npm is a package manager for the JavaScript programming language maintained by npm, Inc., a subsidiary of GitHub. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc. Although "npm" is commonly understood to be an abbreviation of "Node Package Manager", it is officially a recursive backronymic abbreviation for "npm is not an acronym".


Characteristics

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file. In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version. npm also provides the package-lock.json file, which records the exact version used by the project after evaluating the semantic versioning ranges in package.json. The npx command, an acronym for Node Package eXecute, executes packages without installing them. npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages. The vulnerability data was taken from reports on the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
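The range and lockfile behaviour described above, as an added example (not code from the article or from npm itself): a small JavaScript evaluator for caret, tilde and exact ranges that shows which published version a fresh install would pick versus the exact version a package-lock.json entry pins. The package name and the list of published versions are constructed sample data, and pre-release tags are not handled.

```javascript
// Added example, not part of the article or the npm project: a minimal
// evaluator for the two most common package.json range operators, "^"
// (caret) and "~" (tilde), plus exact pins. Pre-release tags and build
// metadata are deliberately unsupported. Versions and package name are
// constructed sample data.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if version `v` is inside `range`.
function satisfies(v, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parse(op ? range.slice(1) : range);
  const ver = parse(v);
  if (compare(ver, base) < 0) return false;       // never below the base
  if (op === '') return compare(ver, base) === 0; // exact pin
  // Exclusive upper bound: "~" bumps the minor; "^" bumps the leftmost
  // non-zero component (so ^0.2.3 allows <0.3.0 and ^0.0.3 allows <0.0.4).
  let idx = op === '~' ? 1 : base.findIndex(x => x !== 0);
  if (idx < 0) idx = 2;
  const upper = base.map((x, i) => (i < idx ? x : i === idx ? x + 1 : 0));
  return compare(ver, upper) < 0;
}

// Highest published version a range resolves to, i.e. what a fresh
// `npm install` with no package-lock.json would fetch; null if none match.
function resolve(range, published) {
  const ok = published.filter(v => satisfies(v, range));
  return ok.length ? ok.sort((a, b) => compare(parse(a), parse(b))).pop() : null;
}

// Constructed sample: the maintainer has shipped new minor and major releases
// since the project was locked to 1.2.3.
const published = ['1.2.3', '1.2.9', '1.4.0', '2.0.0'];
const lockfile = { 'some-dep': { version: '1.2.3' } }; // package-lock.json entry

console.log(resolve('^1.2.3', published)); // 1.4.0: the range drifts forward
console.log(resolve('~1.2.3', published)); // 1.2.9
console.log(resolve('1.2.3', published));  // 1.2.3
console.log(lockfile['some-dep'].version); // 1.2.3 regardless of the range
```

The forward drift of an unpinned range is the mechanism behind several of the incidents in the controversies section below, where a newly published release of an existing dependency was picked up automatically by projects that had not pinned it.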


Registry

Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. Over 3.1 million packages are available in the main npm registry. The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious. npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. Internally, npm relies on the NoSQL database CouchDB to manage publicly available data.


History

npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl). npm is a JavaScript replacement for pm, a shell script. The company npm, Inc. was founded in 2014 in Oakland, California, United States, with Laurie Voss as co-founder. Bryan Bogensberger joined the company as CEO in July 2018 and resigned in September 2019. Before Bogensberger's resignation, Laurie Voss resigned in July 2019. In March 2020, npm was acquired by GitHub, which is a subsidiary of Microsoft.


Package controversies


left-pad

In March 2016, a package called left-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik. The package was immensely popular on the platform, being depended on by thousands of projects and reaching 15 million downloads prior to its removal. Several projects critical to the JavaScript ecosystem, including Babel and Webpack, depended on left-pad and were rendered unusable. Although the package was republished three hours later, it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.


flatmap-stream

In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications.


pac-resolver

In May 2021, pac-resolver, an npm package that received over 3 million downloads per week, was discovered to have a remote code execution vulnerability. The vulnerability resulted from how the package handled config files, and was fixed in versions 5 and greater.


colors and faker

In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?"


node-ipc and peacenotwar

In March 2022, developer Brandon Nozaki Miller, maintainer of the node-ipc package, added peacenotwar as a dependency to the package. peacenotwar recursively overwrites an affected machine's hard drive contents with the heart emoji if the machine has a Belarusian or Russian IP address. The package also leaves a text file on the machine containing a message in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js received the peacenotwar package if they were using its latest version. The package was also briefly present as a dependency in version 3.1 of Unity Hub; however, a hotfix was released the same day to remove the dependency.


bignum

In May 2023, several npm packages including bignum were found to be exploited, stealing user credentials and information from affected machines. Researchers discovered that these packages had been compromised through an exploit involving Amazon S3 buckets and the node-gyp command line tool.


Alternatives

There are a number of open-source alternatives to npm for installing modular JavaScript, including pnpm, Yarn, Bun and Deno. Deno and Bun also provide a JavaScript runtime; only Deno operates independently of the npm registry or any centralized repository, and its support for the npm registry was still a work in progress as of January 2024. They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.


See also

* Software repository
* pnpm
* yarn (package manager)

