You will need npm, the Node package manager, installed on your local machine. The nodejs package contains the nodejs binary as well as npm, but the version of the latter can be a little behind the latest available. It is considered good practice to install the most recent npm version separately. To see whether you already meet those prerequisites, run in your command line:
If they are not present, run:
Should you need to, check out other resources for more detailed information and alternative ways to install npm on Ubuntu.
Manage npm modules
If you are using a framework, check out its documentation to see where the package.json file should be stored.
In this example, we are managing assets in a Spring Boot application, and this framework uses the static directory to store all static resources. Go to its location:
package.json file. If you want to specify some information about your project, run the command without the --yes flag so that you can answer the questionnaire:
You can find an explanation of every attribute in the npm documentation.
An example file structure:
Libraries required only during development can be included with , while those needed in a production environment are installed simply by typing .
Use SemVer notation to control versions consciously
This notation separates the changes made over a library's lifetime into three categories: major, minor and bug-fix (patch) releases. By prefixing a required version with ~ you can regulate which improvements will be part of your project's dependencies with every
You can specify allowed versions in the package.json file with:
- – the update will install the newest release of the major version (4.*.*), which will introduce patches and new features while keeping backwards compatibility;
- – the update will install the newest release of the minor version (4.5.*), which will introduce just bug fixes;
- using the npm range calculator.
You can read more about SemVer in its documentation.
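To make the difference between the two prefixes concrete, here is an added example (not code from the original post) in POSIX sh that mimics how npm reads ^ and ~ when deciding which version an update may pick. The function names `satisfies` and `newest_allowed` are this example's own, and the version lists are constructed. It goes slightly beyond the text by also applying the caret rule npm uses for 0.x versions, where the leftmost non-zero part acts as the "major" component. Only plain major.minor.patch versions are handled (no prerelease tags).

```shell
# Added example, not from the original post: emulate npm's ^ and ~ range
# prefixes so you can see which versions an update would be allowed to pick.
# Function names are this example's own; only x.y.z versions are supported.

# at_least_base -> exit 0 when (vmaj,vmin,vpat) >= (bmaj,bmin,bpat)
at_least_base() {
  [ "$vmaj" -gt "$bmaj" ] && return 0
  [ "$vmaj" -eq "$bmaj" ] || return 1
  [ "$vmin" -gt "$bmin" ] && return 0
  [ "$vmin" -eq "$bmin" ] || return 1
  [ "$vpat" -ge "$bpat" ]
}

# satisfies RANGE VERSION -> exit 0 when VERSION is allowed by RANGE
satisfies() {
  range=$1
  version=$2
  case $range in
    '^'*) op=caret ;;
    '~'*) op=tilde ;;
    *)    op=exact ;;   # a bare "4.5.2" pins exactly that version
  esac
  base=${range#[~^]}

  # split "major.minor.patch" into three numbers
  oldifs=$IFS
  IFS=.
  set -- $base;    bmaj=$1; bmin=$2; bpat=$3
  set -- $version; vmaj=$1; vmin=$2; vpat=$3
  IFS=$oldifs

  # both prefixes mean "at least the base version"...
  at_least_base || return 1

  # ...and differ only in the upper bound
  case $op in
    exact) [ "$version" = "$base" ] ;;
    tilde) # ~4.5.2 -> >=4.5.2 <4.6.0: patch releases only
           [ "$vmaj" -eq "$bmaj" ] && [ "$vmin" -eq "$bmin" ] ;;
    caret) # ^4.5.2 -> >=4.5.2 <5.0.0: minor and patch releases;
           # for 0.x versions the leftmost non-zero part is the "major" one
           if [ "$bmaj" -gt 0 ]; then
             [ "$vmaj" -eq "$bmaj" ]
           elif [ "$bmin" -gt 0 ]; then
             [ "$vmaj" -eq 0 ] && [ "$vmin" -eq "$bmin" ]
           else
             [ "$version" = "$base" ]
           fi ;;
  esac
}

# newest_allowed RANGE VERSION... -> prints the highest listed version RANGE allows,
# which is the one an update would install from that list
newest_allowed() {
  range=$1
  shift
  for v in "$@"; do
    if satisfies "$range" "$v"; then printf '%s\n' "$v"; fi
  done | sort -t . -k 1,1n -k 2,2n -k 3,3n | tail -n 1
}

# Demo over a constructed list of published versions
for v in 4.5.1 4.5.9 4.6.0 5.0.0; do
  for r in '~4.5.2' '^4.5.2'; do
    if satisfies "$r" "$v"; then
      printf '%-7s allows  %s\n' "$r" "$v"
    else
      printf '%-7s rejects %s\n' "$r" "$v"
    fi
  done
done
printf 'update with ~4.5.2 would pick: %s\n' "$(newest_allowed '~4.5.2' 4.5.1 4.5.9 4.6.0 5.0.0)"
printf 'update with ^4.5.2 would pick: %s\n' "$(newest_allowed '^4.5.2' 4.5.1 4.5.9 4.6.0 5.0.0)"
```

The practical takeaway is the lower bound: neither prefix ever allows a version older than the one written in package.json, so a `~` pin is the conservative choice when you want an update to bring in security fixes but no new features.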
Commit only the files you need
Both the package.json and the package-lock.json files should be committed. The latter can be created by running the following command in a directory that already contains a package.json file:
It contains the specific version, the location and the requirements of every dependency given in the
In contrast, there is one directory you have to exclude from tracking, namely node_modules. It is created during either:
– if there are no dependencies in the
– if dependencies are already defined in the
The directory contains all libraries specified in the package.json file and additional modules required by npm itself. Each developer will have this folder downloaded locally by npm, so add it to your .gitignore file:
Now you can commit your changes:
Update or remove a package
A package is identified by its name and version. When you want to change a package to a newer version (one allowed by the ~ prefix), run . Remember that calling updates all packages in accordance with their given ranges.
To remove a package from your project dependencies, execute .
Unify dependencies across all machines
Now every developer working on the project can have the same dependencies installed on his or her local machine by simply running the following command:
This installs all required libraries at their given versions. The packages will be placed in the
Technically, all libraries can be downloaded manually and placed in the correct directories. However, it is time-consuming and can lead to confusion among the project contributors and errors during collaboration. I think that keeping your node_modules organized with npm makes sharing the project much more effortless.
Automatic security check
in a directory with the package-lock.json file and examine the outcome. Some of the reported vulnerabilities can be fixed automatically by running:
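"Examine the outcome" is easy to skip when the check runs unattended, so here is an added example (not code from the original post) of a small CI-style gate over the summary that `npm audit --json` prints under `metadata.vulnerabilities`. The JSON below is a constructed sample with made-up counts, and the function names `severity_count`, `blocking_count` and `audit_gate` are this example's own. npm can enforce a threshold by itself with `npm audit --audit-level=high`; this script makes the same decision explicitly and prints the counts behind it, which is useful in a pipeline log.

```shell
# Added example, not from the original post: gate a build on the severity
# summary that `npm audit --json` (npm 7+) reports. Function names are this
# example's own; the report below is a constructed sample with made-up counts.

SAMPLE_AUDIT_JSON='{
  "auditReportVersion": 2,
  "vulnerabilities": {},
  "metadata": {
    "vulnerabilities": {
      "info": 0, "low": 1, "moderate": 2, "high": 1, "critical": 0, "total": 4
    }
  }
}'

# severity_count NAME JSON -> prints the count recorded for one severity (0 if absent).
# A plain grep is enough for the summary keys; use jq for anything more elaborate.
severity_count() {
  n=$(printf '%s' "$2" | grep -o "\"$1\": *[0-9][0-9]*" | head -n 1 | sed 's/.*: *//')
  printf '%s\n' "${n:-0}"
}

# blocking_count LEVEL JSON -> prints how many findings sit at LEVEL or above
blocking_count() {
  level=$1
  json=$2
  case $level in
    info|low|moderate|high|critical) ;;
    *) echo "unknown audit level: $level" >&2; return 2 ;;
  esac
  sum=0
  counting=0
  for sev in info low moderate high critical; do
    [ "$sev" = "$level" ] && counting=1
    if [ "$counting" -eq 1 ]; then
      c=$(severity_count "$sev" "$json")
      sum=$((sum + c))
    fi
  done
  printf '%s\n' "$sum"
}

# audit_gate LEVEL JSON -> exit 0 only when nothing at LEVEL or above was reported
audit_gate() {
  blocking=$(blocking_count "$1" "$2")
  printf 'npm audit: %s finding(s) at severity %s or above\n' "$blocking" "$1" >&2
  [ "$blocking" -eq 0 ]
}

# Real use, next to package-lock.json (npm audit exits non-zero when it finds
# anything, so capture its output with "|| true" in a set -e script):
#   report=$(npm audit --json || true)
#   audit_gate high "$report"
if audit_gate high "$SAMPLE_AUDIT_JSON"; then
  echo "gate passed"
else
  echo "gate failed: review the report; npm audit fix may resolve some findings"
fi
```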
You can find countless useful features of npm by browsing its blog.