with a big answer by sindresorhus
How to use NPM to package a deployment? - stackoverflow.com - 20150221
For your question "Shouldn't I output the production files as part of the build process, and publish these as a versioned artifact with NPM": you could, but this is not what most people do. As long as your build process is repeatable, there is no reason to package and publish the built version of your app. I am assuming here that your are building an application and not a reusable library in which case it would be a different story.
What’s npm’s mascot? a wombat
What does “npm” stand for? Nothing! The original ‘npm’ software was used for Node.js package management
How many people does npm employ? npm, Inc. employs 34 people, distributed worldwide
What is the largest number of packages that have been downloaded from npm’s Registry in one week? From May 10th to May 17th of 2018, npm users downloaded 5.2 billion packages from the npm Registry, setting a new record.
How big is the npm Registry? The registry is approximately 8TB in size, with 25M total package-versions.
Features list
package.json when installing a package is reversed (saved by default, flag needed to not save)package-lock.json generated by default (behavior regarding to the registry is different then shrinkwrap)npm cache clean is must be run before using npm 5. new command npm cache verify, new options to tweak cache behavior (--prefer-offline, --prefer-online and --offline), concurrent access support.v5.0.0 - blog.npmjs.org - 20170526
Here’s what you need to know about npm 5 - blog.pusher.com - 20170613
Tout savoir sur la nouvelle version de npm : npm 5 - maxlab.fr - 20170528
npm@5 — Yarn killer? - medium.com - 20170615
npm ls shows all deps even missing onesnpm-package.lock syncs when running npm install <package-name>npm run-script command. Associated with the new node package, you can run a package against a specific node version.lots of npx fixes
npx fixes for Windows platformpackage-lock.json without running npm installnpm install will automatically resolve git merge conflicts in package-lock.json and npm-shrinwrap.json files. cf docnpm ci command. Install from lock file only and so report errors when a dep is not fixed. node_modules are always rewritten to achieve that.LF by default)NO_COLOR standard support through var envNO_PROXY support through CLI with --no-proxy.npmrc (cf PR)JSON parse error and EPERM/EACCESnpm ci fix and perf worksemver to manage scopes in package.json
<major>.<minor>.<patch>Warning semver interpretation for breaking changes can be slightly different from a package to another. The semver spec says that any breaking change must be traduced in a ++ on the major version number. But libs like angularjs (or protractor) introduce breaking changes in minor update. Consequences : ^ (caret) in package.json should allow automatic feature update without breaking changes but in fact it depends a lot on the package owner management.
npm-scripts How npm handles the "scripts" field - docs.npmjs.com
npm supports the "scripts" property of the package.json file, for the following scripts:
prepublish: Run BEFORE the package is packed and published, as well as on local npm install without any arguments. (See below)prepare: Run both BEFORE the package is packed and published, on local npm install without any arguments, and when installing git dependencies (See below). This is run AFTER prepublish, but BEFORE prepublishOnly.prepublishOnly: Run BEFORE the package is prepared and packed, ONLY on npm publish. (See below.)prepack: run BEFORE a tarball is packed (on npm pack, npm publish, and when installing git dependencies)postpack: Run AFTER the tarball has been generated and moved to its final destination.publish, postpublish: Run AFTER the package is published.preinstall: Run BEFORE the package is installedinstall, postinstall: Run AFTER the package is installed.preuninstall, uninstall: Run BEFORE the package is uninstalled.postuninstall: Run AFTER the package is uninstalled.preversion: Run BEFORE bumping the package version.version: Run AFTER bumping the package version, but BEFORE commit.postversion: Run AFTER bumping the package version, and AFTER commit.pretest, test, posttest: Run by the npm test command.prestop, stop, poststop: Run by the npm stop command.prestart, start, poststart: Run by the npm start command.prerestart, restart, postrestart: Run by the npm restart command. Note: npm restart will run the stop and start scripts if no restart script is provided.preshrinkwrap, shrinkwrap, postshrinkwrap: Run by the npm shrinkwrap command.Additionally, arbitrary scripts can be executed by running npm run-script <stage>. Pre and post commands with matching names will be run for those as well (e.g. premyscript, myscript, postmyscript). Scripts from dependencies can be run with npm explore <pkg> -- npm run <stage>.
# list globally installed package by name
npm -list -g <package_name>
# or for all packages
npm list -g -depth=0
# to get tree deps
npm list -g -depth=1
# list locally installed package by name
npm -list <package_name>
# view version on repository
npm view <package_name> version
# display npm config
npm config list -ls
11 Simple npm Tricks That Will Knock Your Wombat Socks Off - 20160826
Introducing hooks: get notifications of npm registry and package changes as they happen - 20160601
npm init + create-* packages
npm initcan now be used to invoke custom scaffolding tools. You can now do things likenpm init react-appornpm init esmto scaffold an npm package by runningcreate-react-appandcreate-esm, respectively.
