Node.js NPM: Complete Basic to Advanced Tutorial
Master package management, scripts, security, and publishing workflows
What is NPM?
NPM (Node Package Manager) is the default package manager for Node.js and the largest software registry in the world.
| Metric | Value |
|---|---|
| Total Packages | 2+ million |
| Weekly Downloads | 50+ billion |
| Daily New Packages | 1,000+ |
| Monthly Users | 12+ million |
| Created | 2010 by Isaac Schlueter |
NPM responsibilities:
- Package installation
- Version management
- Dependency resolution
- Script running
- Package publishing
- Registry hosting
NPM Basics
Installation & Setup
npm --version
npm install -g npm@latest
npm config list
Start a New Project
mkdir my-project
cd my-project
npm init
npm init -y
Basic Commands
npm install lodash
npm i -D nodemon jest
npm uninstall lodash
npm update
npm list --depth=0
npm outdated
npm view express
Package.json Deep Dive
package.json is the core configuration file for metadata, scripts, dependencies, compatibility, and publishing settings.
Complete Example
{
"name": "my-awesome-app",
"version": "1.0.0",
"main": "index.js",
"scripts": {
"start": "node index.js",
"dev": "nodemon index.js",
"test": "jest"
},
"dependencies": { "express": "^4.18.2" },
"devDependencies": { "nodemon": "^3.0.1", "jest": "^29.7.0" },
"engines": { "node": ">=18.0.0", "npm": ">=9.0.0" },
"private": true
}
| Field | Purpose | Required |
|---|---|---|
| name | Package name | Yes |
| version | Semver version | Yes |
| scripts | Custom commands | No |
| dependencies | Production dependencies | No |
| devDependencies | Development dependencies | No |
| engines | Node/npm compatibility | No |
Installing Packages
# Local
npm install express
# Global
npm install -g nodemon
# Dev dependency
npm install -D jest
# Production only
npm install --production
# Exact version
npm install -E express
# Specific version/tag
npm install express@4.18.2
npm install express@latest
Install Patterns
npm install
npm ci
npm install --dry-run
npm install --force
Managing Dependencies
Dependency Types
{
"dependencies": {},
"devDependencies": {},
"peerDependencies": {},
"optionalDependencies": {}
}
Commands
npm list --depth=0
npm outdated
npm update
npm uninstall express
npm dedupe
npm ci
NPM Scripts
{
"scripts": {
"start": "node index.js",
"dev": "nodemon index.js",
"test": "jest",
"build": "webpack --mode production",
"lint": "eslint src/"
}
}
npm start
npm run dev
npm run test -- --coverage
Hooks
{
"scripts": {
"pretest": "npm run lint",
"test": "jest",
"posttest": "npm run coverage"
}
}
Semantic Versioning
MAJOR.MINOR.PATCH
4.18.2
| | +-- patch fixes
| +----- minor features (backward compatible)
+------- major breaking changes
| Syntax | Meaning | Matches |
|---|---|---|
| 1.2.3 | Exact | Only 1.2.3 |
| ^1.2.3 | Compatible major | 1.x.x |
| ~1.2.3 | Compatible minor | 1.2.x |
| 1.2.x | Patch wildcard | 1.2.0+ |
npm version patch
npm version minor
npm version major
npm view express version
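Added example, not code from the original tutorial: a small matcher for the range syntaxes in the table above (exact, ^, ~ and 1.2.x), generalised to npm's caret rule for 0.x versions, where ^ locks the minor (or the patch for 0.0.x). It assumes plain MAJOR.MINOR.PATCH versions with no prerelease tag; the `semver` package is the tool for real projects.

```javascript
// Added example, not from the original tutorial: a small matcher for the range
// syntaxes in the table above (exact, ^, ~ and 1.2.x), generalised to npm's
// caret rule for 0.x versions, where ^ locks the minor (or the patch for 0.0.x).
// Assumes plain MAJOR.MINOR.PATCH versions with no prerelease tag.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Lower bound (inclusive) and upper bound (exclusive) that a range allows.
function rangeBounds(range) {
  const r = range.trim();
  const x = /^(\d+)\.(\d+)\.x$/i.exec(r);             // 1.2.x -> >=1.2.0 <1.3.0
  if (x) {
    const lo = { major: +x[1], minor: +x[2], patch: 0 };
    return [lo, { major: lo.major, minor: lo.minor + 1, patch: 0 }];
  }
  const op = '^~'.includes(r[0]) ? r[0] : '';
  const lo = parseVersion(op ? r.slice(1) : r);
  const nextMajor = { major: lo.major + 1, minor: 0, patch: 0 };
  const nextMinor = { major: lo.major, minor: lo.minor + 1, patch: 0 };
  const nextPatch = { major: lo.major, minor: lo.minor, patch: lo.patch + 1 };
  if (op === '') return [lo, nextPatch];             // exact: only this version
  if (op === '~') return [lo, nextMinor];            // tilde: patch updates only
  if (lo.major > 0) return [lo, nextMajor];          // caret: within same major
  return [lo, lo.minor > 0 ? nextMinor : nextPatch]; // caret on 0.x / 0.0.x
}

function satisfies(version, range) {
  const [lo, hi] = rangeBounds(range);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest candidate a range allows, i.e. what `npm update` would pick.
function maxSatisfying(candidates, range) {
  const ok = candidates.filter((c) => satisfies(c, range));
  return ok.length ? ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop() : null;
}

console.log(satisfies('4.19.0', '^4.18.2'));                                    // true
console.log(satisfies('5.0.0', '^4.18.2'));                                     // false
console.log(maxSatisfying(['4.18.1', '4.18.5', '4.19.0', '5.0.0'], '~4.18.2')); // 4.18.5
```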
Advanced NPM Features
Workspaces
{
"private": true,
"workspaces": ["packages/*"]
}
npm install --workspace=packages/api
npm run test --workspaces
Link, Cache, Config, Audit
npm link
npm cache verify
npm config list
npm audit
npm audit fix
Creating and Publishing Packages
Workflow
mkdir my-awesome-package
cd my-awesome-package
npm init
npm test
npm login
npm pack
npm publish
Version and release
npm version patch
npm publish --tag beta
npm deprecate my-package@"<1.2.0" "Security issues"
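Added example, not code from the original tutorial: a guard intended to run from a prepublishOnly script (an assumed wiring) so that npm publish aborts when the tarball would contain secrets or local config. It assumes its input is the files[].path list from `npm pack --dry-run --json`; SAMPLE_FILES below is constructed for illustration.

```javascript
// Added example, not from the original tutorial: a guard meant to run from a
// "prepublishOnly" script (assumed) so that `npm publish` aborts if the tarball
// would contain secrets or local config. Assumed input: the `files[].path`
// values from `npm pack --dry-run --json`; SAMPLE_FILES below is constructed.

const DENY_PATTERNS = [
  { re: /(^|\/)\.env(\..+)?$/, why: 'dotenv file' },
  { re: /(^|\/)\.npmrc$/, why: 'npm config, may carry an auth token' },
  { re: /\.(pem|key|p12|pfx)$/i, why: 'private key material' },
  { re: /(^|\/)id_(rsa|ecdsa|ed25519)$/, why: 'ssh private key' },
  { re: /(^|\/)(\.git|coverage)\//, why: 'local tooling output' },
];

// Returns the paths that must not be published, with the reason for each.
function checkPublishFiles(paths) {
  const blocked = [];
  for (const p of paths) {
    const hit = DENY_PATTERNS.find(({ re }) => re.test(p));
    if (hit) blocked.push({ path: p, why: hit.why });
  }
  return blocked;
}

// Constructed sample of what a packed file list might look like.
const SAMPLE_FILES = ['package.json', 'index.js', 'lib/util.js', '.env.production', 'certs/server.pem'];
const blocked = checkPublishFiles(SAMPLE_FILES);
blocked.forEach((b) => console.log(`refusing to publish ${b.path}: ${b.why}`));
```

In a real prepublishOnly script, set a non-zero exit code when the returned list is non-empty so that npm publish stops.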
NPM Security
npm audit
npm audit fix
npm audit signatures
npm profile enable-2fa auth-and-writes
CI/CD secure npmrc
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
registry=https://registry.npmjs.org/
always-auth=true
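Added example, not code from the original tutorial: a CI guard that walks a package-lock.json (lockfileVersion 2 or 3 packages map) and flags entries that were not resolved from the expected registry or that lack a sha512 integrity hash, complementing npm audit, which only reports known advisories. SAMPLE_LOCK is constructed for illustration; its integrity value is a placeholder and example-helper is not a real package.

```javascript
// Added example, not from the original tutorial: checks a package-lock.json
// (lockfileVersion 2 or 3 "packages" map) for entries resolved outside the
// expected registry or lacking a sha512 integrity hash. SAMPLE_LOCK is
// constructed; its integrity value is a placeholder, not a real hash.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';

function checkLockfile(lock, registry = EXPECTED_REGISTRY) {
  const findings = [];
  if (![2, 3].includes(lock.lockfileVersion)) {
    findings.push({ name: '<lockfile>', issue: `unsupported lockfileVersion ${lock.lockfileVersion}` });
    return findings;
  }
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue;      // the root project itself, nothing is fetched
    if (entry.link) continue;      // workspace symlink, nothing is fetched
    const name = key.replace(/^.*node_modules\//, '');
    const resolved = entry.resolved || '';
    if (!resolved) {
      findings.push({ name, issue: 'no resolved URL (cannot tell where it came from)' });
      continue;
    }
    if (!resolved.startsWith(registry)) {
      findings.push({ name, issue: `resolved outside registry: ${resolved}` });
    }
    if (!/^sha512-[A-Za-z0-9+\/=]+$/.test(entry.integrity || '')) {
      findings.push({ name, issue: 'missing or non-sha512 integrity hash' });
    }
  }
  return findings;
}

// Constructed sample lock: one clean entry and one pulled from an unexpected mirror.
const SAMPLE_LOCK = {
  name: 'my-awesome-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-awesome-app', version: '1.0.0' },
    'node_modules/express': {
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-PLACEHOLDERnotARealHash0123456789ABCDEFabcdef+/==',
    },
    'node_modules/example-helper': {
      resolved: 'http://mirror.example.internal/example-helper-0.0.1.tgz',
    },
  },
};

checkLockfile(SAMPLE_LOCK).forEach((f) => console.log(`${f.name}: ${f.issue}`));
```

In a pipeline, parse the real lockfile with JSON.parse and fail the job when the returned list is non-empty.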
NPM Performance Optimization
npm ci
npm config set progress false
npm install --prefer-offline --no-audit --no-fund
npm dedupe
npm prune --production
Alternative manager speed comparison
| Manager | Install Time | Disk Usage | Lock File |
|---|---|---|---|
| npm | 2-5 min | 200-500MB | package-lock.json |
| yarn | 1-3 min | 180-450MB | yarn.lock |
| pnpm | 1-2 min | 50-100MB | pnpm-lock.yaml |
| bun | 30-60 sec | 150-400MB | bun.lockb |
NPM Alternatives
Yarn
npm install -g yarn
yarn install
yarn add express
pnpm
npm install -g pnpm
pnpm install
pnpm add express
Bun
curl -fsSL https://bun.sh/install | bash
bun install
bun add express
Practical Examples
1) Full setup scripts
{
"scripts": {
"setup": "npm install && npm run db:migrate && npm run db:seed",
"dev": "concurrently \"npm run dev:backend\" \"npm run dev:frontend\"",
"deploy": "npm run test && npm run build && node scripts/deploy.js"
}
}
2) Custom deploy script args
// Invoked from the "deploy" script as: node scripts/deploy.js production 1.2.0
// process.argv[0] is the node binary and [1] is the script path, so skip both.
const args = process.argv.slice(2);
const environment = args[0] || 'staging'; // first positional argument, defaults to staging
const version = args[1] || 'latest';      // second positional argument, defaults to latest
console.log(`Deploying version ${version} to ${environment}`);
3) CI pipeline steps
npm ci
npm run lint
npm run test
npm run build
npm publish
NPM Commands Reference
| Category | Command | Description |
|---|---|---|
| Init | npm init | Create package.json |
| Install | npm install / npm ci | Install dependencies |
| Manage | npm update / npm uninstall | Update/remove packages |
| Scripts | npm run <script> | Execute scripts |
| Publish | npm publish | Publish package |
| Security | npm audit | Check vulnerabilities |
| Config | npm config list | Manage npm config |
| Info | npm view / npm search | Package metadata/search |
Common Options
--save / -S
--save-dev / -D
--save-exact / -E
--global / -g
--production
--no-save
--dry-run
--force
--workspace / -w
10 Interview Questions + 10 MCQs
Interview Pattern: 10 Q&A
1) What is the difference between npm install and npm ci? (easy)
Answer: npm install resolves dependencies and may update the lock file; npm ci performs a clean, lockfile-strict install for CI.
2) Why commit package-lock.json? (easy)
Answer: It ensures deterministic installs across environments.
3) When should a package be in devDependencies? (easy)
Answer: When it is needed only during development, testing or build (e.g., jest, eslint).
4) What is peerDependencies used for? (medium)
Answer: To declare the compatible host package versions expected in the consumer project.
5) How do you prevent accidental package publishing? (easy)
Answer: Set "private": true in package.json.
6) What does npm audit do? (medium)
Answer: Scans dependencies for known security vulnerabilities.
7) Difference between ^ and ~ in semver? (medium)
Answer: ^ allows compatible updates within the same major range; ~ allows patch updates within the same minor.
8) When to use npm link? (medium)
Answer: While developing a local package and testing it in another local project.
9) How do npm workspaces help monorepos? (hard)
Answer: They manage multiple packages with a shared install, consistent scripts, and inter-package workflows.
10) What is the prepublishOnly script for? (medium)
Answer: It runs checks/build right before publish to ensure package quality.
10 NPM MCQs
1) Command to initialize package.json with defaults?
Explanation: npm init -y accepts defaults.
2) Which command is ideal for CI installs?
Explanation: npm ci is optimized for CI with lockfile fidelity.
3) Dev dependency install flag is:
Explanation: Use -D or --save-dev.
4) What does caret (^) allow?
Explanation: Caret permits updates within the same major (usually).
5) Which field prevents publish?
Explanation: "private": true blocks publishing.
6) Command to check vulnerabilities?
Explanation: npm audit checks advisories.
7) Which command runs a custom script?
Explanation: Use npm run <script>.
8) Command to publish a package?
Explanation: Publish via npm publish.
9) Which feature helps manage monorepos in npm?
Explanation: npm workspaces support monorepo package management.
10) Which command checks outdated dependencies?
Explanation: npm outdated reports current/wanted/latest versions.