Back to roadmaps nodejs Course
Table of Contents (19 guides)

NPM Ecosystem and package.json

Node Package Manager (NPM) is the largest software registry in the world. It plays a key role in dependency tracking and automation. Let us look at its core concepts.

1. Understanding package.json Fields

Every Node.js project or module starts with a package.json file at its root. This defines metadata, direct dependencies, and scripts:

{
  "name": "my-backend-app",
  "version": "1.0.0",
  "type": "module",
  "scripts": {
    "start": "node dist/index.js",
    "dev": "nodemon src/index.js",
    "test": "node --test"
  },
  "dependencies": {
    "express": "^4.19.2"
  },
  "devDependencies": {
    "nodemon": "^3.1.0"
  }
}

Direct vs Development Dependencies

  • dependencies: Required to run the application in production (e.g., database drivers, web frameworks).
  • devDependencies: Required only during development and build compilation (e.g., test tools, TypeScript compiler, bundlers).

2. Deciphering Semantic Versioning (SemVer)

NPM uses Semantic Versioning to determine which dependency updates can be safely installed. The version structure is MAJOR.MINOR.PATCH (e.g., 4.19.2):

  • MAJOR: Breaking changes that require updates to your code.
  • MINOR: New features added in a backward-compatible manner.
  • PATCH: Backward-compatible bug fixes.

Version Prefixes

  • Caret (^4.19.2): Installs compatible minor and patch updates (e.g., updates to 4.20.0 or 4.19.3, but never 5.0.0).
  • Tilde (~4.19.2): Installs compatible patch updates only (e.g., updates to 4.19.5, but never 4.20.0).
  • Exact (4.19.2): Installs only that specific version.

3. Package Lockfiles (package-lock.json)

While package.json uses prefixes to define version ranges, package-lock.json records the exact version of every dependency installed on your machine. This ensures that every developer and CI/CD server installs the exact same dependency tree.

Best Practice: Always commit package-lock.json to source control. Never edit this file manually.

4. Custom Scripts and Automation

You can run defined script targets using the run command:

# Run the dev command defined in package.json scripts
npm run dev

# Run test targets
npm run test

Pre and Post Hooks

NPM automatically detects pre and post prefixes in script names and runs them sequentially:

"scripts": {
  "prebuild": "rm -rf dist",
  "build": "tsc",
  "postbuild": "copyfiles public/**/* dist"
}

Running npm run build will execute:

  1. prebuild (cleans the build folder)
  2. build (runs the compiler)
  3. postbuild (copies assets)
Published on Last updated:
Previous Guide CORS and Cookie Management Next Guide Publishing Your NPM Package