@levaleks
Last active January 7, 2022 10:39

NPM

Useful commands

  1. List globally installed NPM packages and versions: npm list -g --depth=0

  2. Get directory where global modules are located: npm root -g

Update rules

Semver (Semantic Versioning) is a set of rules and requirements that dictate how version numbers are assigned and incremented. In version 1.2.3, 1 is the major version (major changes, breaks the API), 2 is the minor version (new features, does not break the API), and 3 is the patch version (bug fixes).

Symbols to manage updating of dependencies:

  • no symbol – it will always stick with this exact version
"dependencies": {
  "dependency": "1.2.3"
}
  • ~ (tilde) – it means "keep this minor version and only update the patch version" (the 3 in 1.2.3)
"dependencies": {
  "dependency": "~1.2.3"
}
  • ^ (caret) – when someone runs npm install, it installs the latest minor version (the 2 in 1.2.3 may change)
"dependencies": {
  "dependency": "^1.2.3"
}
  • * (asterisk) – install the latest version
"dependencies": {
  "dependency": "*"
}
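
The four range forms above, checked against a constructed list of published versions. This is an added example, not part of the original gist: the package names and version lists are made up, and only these four forms are handled. It goes slightly beyond the text by covering caret ranges on 0.x versions, where the caret is narrower.

```javascript
// Added example, not from the gist. Covers only the four range forms shown above.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};

// How far may the resolved version drift from the one written in package.json?
function floatLevel(spec) {
  if (spec === "*") return "any";
  if (spec[0] === "~") return "patch";
  if (spec[0] === "^") {
    const [major, minor] = parse(spec.slice(1));
    // Caret keeps the left-most non-zero number fixed, so 0.x ranges are narrower.
    return major > 0 ? "minor" : minor > 0 ? "patch" : "none";
  }
  parse(spec); // exact version: throws on anything this example does not handle
  return "none";
}

// Does a published version fall inside the range?
function satisfies(version, spec) {
  if (spec === "*") return true;
  const level = floatLevel(spec);
  const [a, b, c] = parse(spec.replace(/^[~^]/, ""));
  const [x, y, z] = parse(version);
  if (level === "none") return x === a && y === b && z === c;
  if (level === "patch") return x === a && y === b && z >= c;
  return x === a && (y > b || (y === b && z >= c)); // level === "minor"
}

// Report every dependency that a fresh install without a lockfile could resolve
// to something newer than the version written in package.json.
function auditRanges(dependencies, published) {
  return Object.entries(dependencies)
    .filter(([, spec]) => floatLevel(spec) !== "none")
    .map(([name, spec]) => ({
      name, spec, level: floatLevel(spec),
      candidates: (published[name] || []).filter((v) => satisfies(v, spec)),
    }));
}

// Constructed sample data (package names and version lists are made up).
const deps = { pinned: "1.2.3", tilde: "~1.2.3", caret: "^1.2.3", zero: "^0.2.3", star: "*" };
const versions = ["0.2.3", "0.2.9", "0.3.0", "1.2.3", "1.2.7", "1.4.0", "2.0.0"];
const registry = Object.fromEntries(Object.keys(deps).map((n) => [n, versions]));
console.log(auditRanges(deps, registry));
```

Every entry in the report is a dependency whose installed version depends on what has been published at install time unless a lockfile fixes it.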

npm install VS npm update

The difference between npm install and npm update handling of package versions specified in package.json:

{
  "name":          "my-project",
  "version":       "1.0",                              // install   update
  "dependencies":  {                                   // ------------------
    "already-installed-versionless-module":  "*",      // ignores   "1.0" -> "1.1"
    "already-installed-semver-module":       "^1.4.3", // ignores   "1.4.3" -> "1.5.2"
    "already-installed-versioned-module":    "3.4.1",  // ignores   ignores
    "not-yet-installed-versionless-module":  "*",      // installs  installs
    "not-yet-installed-semver-module":       "^4.2.1", // installs  installs
    "not-yet-installed-versioned-module":    "2.7.8"   // installs  installs
  }
}

Summary: The only big difference is that an already installed module with fuzzy versioning:

  • gets ignored by npm install;
  • gets updated by npm update.

Additionally: install and update by default handle devDependencies differently:

  • npm install will install/update devDependencies unless --production flag is added;
  • npm update will ignore devDependencies unless --dev flag is added.

Why use npm install at all? Because npm install does more than handle the dependencies in package.json. With npm install you can:

  • manually install node-modules;
  • set them as global (which puts them in the shell's PATH) using npm install -g;
  • install certain versions described by git tags;
  • install from a git url;
  • force a reinstall with --force.

npm ci

Use npm ci instead of npm install to get a consistent dependency tree: npm ci installs exactly the versions recorded in package-lock.json. Make sure package-lock.json is committed to the repository; otherwise errors will be thrown while installing dependencies.

Workspaces

  1. Add the "workspaces": ["workspaces-folder/*"] property to the root package.json.
  2. To add dependencies or run a command in the project root, do it as usual, e.g. npm i react in the root directory.
  3. To run a command against a specific workspace, use the -w flag, e.g. npm i react -w workspace-package-name adds react only to workspace-package-name.
  4. To run a command against all the workspaces, use the -ws flag, e.g. npm i react -ws adds react to all workspaces inside the workspaces-folder.

Resources

TODO

  • Security (snyk, npm audit)