Node Package Manager (NPM) is basically a command line tool as well as a registry of third party libraries that we can add to our Node applications.
It allows developers to easily manage and install external libraries, modules, and tools (called packages or modules) that extend the functionality of Node.js applications. NPM is the default package manager for Node.js and is included with the Node.js installation.
Key features and functionalities of NPM include:
Feature
Description
Package Installation
NPM allows developers to install packages from the official npm registry or from private registries. The installation process automatically handles the resolution of dependencies, ensuring that all required modules are downloaded and accessible.
Version Management
NPM provides version management for packages. Developers can specify the desired version of a package in the package.json file or use version ranges to allow updates within specific constraints.
Package Publishing
Developers can publish their own packages to the npm registry, making them available to others to use and contribute to. This fosters collaboration and code sharing within the Node.js community.
Dependency Management
NPM tracks dependencies and devDependencies of a project in the package.json file. This enables automated installation and management of all required modules by running a single command (npm install).
Script Execution
NPM allows developers to define custom scripts in the package.json file, which can be executed using the npm run command. This feature is commonly used for automation, running tests, and other development tasks.
Scopes
NPM introduced scopes, allowing developers to organize packages under specific namespaces to avoid naming conflicts.
package.json is basically a json file that includes some basic information about our application or our project, such as it's name, it's version, it's authors, the address of its git repository, its dependencies and so on. It's basically a bunch of metadata about our application. And all Node applications by standard have this package.json file.
To use NPM in a Node.js project, we need to initialize a package.json file using the npm init command, which will prompt us for some basic information about our project and its dependencies.
1
npminit
After fill some basic information, we would have a package.json file that contains some basic information about our node application as below.
package.json
1 2 3 4 5 6 7 8 91011
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC"}
After that, we can use npm install <package-name> to install latest packages from npm registry and npm install to install all dependencies specified in the package.json file.
For example, in our project npm-demo we will install package underscore to our node application.
1
npminstallundersorce
After execute the command above in npm-demo project, then we can see in the package.json the dependency underscore added with the version.
package.json
1 2 3 4 5 6 7 8 91011121314
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"underscore":"^1.13.6"}}
Moreover, you can also see there is folder node_modules inside our npm-demo application which contains the package underscore and inside it we will also see the package.json
So it means every npm dependency is a node application like our npm-demo application and it is stored in the a folder called node_modules.
Now, we will be confused that where does npm download this dependency from? The answer is that by default after installing the nodejs , the dependencies will be download from the default registry https://registry.npmjs.org/ of NPM. We can use the command below to check which registry that we are using.
12
npmgetregistry
https://registry.npmjs.org/
Finally, if we want to find a public dependency or just view the information about the dependency that we are using. We can go to npmjs.com to search and review.
To use a dependency package, we just need to include it like we load a module by using the require keyword.
12345
const_=require('underscore');//Core module//File or Foler//node_modules
So with the require require. Firstly, it will assume that the module name that we supply is the core module. However, in Nodejs we don't have this module so the require function thinks that maybe it is a file or a folder in this project. However, to reference a file we have to use the ./ in the argument and then the require function will assume that there is a underscore.js file in the same folder or there is an index.js file in the folder underscore (underscore/index.js). Finally, the require function move to the third step and assume that the supply module exists inside the node_modules folder. So this is how the require function worked.
Now, let's take an example with underscore dependency. Let's create a file index.js and add the example code as below.
Every time we install a package with npm install the dependencies in package.json will be updated.
1
npminstallmongoose
package.json
1 2 3 4 5 6 7 8 9101112131415
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"mongoose":"^7.4.1","underscore":"^1.13.6"}}
Then if we look at the node_modules folder there are many child folder added although we only installed mongoose package. These are other node packages that the mongoose is dependent on.
Okay, at this point maybe we will have some questions, so we knew that a dependency package is like a node application but why do dependency packages inside the node_modules do not contain a folder node_modules like our npm-demo application that we are working on?
The answer is if every dependency package contains a node_modules then there is a case a dependency will create a very deeply nested structure and on Windows Os specifically there is a limitation on the number of characters that we can have in a path.
