npm (software)

From Wikipedia, the free encyclopedia
Original author(s): Isaac Z. Schlueter
Developer(s): Rebecca Turner, Kat Marchán, others
Initial release: January 12, 2010; 7 years ago (2010-01-12)[1]
Stable release: 4.6.1 / 21 April 2017; 61 days ago (2017-04-21)[2]
Preview release: 5.0.0 / 26 May 2017; 26 days ago (2017-05-26)[3]
Written in: JavaScript
License: Artistic License 2.0

npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website.


npm is written entirely in JavaScript and was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from the shortcomings of other similar projects such as PEAR (PHP) and CPAN (Perl).[4]


npm is automatically included when Node.js is installed.[5] npm consists of a command line client that interacts with a remote registry. It allows users to consume and distribute JavaScript modules that are available on the registry.[6] Packages on the registry are in CommonJS format and include a metadata file in JSON format.[7] Over 477,000 packages are available on the main npm registry.[8] The registry has no vetting process for submission, which means that packages found there can be low quality, insecure, or malicious.[7] Instead, npm relies on user reports to take down packages if they violate policies by being insecure, malicious or low quality.[9] npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages.[10]

In March 2016, npm attracted press attention[11] after a package called left-pad, which was depended upon by many popular JavaScript packages, was unpublished as the result of a dispute.[12] Although the package was re-published 3 hours later,[13] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.[14]


npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools.[15] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.[16] In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.[17] npm also provides version-bumping tools for developers to tag their packages with a particular version.[18]
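
The following added example (not part of the original article and not npm's own code) shows how caret and tilde ranges in package.json widen the set of versions an install may resolve to, and lists the dependencies that are not pinned to one exact version. The package names, versions and function names are constructed for illustration; only plain MAJOR.MINOR.PATCH versions and the `^`, `~`, `*` and exact forms are handled, and anything else is reported as unsupported.

```javascript
// Constructed package.json for illustration; names and versions are made up.
const samplePackageJson = JSON.stringify({
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    "left-pad": "^1.1.0", "tiny-lib": "~0.4.2", "exact-lib": "2.3.1",
    "young-lib": "^0.0.3", "wild-lib": "*"
  }
});

// Parse a plain MAJOR.MINOR.PATCH string; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Expand a range into inclusive min / exclusive max bounds.
function rangeBounds(range) {
  if (range === "*" || range === "") return { kind: "any", min: [0, 0, 0], max: null };
  const op = "^~".includes(range[0]) ? range[0] : "";
  const base = parseVersion(range.slice(op.length));
  if (!base) return { kind: "unsupported" };
  const [maj, min, pat] = base;
  if (op === "") return { kind: "exact", min: base, max: [maj, min, pat + 1] };
  if (op === "~") return { kind: "tilde", min: base, max: [maj, min + 1, 0] };
  // Caret: updates may not change the left-most non-zero component.
  const max = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  return { kind: "caret", min: base, max };
}

function satisfies(version, range) {
  const v = parseVersion(version), b = rangeBounds(range);
  if (!v || b.kind === "unsupported") return false;
  return compare(v, b.min) >= 0 && (b.max === null || compare(v, b.max) < 0);
}

// Dependencies whose range lets a fresh install resolve to a different release.
function floatingDependencies(pkgJsonText) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  return Object.keys(deps)
    .map((name) => ({ name, range: deps[name], kind: rangeBounds(deps[name]).kind }))
    .filter((d) => d.kind !== "exact");
}

console.log(floatingDependencies(samplePackageJson));
```

Because the registry has no vetting process, every dependency this reports is one where a newly published release inside the range can be installed without any change to package.json.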


There are a number of open-source alternatives to npm for installing modular JavaScript, including ied, pnpm, npm-install, npmd, and Yarn, the last of which was released by Facebook in October 2016.[19] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.[20]



  1. ^ "Earliest releases of npm". GitHub. Retrieved 27 July 2016. 
  2. ^ "npm/ at latest". GitHub. 2017-04-21. Archived from the original on 2017-04-21. Retrieved 2017-05-31. 
  3. ^ "npm/ at latest". GitHub. 2017-05-26. Archived from the original on 2017-05-26. Retrieved 2017-05-31. 
  4. ^ Schlueter, Isaac Z. (25 March 2013). "Forget CommonJS. It's dead. **We are server side JavaScript.**". GitHub. 
  5. ^ Dierx, Peter (30 March 2016). "A Beginner's Guide to npm — the Node Package Manager". sitepoint. Retrieved 22 July 2016. 
  6. ^ Ampersand.js. "Ampersand.js - Learn". Retrieved 22 July 2016. 
  7. ^ a b Ojamaa, Andres; Duuna, Karl (2012). "Assessing the Security of Node.js Platform". IEEE Xplore. Retrieved 22 July 2016. 
  8. ^ Kennedy, Hugh; DeVay, Paul. "Understanding npm". Nsight. Retrieved 22 July 2016. 
  9. ^ "npm Code of Conduct: acceptable package content". Retrieved 9 May 2017. 
  10. ^
  11. ^ Yegulalp, Serdar (23 March 2016). "How one yanked JavaScript package wreaked havoc". InfoWorld. Retrieved 22 July 2016. 
  12. ^ Williams, Chris. "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript". The Register. Retrieved 17 April 2016. 
  13. ^ "kik, left-pad, and npm". Retrieved 9 May 2017. 
  14. ^ "changes to unpublish policy". Retrieved 9 May 2017. 
  15. ^ Ellingwood, Justin. "How To Use npm to Manage Node.js Packages on a Linux Server". DigitalOcean. Retrieved 22 October 2016. 
  16. ^ "npm-install". docs.npmjs. Retrieved 22 October 2016. 
  17. ^ "semver". docs.npmjs. Retrieved 22 October 2016. 
  18. ^ "npm-version". docs.npm. Retrieved 29 October 2016. 
  19. ^ "Hello, Yarn!". The npm Blog. 11 October 2016. Retrieved 17 December 2016. 
  20. ^ Katz, Yehuda (11 October 2016). "Why I'm working on Yarn". Retrieved 17 December 2016. 
