI are reproducible.

How do I run npm audit and fix vulnerabilities?

Run npm audit to check your installed dependency tree (as recorded in package-lock.json) against the npm advisory database and see a list of vulnerabilities with severity levels (critical, high, moderate, low). The command exits non-zero when it finds anything, and npm audit --audit-level=high restricts that failure to the chosen severity and above, which is how it is usually gated in CI; add --omit=dev to scan only what ships to production. Run npm audit fix to upgrade affected packages to the lowest patched version that still satisfies your semver ranges; it changes versions in package.json and package-lock.json, never your code. If a fix requires a breaking major version change, npm audit fix will report it but will not apply it; use npm audit fix --force to apply major version upgrades, but review the changes carefully as they may break your code. Advisories with no published fix stay in the report, and those are the ones that need a manual decision: replace the package, accept the risk with a documented reason, or confirm the vulnerable code path is unreachable.
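A CI gate over the report that npm audit --json produces, written as an added example (not code from the npm Reference page or from npm). It works on the npm 7 and later report shape (auditReportVersion 2), fails at or above a chosen severity, and separates what npm audit fix resolves within semver from what needs --force or has no fix. The report and package names below are constructed; a real run would parse the output of npm audit --json instead.

```javascript
// Added example: gate a build on `npm audit --json` output (npm 7+ shape).
// SAMPLE_REPORT is constructed; the package names are made up.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function gateAudit(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  const failing = [];      // at or above threshold: blocks the build
  const autoFixable = [];  // `npm audit fix` resolves these within the semver range
  const needsForce = [];   // only fixable by a semver-major bump (`npm audit fix --force`)
  const unfixable = [];    // no fix published yet: needs a manual decision
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < threshold) continue;
    failing.push(`${vuln.name} (${vuln.severity}, ${vuln.isDirect ? 'direct' : 'transitive'})`);
    const fix = vuln.fixAvailable;
    if (fix === true) autoFixable.push(vuln.name);
    else if (fix && fix.isSemVerMajor) needsForce.push(`${vuln.name} -> ${fix.name}@${fix.version}`);
    else unfixable.push(vuln.name);
  }
  return { pass: failing.length === 0, failing, autoFixable, needsForce, unfixable };
}

// Constructed report in the npm 7+ format: one semver-compatible fix, one fix
// that is a major bump of a direct dependency, one low finding with no fix.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'lodash-ish': { name: 'lodash-ish', severity: 'high', isDirect: false,
                    range: '<4.17.21', fixAvailable: true },
    'old-parser': { name: 'old-parser', severity: 'critical', isDirect: true,
                    range: '<2.0.0',
                    fixAvailable: { name: 'old-parser', version: '2.0.0', isSemVerMajor: true } },
    'minor-util': { name: 'minor-util', severity: 'low', isDirect: false,
                    range: '*', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

const RESULT = gateAudit(SAMPLE_REPORT, 'high');
console.log(RESULT);
```

In a pipeline, feed it with JSON.parse of the captured npm audit --json output and exit non-zero when pass is false; the needsForce list is the one to surface to a human, since applying those upgrades blindly is what breaks builds.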

How do pre and post script hooks work in npm?

For any script named foo, npm automatically looks for prefoo and postfoo scripts and runs them before and after foo. For example, if you define prebuild, build, and postbuild in package.json scripts, running npm run build will execute all three in sequence, and a non-zero exit from prebuild stops the chain. This is useful for cleaning build output before a build (prebuild: "rimraf dist") and for post-processing or notifications after a build completes. The lifecycle hooks also work for the built-in npm start and npm test commands. The same mechanism runs install-time scripts (preinstall, install, postinstall) declared by every package in the tree, including dependencies, which is how a malicious package executes code during npm install; npm install --ignore-scripts and npm ci --ignore-scripts disable them, at the cost of packages that genuinely need a build step at install time.

How do I configure npm to use a private registry?

Set the registry in .npmrc: registry=https://your-registry.example.com/. For scoped packages from a private registry, use @scope:registry=https://your-registry.example.com/; mapping the scope explicitly also means npm never resolves that scope from the public registry, which closes the dependency-confusion route where a public package with the same name as an internal one gets installed instead. You can set .npmrc at the project level (committed) for non-sensitive settings or at the user level (~/.npmrc) for credentials. For authentication tokens, add //your-registry.example.com/:_authToken=${NPM_TOKEN} in .npmrc and set NPM_TOKEN as an environment variable so the token is never hardcoded; the registry URL in that line must use https, since a token sent to a plain http registry travels in the clear.
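A pre-commit check over a project-level .npmrc that enforces the points above, written as an added example (not from the npm Reference page or from npm). It flags credentials written as literals instead of ${ENV_VAR} references, registries served over plain http, and a missing @scope:registry line for a scope you expect to come from the private registry. The weak and corrected .npmrc files below are constructed, and the registry host and the @acme scope are assumptions.

```javascript
// Added example: lint a committed .npmrc for hardcoded credentials, plain-http
// registries and unmapped private scopes. Both .npmrc texts are constructed;
// registry.internal.example and the @acme scope are assumed names.

// Keys that carry credentials: global `_auth`, or `_authToken`/`_password` after
// a "//host/:" prefix.
const SECRET_KEYS = /(^|:)(_authToken|_auth|_password)$/;
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;   // ${NPM_TOKEN} style value

function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Returns a list of findings; empty means the file is safe to commit.
function lintNpmrc(text, requiredScopes = []) {
  const findings = [];
  const scopesSeen = new Set();
  for (const { key, value } of parseNpmrc(text)) {
    if (SECRET_KEYS.test(key) && !ENV_REF.test(value)) {
      findings.push(key + ': credential is a literal, use ${ENV_VAR} and keep it in ~/.npmrc');
    }
    if (key.endsWith('registry') && value.startsWith('http://')) {
      findings.push(key + ': registry over plain http, tokens would be sent in the clear');
    }
    const scope = /^(@[^:]+):registry$/.exec(key);
    if (scope) scopesSeen.add(scope[1]);
  }
  for (const s of requiredScopes) {
    if (!scopesSeen.has(s)) findings.push(s + ': no ' + s + ':registry line, scope would resolve from the public registry');
  }
  return findings;
}

// Constructed weak file: http registry, literal token, no scope mapping.
const WEAK_NPMRC = [
  'registry=http://registry.internal.example/',
  '//registry.internal.example/:_authToken=npm_abc123deadbeef',
].join('\n');

// Constructed corrected file: scope mapped, https, token from the environment.
const GOOD_NPMRC = [
  '@acme:registry=https://registry.internal.example/',
  '//registry.internal.example/:_authToken=${NPM_TOKEN}',
].join('\n');

console.log(lintNpmrc(WEAK_NPMRC, ['@acme']));
console.log(lintNpmrc(GOOD_NPMRC, ['@acme']));
```

Wire it into a pre-commit hook with the scopes your organisation publishes under, and keep the user-level ~/.npmrc out of the check entirely, since that file is where real tokens are supposed to live.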