What is npm?

Carly L
Jul 28, 2020


If you’ve dabbled in some JavaScript or NodeJS, you’ve likely come across npm. npm, or ‘node package manager’, is both a registry for open source software and a command line client that lets developers interact with that registry. A package manager is a piece of software that lets you download, install, and manage software. You could compare it to the Google Play Store or Apple App Store, where you download and manage your applications. npm allows developers all around the world to use, create, and share reusable code for their projects.

How to use npm

npm comes packaged with NodeJS, so if you have NodeJS installed, you should have npm as well. To check whether you have either, type node -v and npm -v in your terminal; each should print its version number. If nothing is printed (or the command is not found), follow these steps:

  1. Download and install NodeJS. (If you already have it installed, you can run npm install npm@latest -g to update npm to its latest version.)
  2. Create a package.json file.
     This package.json file holds metadata about your project and gives npm the information it needs to identify the project and handle its dependencies.
     Run npm init and follow the prompts:

     package name:
     version: (1.0.0)
     description:
     entry point:
     test command:
     git repository:
     keywords:
     author:
     license: (ISC)

  3. Install npm packages.
     There are thousands of npm packages, and you can browse them on the npm registry website (npmjs.com).
     Run npm install --save module-name. The --save flag records the dependency in your package.json file.
  4. (NodeJS) Require the module in your file.
     Follow the package's documentation and add the correct require statements.
     For example, the lodash documentation suggests adding var _ = require('lodash'); to your .js file to load the full lodash library.

Top 10 most depended upon npm packages

  1. Lodash — JavaScript library of methods great for iterating arrays, objects, and strings; manipulating and testing values; and creating composite functions
  2. React — JavaScript library for creating user interfaces
  3. Chalk — terminal string styling
  4. Request — simplified HTTP client, supports HTTPS and follows redirects by default
  5. Commander — the complete solution for Node.js command-line interfaces, inspired by Ruby’s commander
  6. Moment — JavaScript date library for parsing, validating, manipulating, and formatting dates
  7. Express — fast, unopinionated, minimalist web framework for Node
  8. React-dom — the entry point to the DOM and server renderers for React and intended to be paired with the generic React package
  9. Tslib — runtime library for TypeScript that contains all of the TypeScript helper functions
  10. Prop-types — runtime type checking for React props and similar objects

npm shortfalls

Malicious packages
Because npm is an open registry where anyone can publish a package, anyone who installs packages with the npm client is exposed to malicious code. Malicious code can cause security breaches and run destructive commands through attack scripts, viruses, and so on.

You could easily install a malicious package through an accidental typo. For example, you mean to run npm install --save react-dom but instead type npm install --save react.dom. Registering look-alike names to catch such typos is called typosquatting.

Luckily, npm has acknowledged this issue and has released new rules where, “If you are publishing a new package — that is, a package that has not been in the registry before — we remove punctuation from its name and compare it to existing package names. If the names are identical without punctuation, we do not allow the package to be created.” Nonetheless, be careful when installing npm packages.

Disk space
When there are thousands of available packages, you may find yourself accumulating more and more npm modules, and therefore more disk space used on your device.

Well, there’s a package for that! pnpm is a fast, disk-space-efficient package manager. But the question now is: does this add to the problem or mitigate it?

References:

About npm. (n.d.). Retrieved July 26, 2020, from https://docs.npmjs.com/about-npm/

Node.js. (n.d.). What is npm? Retrieved July 27, 2020, from https://nodejs.org/en/knowledge/getting-started/npm/what-is-npm/

Node.js. (n.d.). What is the file `package.json`? Retrieved July 27, 2020, from https://nodejs.org/en/knowledge/getting-started/npm/what-is-the-file-package-json/

Npmjs. (2017, August 02). `crossenv` malware on the npm registry. Retrieved July 27, 2020, from

Npmjs. (2017, December 27). New Package Moniker rules. Retrieved July 27, 2020, from https://blog.npmjs.org/post/168978377570/new-package-moniker-rules

Typosquatting. (2020, June 17). Retrieved July 27, 2020, from https://en.wikipedia.org/wiki/Typosquatting

image: https://i.redd.it/5w8tp1t1nrb51.jpg

image: https://i.redd.it/xra0td12zm451.jpg