So the behavior of the dependency package in the node_modules has changed, now all dependencies of our application as well as their dependencies are stored under node_modules
Okay, now we have another question, how can the NPM handle multi versions of an dependency?. For example, in the npm-demo we will use the package bson version 5.3.0 but in the dependency mongoose it is using the package bson version 5.4.0.
In this case, our bson package of npm-demo application will be stored in the folder node_modules with version 5.3.0. Then in the mongoose dependency a new node_modules folder will generated and store the bson with version 5.4.0. Let's see the example below.
1
npminstallbson@5.3.0
As you can see, the bson version 5.3.0 that our application npm-demo is stored in the main node_modules.
Then the bson version 5.4.0 of mongoose dependency is stored inside the node_modules folder of mongoose package.
There is a problem with the node_modules folder, if our application use a lot of node dependencies then our node_modules folder will be very heavy with hundred megabytes and when some one has to clone our source code from the repository then he have to wait for a long time for downloading.
To handle that problem the NPM will keep the information of dependencies that are used in our application in package.json field dependencies and in the case we delete the node_modules folder, we don't have to run npm install <packageName> for every dependency again, we just need to run npm install then all dependencies will be downloaded into the node_modules folder from public registry again. So now, we can exclude the folder node_modules from our source code.
Okay now, if we look into the dependencies in the package.json we may see the character ^ before the version, so what is it mean?
Before answering this question we need to understand the Semantic Versioning. So what is the Semantic Versioning?
Semantic Versioning (SemVer) is a versioning system for software packages that provides a consistent and reliable way to communicate changes between versions.
SemVer versions are made up of three numbers:
Major version: This number indicates a significant change and break existing APIs or functionality of the software.
Minor version: This number indicates a minor change but doesn't break the existing API in the software, such as adding new features.
Patch version: This number indicates a patch release, such as a bug fix or a security fix.
So the ^ tells the NPM that if there is any newer Minor or Patch version so they will be updated in node_modules as long as the Major version is not changed.
package.json
1 2 3 4 5 6 7 8 910111213141516
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"bson":"^5.3.0","mongoose":"^7.4.1","underscore":"^1.13.6"}}
For example, if we are using the bson version ^5.3.0 and using ^ then we are talking to NPM that if there is any newer Minor or Patch versions (ex: ^5.4.0) please use it when restore the package in npm install. It means when some one clone our project from the repository and run npm install. Then the bson will be installed with higher Minor or Patch versions for example ^5.4.0.
Beside the character ^ we can also use the exact Major version with x. For example: 5.x
Next, in some case we usually also see the character ~, so it means if there is any newer Patch version so they will be updated in node_modules as long as the Major and Minor versions are not changed and we also have an alternative syntax with Major, Minor and x . For example, 5.4.x.
Finally, if we want to use the exact version for dependencies we just simply put the exact version without using any ^ or ~ or version with x.
Okay as we knew before, we can access the link npmjs.com to view details about the package that we are using. However, there is another way by using the command below.
If we only use the command npm install <packageName> then we always install the latest package version. In case, we want to install a specific version of a package. We can use the command below.
Now, There is a case that we want to know newer versions of dependencies that we are using in our application to upgrade them. So firstly, we need to check the what are outdated packages and what are newer versions, we can use the command below.
As you can see the Current is our current dependency version, the Wanted is the version that we can update to, the Latest is the latest version of the dependency.
Note: the command npm update only works for upgrading Minor and patch versions as showed in the column Wanted of npm outdated command. For Major version it doesn't work.
If we want to upgrade the Major version, let's do following steps.
Install npm-check-updates to global
1
npminstall-gnpm-check-updates
Next, run the command below to check outdated packages in our npm application.
Now, if we look into the package.json, we can see the dependency version is updated.
1 2 3 4 5 6 7 8 910111213141516
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"bson":"^5.4.0","mongoose":"^7.4.1","underscore":"^1.13.6"}}
Finally, we just need to run command npm install to update the dependency.
As you can see, all dependencies that we are practicing are application dependencies like mongoose and underscore So our application needs these dependencies in order to function properly, but sometimes we use dependencies that are only used during development. For example, we have tools for running unit tests, we have tools for doing static analysis on our code, we have tools for bundling our JavaScript code and so on.