See 'feat: add npm init
See also npm init official documentation.
npxExecutes
<command>either from a localnode_modules/.bin, or from a central cache, installing any packages needed in order for<command>to run.By default, npx will check whether
exists in $PATH, or in the local project binaries, and execute that. If is not found, it will be installed prior to execution. Unless a
--packageoption is specified,npxwill try to guess the name of the binary to invoke depending on the specifier provided. All package specifiers understood bynpmmay be used withnpx, including git specifiers, remote tarballs, local directories, or scoped packages.If a full specifier is included, or if
--packageis used, npx will always use a freshly-installed, temporary version of the package. This can also be forced with the--ignore-existingflag.
npx added, used to replace npm run-script command.
yarn equivalent of npx ? - yarnpkg/yarn on github - 20170715
zkat (npx maintainer) comment
I'm working on library-ifying npx. It's not a huge task to grab the existing npx code and just replace the npm-related guts with the yarn-equivalent commands.
I won't add that directly to npx itself, since it's meant to be agnostic: npx performs no operations which clash with people using other package managers. It doesn't even require npm to be on the system, so you can
npm rm -g npmand npx will work just fine. So you could say npx isypx, unless you feel really strongly about cache-sharing, which is a pretty thing.(in re inspiration: npx is primarily inspired by this long-standing feature request: npm/npm#6053. Most of its functionality centers around fulfilling this need. The auto-install feature was added post-yarn-create, and is definitely intended to be an actual generalized solution to that particular thing -- but it does way more than that)
Node.js — How to test your new NPM module without publishing it every 5 minutes - updated 201804
Testing NPM alpha / beta / rc packages - 20180508
3 options to require a your package in your hosting project :
npm linkIt will symlink your project in the global node_modules directory.
So it pollutes the global npm namespace.
No preinstall/postinstall hooks will be triggered so if you need to tests them it's not a good choice.
npm link <dep-name> will not alter the package.json file of the hosting project.
In your dependency directory :
$ npm link # create a global symlink to the local "dependency-name" project
In your hosting project :
$ npm link dependency-name # create a symlink locally to global dependency-name
npm install /absolute/local/pathIt works as if your package was is the npm registry. But it will write the absolute directory path to reach the dependency
in the package.json of your hosting project :
$ npm install /absolute/path/to/dependency-name
yields this in our package.json :
"dependencies": {
"dependency-name": "file:../../projects/dependency-name",
},
"dependencies": {
"viking": "file:../../oresoftware/viking",
},
npm packThe npm pack command create the tarball that will be pushed in the registry.
So we can build the payload and test against it before pushing it to the registry.
Theses kind of tests are named smoke-tests (cf discussion on stackoverflow).
Don't forget to use a .npmignore file (cf npm doc) to avoid putting editor config files (.idea/ for ex) in the tarball.
Notice that npm publish run npm pack so ignore .tgz files to avoid adding it to the uploaded package.
In your dependency directory :
$ npm pack # create the tarball in the root dep project directory
In your hosting project you can now install it like a regular package, there is no difference instead that :
package.json filenpmc testing @next npm versionnpm versions tagued @next can be tested without upgrading your current npm version with the npmc package.
c is for canary.
TLDR :
./node_modules of the current package root.-g): puts stuff in /usr/local or wherever node is installed.require() it.npm link.# list all the installed dependencies in stdout in a tree format
npm ls
# list all the installed dependencies in stdout in a tree format limited to the first level
# it must matches deps listed in package.json
npm ls --depth=0
# same as above but with the deps of deps in the tree
npm ls --depth=1
# print extended informations
npm ll
npm la
# check the registry to see if any (or, specific) installed packages are currently outdated
npm outdated
Since npm v5, the lockfile standard is no more shrinkwrap, it is now the package-lock.json file.
The big difference is that this file is generated automatically by npm when running the install command.
There is also big behavior differences regarding to the registry publication for packages.
npm-shrinkwrap.json is backwards-compatible with npm versions 2, 3, and 4, whereas package-lock.json is only recognized by npm 5+
docs.npmjs.com - package.json - peerdependencies
you want to express the compatibility of your package with a host tool or library, while not necessarily doing a
requireof this host
{
"name": "tea-latte",
"version": "1.3.5",
"peerDependencies": {
"tea": "2.x"
}
}
This ensures your package tea-latte can be installed along with the second major version of the host package tea only.
This leads to
├── [email protected]
└── [email protected]
instead of
├── [email protected]
└── [email protected]
since npm@3, npm is not installing automatically peerDeps. You need to add it explicitly in your package.json.
peerDeps usage
Mostly for a package to be used as a deps for another. No usage for an end project (like a frontend or a backend).
peerDeps tools
nathanhleung/install-peerdeps - github.com
A command-line interface to install an NPM package and its peer dependencies automatically.
Check for outdated, incorrect, and unused dependencies.
Find newer versions of dependencies than what your package.json or bower.json allows
Examine a package's dependency graph before you install it