Table of Contents


NPM is an acronym for the node package manager. It is the largest software registry in the world. It has three roles, to install packages or modules, to host, and to run tasks.


All of the modules are stored in the registry the largest public database in the world. You interact with the registry through the CLI or through the website. You can use the website for exploring packages, sharing, or collaboration with other people. Let’s explore the cowsay package by following this cowsay npm registry link.


As the CLI tool, it installs the packages defined in package.json and package-lock.json into the node_modules folder. Due to the dependencies being already declared in the two files, is a good practice to commit both of them to the source control.

Committing the node_modules folder to the source control is a bad practice. You can always use the npm tool to install all the modules from scratch. The folder is very large too so you might have limits on the source control server. The folder should be added to .gitignore file.


There are two types of dependencies in package.json files: dependencies and devDependencies. As their name implies both of them are dependencies but devDependencies are used in the development phase of the project.

Tools like linters, bundlers, or compilers usually fit the devDependency category.

npm install --save-dev webpack // devDependency
npm install express // runtime dependency

NPM CLI has some neat shorthand for common commands like installing.

npm i -D webpack // devDependency
npm i -S express // runtime dependency

Sometimes you would want just the production

Task runner

Another useful feature is that you can declare tasks inside the package.json file, under scripts and the npm CLI can run it for you. It comes in handy for preparing your project, testing, deploying, building, or running it.

All tasks all called via ‘npm run …’ with the task name except ‘start’ and ‘test’ (npm start and npm test). These special tasks can be customized too and do not require ‘run’.

You can combine other CLI’s or npm tasks via && or ||. Use && for concurrent running and || for parallel runs of tasks.

Building on top the task runner is the npx command, this lets you:

npx cowsay mooo

Using npx this way means that you want to install the package and run it with the commands specified.


Some packages may have known security issues. NPM registry also tracks vulnerability issues and can replace the dependencies with secure compatible updates.

Running the ‘audit’ command will check the dependencies for vulnerabilities, update the ‘node_modules’ folder with compatible updates, and commit the changes to the ‘package-lock.json’ file. You have to have a package-lock.json file for the ‘audit’ command to work.

The auditing feature works because of semantic versioning, applying only the compatible updates and notifying you if the vulnerability issue requires a breaking change.

npm audit

For more tips and tricks check out: npm tricks @ freecodecamp

About us

Bytes Route is a digital adoption tool designed for non-technical people to create no-code product tours for web applications.

Recent Posts

Follow Us

Weekly Tutorial

Create code-free product tours for user onboarding on your web application