These dependencies are development dependencies. And they should not go in a production environment where we deploy our application. In this case we can use the command below.
1
npminstall<packageName>--save-dev
1
npminstalljshint--save-dev
The jshint is a static analysis tool for JavaScript code. It basically analyzes our JavaScript code, and looks for potential problems or syntactical errors.
After execute the command above, then we can see in our package.json. The jshint dependency is stored in property devDependencies and this mean the jshint is the development dependency and it should not go in the production environment.
1 2 3 4 5 6 7 8 910111213141516171819
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"bson":"^5.4.0","mongoose":"^7.4.1","underscore":"^1.13.6"},"devDependencies":{"jshint":"^2.13.6"}}
If we look at node_modules we still see the jshint package there. So all dependencies whether they are application dependencies or development dependencies they are stored inside of the node_modules folder. They are only segregated in package.json.
To uninstall a package, we can use the command below.
1
npmuninstall<packageName>
1
npmuninstallbson
package.json
1 2 3 4 5 6 7 8 9101112131415161718
{"name":"npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"mongoose":"^7.4.1","underscore":"^1.13.6"},"devDependencies":{"jshint":"^2.13.6"}}
After executing the command then we can see in the package.json the dependency is removed as well as in the node_modules folder.
So dependencies that we are using in the package.json are particular packages in the project npm-demo but there are packages on npm registry that are not specific node packages on npm registry that are not specific to an application. These are often command line tools that you want to access from everywhere. They're not tied to a specific folder, or a specific project. npm is an example of one of these global packages. It's a command line tool, you can run it from any folder. It's not specific to a given project. Another popular command line tool isAngular CLI. We use this to create a new Angular project.
If we want to install a Node package globally we can use -g flag.
For example, to install a package to global we can add -g to npm install as below.
1
npminstall-g<packageName>
1
npminstall-gnpm@9.5.1
Or when we want to check outdated of global, we can use to npm -g outdated
To publish a node package to publish repository, firstly you should register an account at npmjs.com which is the default publish registry that we have.
Then in our project, let's login with created account by using commands below.
1
npmlogin
Then follow the instruction in the command line to login.
Next, let's make sure that the name of your package is unique, so let's check the package.json with the property name and change it to make sure it is unique.
package.json
1 2 3 4 5 6 7 8 9101112131415161718
{"name":"duc-npm-demo","version":"1.0.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"mongoose":"^7.4.1","underscore":"^1.13.6"},"devDependencies":{"jshint":"^2.13.6"}}
Finally, use command npm publish to publish our node application.
Now, let's go back to npmjs.com and search our published package, we can see it is published successfully and other project can use it as a dependency.
Okay so in the case we add some new features into our npm application and we want to publish it again. If we continue to use npm publish then you will get the error below.
It is because the duc-npm-demo already published the version 1.0.0 so we can't continue to publish this version.
To handle this issue we have to update the property version in the package.json
1 2 3 4 5 6 7 8 9101112131415161718
{"name":"duc-npm-demo","version":"1.1.0","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","dependencies":{"mongoose":"^7.4.1","underscore":"^1.13.6"},"devDependencies":{"jshint":"^2.13.6"}}
Then now, we can use command npm publish to publish our node application again.
1 2 3 4 5 6 7 8 9101112131415161718
duc@duc-MS-7E01:~/study/nodejs-backend/udemy/npm-demo$ npm publishnpmnoticenpmnotice📦duc-npm-demo@1.1.0npmnotice===TarballContents===npmnotice95Bindex.jsnpmnotice339Bpackage.jsonnpmnotice===TarballDetails===npmnoticename:duc-npm-demonpmnoticeversion:1.1.0npmnoticefilename:duc-npm-demo-1.1.0.tgznpmnoticepackagesize:379Bnpmnoticeunpackedsize:434Bnpmnoticeshasum:30c0be7feb9c51a10b0c920375b1288762e9118dnpmnoticeintegrity:sha512-xfQgeQkl44Uvt[...]FJaZAHCp9/v3A==npmnoticetotalfiles:2npmnoticenpmnoticePublishingtohttps://registry.npmjs.org/ with tag latest and default access+duc-npm-demo@1.1.0
