Npm

{{short description|JavaScript package manager}}

{{About|the JavaScript package manager||NPM (disambiguation)}}

{{Lowercase|npm}}

{{Use dmy dates|date=January 2020}}

{{Infobox software

| title = npm

| name = npm

| logo = Npm-logo.svg

| screenshot =

| caption =

| collapsible =

| author = Isaac Z. Schlueter

| developer = npm, Inc. (a subsidiary of GitHub,{{Cite web|url=https://www.geekwire.com/2020/microsoft-owned-github-acquire-javascript-package-manager-npm/|title=Microsoft-owned GitHub to acquire JavaScript package manager Npm|date=17 March 2020|website=GeekWire}} a subsidiary of Microsoft)

| released = {{Start date and age|df=y|2010|01|12}}{{cite web |url=https://github.com/npm/npm/releases?after=v0.1.1 |title=Earliest releases of npm |website=GitHub |access-date=5 January 2019}}

| latest release version = {{wikidata|property|preferred|edit|reference|Q7067518|P548=Q2804309|P348}}

| latest release date = {{wikidata|qualifier|preferred|single|Q7067518|P548=Q2804309|P348|P577}}

| programming language = JavaScript

| operating system =

| platform = Cross-platform

| size =

| genre = Package manager

| license = Artistic License 2.0

| website = {{URL|https://www.npmjs.com/}}

}}

npm is a package manager for the JavaScript programming language maintained by npm, Inc., a subsidiary of GitHub. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer.{{cite web|last1=Dierx|first1=Peter|title=A Beginner's Guide to npm – the Node Package Manager|url=https://www.sitepoint.com/beginners-guide-node-package-manager/|website=sitepoint|access-date=22 July 2016|date=30 March 2016}}

It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.

Although "npm" is commonly understood to be an abbreviation of "Node Package Manager", it is officially a recursive backronymic abbreviation for "npm is not an acronym".{{cite web |title=npm |url=https://www.npmjs.com/package/npm |website=npm |archive-url=https://web.archive.org/web/20240514212833/https://www.npmjs.com/package/npm |archive-date=14 May 2024 |language=en |date=15 May 2024}}

Characteristics

{{Primary sources section

| date = April 2025

}}

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools.{{cite web |last1=Ellingwood |first1=Justin |title=How To Use npm to Manage Node.js Packages on a Linux Server |url=https://www.digitalocean.com/community/tutorials/how-to-use-npm-to-manage-node-js-packages-on-a-linux-server |access-date=22 October 2016 |website=DigitalOcean}} When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file.{{cite web |title=npm-install |url=https://docs.npmjs.com/cli/install |access-date=22 October 2016 |website=docs.npmjs}} In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.{{cite web |title=semver |url=https://docs.npmjs.com/misc/semver |url-status=dead |archive-url=https://web.archive.org/web/20161203095427/https://docs.npmjs.com/misc/semver |archive-date=3 December 2016 |access-date=22 October 2016 |website=docs.npmjs}} npm also provides version-bumping tools for developers to tag their packages with a particular version.{{cite web |title=npm-version |url=https://docs.npmjs.com/cli/version |access-date=29 October 2016 |website=docs.npm}} In addition, npm generates the package-lock.json{{Cite web |last=Koirala |first=Shivprasad |date=21 August 2017 |title=What is the need of package-lock.json in Node? |url=https://www.codeproject.com/Articles/1202361/What-is-package-lock-json-file-in-Node-NPM |website=codeproject}} file, which records the exact version of each dependency that the project installed after the semantic version ranges in package.json were resolved.

The npx command, which is an acronym for Node Package eXecuter,{{Cite web |last=Turbak |first=Lyn |date=2024 |title=Developing and Collaborating on React JS Apps |url=https://cs.wellesley.edu/~cs317/slide-pdfs/s24-12_react_development_4up.pdf |publisher=Wellesley College}} executes packages without having to install them first.{{Citation |last=Duldulao |first=Devlin Basilan |title=Getting Started with React Function Components and TypeScript |date=2021 |work=Practical Enterprise React |pages=21–38 |url=https://link.springer.com/10.1007/978-1-4842-6975-6_3 |access-date=2025-03-04 |place=Berkeley, CA |publisher=Apress |language=en |doi=10.1007/978-1-4842-6975-6_3 |isbn=978-1-4842-6974-9 |last2=Cabagnot |first2=Ruby Jane Leyva}}{{Rp|page=22}}

npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry.{{cite web |last1=Ampersand.js |title=Ampersand.js – Learn |url=https://ampersandjs.com/learn/npm-browserify-and-modules/ |access-date=22 July 2016 |website=ampersandjs.com}} In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.{{cite web |last1=npm |title='npm audit': identify and fix insecure dependencies |url=https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure |access-date=14 August 2018 |website=The npm Blog}} The vulnerability data was taken from reports found on the Node Security Platform (NSP), which has been integrated into npm since npm's acquisition of NSP.{{cite web |last1=npm |title=The Node Security Platform service is shutting down 9/30 |url=https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting |access-date=14 August 2018 |website=The npm Blog}}

= Registry =

Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format.{{cite book |last1=Ojamaa |first1=Andres |title=2012 International Conference for Internet Technology and Secured Transactions |last2=Duuna |first2=Karl |date=2012 |publisher=IEEE |isbn=978-1-4673-5325-0 |chapter=Assessing the Security of Node.js Platform |access-date=22 July 2016 |chapter-url=https://ieeexplore.ieee.org/document/6470829}} Over 3.1 million packages are available in the main npm registry.{{Cite web |title=npm {{!}} Home |url=https://www.npmjs.com |access-date=2024-06-27 |website=npmjs.com}} The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.{{cite web |title=npm Code of Conduct: acceptable package content |url=https://docs.npmjs.com/policies/conduct#acceptable-package-content |access-date=9 May 2017}} npm exposes statistics, including the number of downloads and the number of depending packages, to assist developers in judging the quality of packages.{{cite web |last=Vorbach |first=Paul |title=npm-stat: download statistics for NPM packages |url=https://npm-stat.com/ |url-status=dead |archive-url=https://web.archive.org/web/20160811014953/https://npm-stat.com/ |archive-date=11 August 2016 |access-date=9 August 2016 |website=npm-stat.com}} Internally, npm relies on the NoSQL database CouchDB to manage publicly available data.{{Cite web |title=registry {{!}} npm Docs |url=https://docs.npmjs.com/cli/v7/using-npm/registry/ |access-date=2021-05-10 |website=docs.npmjs.com}}

History

{{Needs expansion|date=April 2025}}

npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl).{{cite web|last1=Schlueter|first1=Isaac Z.|title=Forget CommonJS. It's dead. **We are server side JavaScript.**|url=https://github.com/joyent/node/issues/5132#issuecomment-15432598|website=GitHub|date=25 March 2013}} npm is a JavaScript replacement for pm, a shell script.{{cite web | url=https://github.com/npm/cli#is-npm-an-acronym-for-node-package-manager | title=NPM/Cli | website=GitHub }}

The company npm, Inc. was founded in 2014 in Oakland, California, United States, with Laurie Voss as co-founder. Bryan Bogensberger joined the company as CEO in July 2018 and resigned in September 2019.{{Cite web|url=https://www.businessinsider.com/npm-ceo-bryan-bogensberger-resigns-2019-9|title=Bryan Bogensberger, CEO of JavaScript Package Startup NPM, Resigns|last=Chan|first=Rosalie|website=Business Insider|agency=Business Insider|access-date=2021-06-30}} Before Bogensberger's resignation, Laurie Voss resigned in July 2019.{{Cite web|url=https://www.businessinsider.com/npm-cofounder-laurie-voss-resigns-2019-6|title=NPM Co-Founder and Chief Data Officer Laurie Voss Resigns|last=Chan|first=Rosalie|website=Business Insider|agency=Business Insider|access-date=2021-06-30}}

In March 2020, npm was acquired by GitHub, which is a subsidiary of Microsoft.

Package controversies

= <code>left-pad</code> =

{{See also|Npm left-pad incident}}

In March 2016, a package called left-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik.{{cite news |last1=Williams |first1=Chris |title=How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript |url=https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ |access-date=17 April 2016 |work=The Register}}{{Cite web |last=Collins |first=Keith |date=27 March 2016 |title=How one programmer broke the internet by deleting a tiny piece of code |url=https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ |access-date=2020-12-23 |website=Quartz |language=en}} The package was immensely popular on the platform, being depended on by thousands of projects and reaching 15 million downloads prior to its removal.{{cite web |last1=Sharma |first1=Ax |date=27 July 2022 |title=Protestware on the rise: Why developers are sabotaging their own code |url=https://techcrunch.com/2022/07/27/protestware-code-sabotage/ |access-date=11 May 2024 |website=TechCrunch}} Several projects critical to the JavaScript ecosystem including Babel and Webpack depended on left-pad and were rendered unusable.{{cite web |date=24 March 2016 |title=How 17 Lines of Code Took Down Silicon Valley's Hottest Startups |url=https://www.huffpost.com/entry/how-17-lines-of-code-took_b_9532846 |access-date=11 May 2024 |website=HuffPost |language=en}} Although the package was republished three hours later,{{cite web |title=kik, left-pad, and npm |url=http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm |access-date=9 May 2017}} it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.{{cite web |title=changes to unpublish policy |url=http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy |access-date=23 January 2022 |publisher=npm Blog (Archive)}}

= <code>flatmap-stream</code> =

In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream.{{cite web |last1=Goodin |first1=Dan |date=26 November 2018 |title=Widely used open source software contained bitcoin-stealing backdoor |url=https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/ |access-date=11 May 2024 |website=Ars Technica |language=en-us}} The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications.{{cite web |last1=Claburn |first1=Thomas |title=Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week) |url=https://www.theregister.com/2018/11/26/npm_repo_bitcoin_stealer/ |access-date=11 May 2024 |website=www.theregister.com |language=en}}

= <code>pac-resolver</code> =

In May 2021, pac-resolver, an npm package that received over 3 million downloads per week, was discovered to have a remote code execution vulnerability.{{cite web |last1=Sharma |first1=Ax |date=2 September 2021 |title=NPM package with 3 million weekly downloads had a severe vulnerability |url=https://arstechnica.com/information-technology/2021/09/npm-package-with-3-million-weekly-downloads-had-a-severe-vulnerability/ |access-date=11 May 2024 |website=Ars Technica |language=en-us}} The vulnerability resulted from how the package handled config files, and was fixed in versions 5 and greater.{{cite web |last1=Claburn |first1=Thomas |title=JavaScript library downloaded 3m times a week exposes apps to hijacking via evil proxy configs |url=https://www.theregister.com/2021/09/03/pac_patch_npm/ |access-date=11 May 2024 |website=www.theregister.com |language=en}}

= <code>colors</code> and <code>faker</code> =

In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?"{{cite web |title=Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps |url=https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ |access-date=9 January 2022 |work=Bleeping Computer}}

= <code>node-ipc</code> and <code>peacenotwar</code> =

{{See also|peacenotwar}}

In March 2022, developer Brandon Nozaki Miller, maintainer of the node-ipc package, added peacenotwar as a dependency to the package. peacenotwar recursively overwrites an affected machine's hard drive contents with the heart emoji if the machine has a Belarusian or Russian IP address. The package also leaves a text file on the machine containing a message in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, meaning that users of Vue.js who were on its latest version received the peacenotwar package.{{cite web |title=BIG sabotage: Famous npm package deletes files to protest Ukraine war |url=https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ |access-date=17 March 2022 |work=Bleeping Computer}}{{cite web |author=Juha Saarinen |date=March 17, 2022 |title='Protestware' npm package dependency labelled supply-chain attack |url=https://www.itnews.com.au/news/protestware-npm-package-dependency-labelled-supply-chain-attack-577488 |website=IT News |publisher=nextmedia}} The package was also briefly present as a dependency in version 3.1 of Unity Hub. However, a hotfix was released the same day to remove the dependency.{{cite web |last1=Proven |first1=Liam |date=18 March 2022 |title=JavaScript library updated to wipe files from Russian computers |url=https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/ |url-status=live |archive-url=https://web.archive.org/web/20220318130958/https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/ |archive-date=18 March 2022 |access-date=18 March 2022 |website=The Register |publisher=Situation Publishing}}
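The following is an added illustration, not code from npm or from any of the projects named in this article. It ties together the package.json version ranges and package-lock.json described under Characteristics and the unpinned-dependency problem in the node-ipc incident above: a minimal semantic-version range resolver (supporting only the caret, tilde and exact forms that npm writes by default) shows how an unlocked range floats to the newest published release, while a lock file holds the exact version that was previously installed and reviewed. The package name, its version history and the lock file contents are constructed for the example.

```javascript
// Added example (not npm's own code): a minimal semver range resolver showing
// how a package.json range such as "^1.2.0" floats to the newest matching
// release, while a package-lock.json entry pins one exact version.
// Package names, version histories and the lockfile below are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Numeric comparison, usable directly as an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// True if `version` satisfies `range`. Supports the three forms npm writes by
// default: "^x.y.z" (same major), "~x.y.z" (same major.minor) and an exact
// "x.y.z". npm's real semver library accepts many more range operators.
function satisfies(version, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const floor = op ? range.slice(1) : range;
  if (compareVersions(version, floor) < 0) return false; // below the range floor
  if (op === '') return compareVersions(version, floor) === 0;
  const v = parseVersion(version), base = parseVersion(floor);
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // Caret: same major. For 0.y.z the minor is the breaking component and for
  // 0.0.z the patch is, so the allowed window shrinks accordingly.
  if (base.major === 0 && base.minor === 0) return v.major === 0 && v.minor === 0 && v.patch === base.patch;
  if (base.major === 0) return v.major === 0 && v.minor === base.minor;
  return v.major === base.major;
}

// Pick the highest published version that satisfies the range, which is what
// an unlocked `npm install` does against the registry's list of versions.
function resolve(published, range) {
  const ok = published.filter(v => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed scenario: "some-lib" has three releases. Imagine 1.3.0 is the
// release that pulled in an unwanted dependency, as node-ipc did.
const registry = { 'some-lib': ['1.2.0', '1.2.5', '1.3.0'] };
const packageJson = { dependencies: { 'some-lib': '^1.2.0' } };
// Simplified lockfile (lockfileVersion 3 layout) recording what was installed
// when the lock was last written.
const packageLock = { packages: { 'node_modules/some-lib': { version: '1.2.5' } } };

// Resolution without a lock: the range floats to the newest matching release.
function installFromRange(name) {
  return resolve(registry[name], packageJson.dependencies[name]);
}

// Resolution with a lock (what `npm ci` does): use the recorded version and
// refuse to proceed if the lock no longer agrees with package.json.
function installFromLock(name) {
  const locked = packageLock.packages[`node_modules/${name}`].version;
  if (!satisfies(locked, packageJson.dependencies[name])) {
    throw new Error(`lockfile version ${locked} does not satisfy package.json`);
  }
  return locked;
}

console.log('unlocked install resolves to', installFromRange('some-lib')); // 1.3.0
console.log('locked install resolves to  ', installFromLock('some-lib'));  // 1.2.5
```

Run with `node`, the unlocked path picks up 1.3.0 the moment it is published, which is how a downstream project with an open range received the new node-ipc release; the locked path keeps returning 1.2.5 until someone deliberately updates the lock file, and `npm ci` likewise refuses to install when package-lock.json and package.json disagree. Exact pins in package.json (a version with no `^` or `~`) narrow the range to a single release but do not pin transitive dependencies; only the lock file does that.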

= <code>bignum</code> =

In May 2023, several npm packages, including bignum, were found to have been compromised to steal user credentials and information from affected machines. Researchers discovered that these packages had been compromised through an exploit involving Amazon S3 buckets and the node-gyp command line tool.{{cite web |last1=Burt |first1=Jeff |title=Hijacked S3 buckets used in attacks on npm packages |url=https://www.theregister.com/2023/06/19/npm_s3_buckets_malware/ |access-date=11 May 2024 |website=www.theregister.com |language=en}}

Alternatives

There are a number of open-source alternatives to npm for installing modular JavaScript, including pnpm, Yarn,{{cite web|url=https://blog.npmjs.org/post/151660845210/hello-yarn|title=Hello, Yarn!|date=11 October 2016|website=The npm Blog|access-date=17 December 2016}} Bun and Deno. Deno and Bun also provide a JavaScript runtime. Of these, only Deno operates independently of the npm registry or any other centralized repository,{{cite web|url=https://docs.deno.com/runtime/tutorials/manage_dependencies|title=Managing Dependencies|website=Deno Docs|access-date=6 Jan 2024}} and its support for the npm registry was still a work in progress as of January 2024.{{Cite web |title=Node and npm modules {{!}} Deno Docs |url=https://docs.deno.com/runtime/manual/node/ |access-date=2024-01-16 |website=docs.deno.com |language=en}} They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.{{cite web|url=http://yehudakatz.com/2016/10/11/im-excited-to-work-on-yarn-the-new-js-package-manager-2/|title=Why I'm working on Yarn|date=11 October 2016|access-date=17 December 2016|last1=Katz|first1=Yehuda}}

See also

{{Portal|Free and open-source software}}

References

{{refs}}