
Notes on the JavaScript package manager npm. How to update packages. How to audit packages.



npm is a package manager for JavaScript.



This note requires knowledge of SemVer (Semantic Versioning Specification). The purpose of SemVer is to communicate what changed when a new version of a package is released. It splits a version number into 3 integers, MAJOR.MINOR.PATCH, separated by points, and every release is categorised as 1 of the following:

Old Version  New Version  Category  Description
v1.0.0       v1.0.1       PATCH     Bug fixes were added in a backwards compatible manner.
v1.0.0       v1.1.0       MINOR     Functionality was added in a backwards compatible manner.
v1.0.0       v2.0.0       MAJOR     Incompatible API changes were made.

Outdated Packages

To list outdated packages within a project, in the terminal, enter:

> npm outdated

(Screenshot: a table of package names & versions.)

For each package, this will display:

  • Current: the version of the package currently installed in the project.
  • Wanted: the highest published version that satisfies the SemVer range specified for the package in package.json. For example:
    • ~1.0.1 tells npm to accept 1.0.1 or any later PATCH release of 1.0 (>=1.0.1 <1.1.0).
    • ^1.0.1 tells npm to accept 1.0.1 or any later PATCH or MINOR release of 1.x (>=1.0.1 <2.0.0). Note that ^ never changes the left-most non-zero number, so for a 0.x package ^0.1.2 only allows PATCH releases (>=0.1.2 <0.2.0).
  • Latest: the version of the package tagged as latest in the npm registry (publishers running npm publish with no special configuration publish with a dist-tag of latest).
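The ~ and ^ rules above, worked through in code. This is an added example written for this note, not code from npm itself: it models how the Wanted column is chosen for exact, ~ and ^ ranges (including the 0.x caret case) against a constructed list of published versions. It ignores pre-release tags and compound ranges, so for anything real use the semver package that npm itself uses.

```javascript
// Added example (not from the original note): a minimal model of how npm
// resolves "Wanted" for a SemVer range. Only exact versions, ~ and ^ ranges
// are handled; pre-release tags and compound ranges are out of scope.
// Use the real `semver` package for production code.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns { min, maxExclusive }; maxExclusive === null means "exactly min".
function rangeBounds(range) {
  const op = range[0] === '~' || range[0] === '^' ? range[0] : '';
  const [maj, min, pat] = parseVersion(range.slice(op.length));
  const base = `${maj}.${min}.${pat}`;
  if (op === '') return { min: base, maxExclusive: null };
  // Tilde: PATCH releases only.
  if (op === '~') return { min: base, maxExclusive: `${maj}.${min + 1}.0` };
  // Caret: anything that does not change the left-most non-zero number.
  if (maj > 0) return { min: base, maxExclusive: `${maj + 1}.0.0` };
  if (min > 0) return { min: base, maxExclusive: `0.${min + 1}.0` };
  return { min: base, maxExclusive: `0.0.${pat + 1}` };
}

function satisfies(version, range) {
  const { min, maxExclusive } = rangeBounds(range);
  if (maxExclusive === null) return compareVersions(version, min) === 0;
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Mirrors the columns of `npm outdated`: current = installed, wanted = highest
// published version inside the range, latest = the registry's "latest" dist-tag.
function outdatedRow(name, current, range, published, latestTag) {
  const wanted = published
    .filter((v) => satisfies(v, range))
    .sort(compareVersions)
    .pop() ?? null;
  return { name, current, wanted, latest: latestTag };
}

// Constructed sample registry data (the package names are made up).
const registry = {
  'example-lib': { versions: ['1.0.1', '1.0.4', '1.2.0', '1.3.7', '2.0.0'], latest: '2.0.0' },
  'zero-lib':    { versions: ['0.1.2', '0.1.9', '0.2.0', '0.3.1'], latest: '0.3.1' },
};

function demoTable() {
  const ex = registry['example-lib'], zl = registry['zero-lib'];
  return [
    outdatedRow('example-lib', '1.0.1', '~1.0.1', ex.versions, ex.latest), // wanted 1.0.4
    outdatedRow('example-lib', '1.0.1', '^1.0.1', ex.versions, ex.latest), // wanted 1.3.7
    outdatedRow('zero-lib',    '0.1.2', '^0.1.2', zl.versions, zl.latest), // wanted 0.1.9
  ];
}

console.table(demoTable());
```

The third row is the one to remember: with a 0.x dependency, ^ behaves like ~, so npm update will never pull in 0.2.0 or 0.3.1 even though Latest is 0.3.1.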

Update Packages

To update all packages, in the terminal, enter:

> npm update --dd

This updates every package to the highest published version that satisfies the range in package.json (the Wanted column above). With the default ^ ranges that means the latest MINOR or PATCH release; if a publisher has made a MAJOR release since you installed the package, npm update will not move to it. This is deliberate: a MAJOR release may contain breaking changes, so major upgrades are best done manually, 1 package at a time, which makes any resulting bugs easier to identify & fix. To do one, install the new major explicitly, e.g. npm install <package>@latest, then run your tests before moving to the next. The --dd flag raises npm's log level to verbose, so it prints more detail about what it is doing, which helps when npm update fails or does not update what you expected.

Audit Packages

When installing packages with npm install, npm checks the dependency tree against the registry's advisory database, and you sometimes see a message like this:

(Screenshot: npm's vulnerability summary in the terminal.)

This means some installed dependencies have known vulnerabilities for which a fixed version has been published. Until you upgrade them, your project ships those vulnerable versions. To fix this, in the terminal, run:

> npm audit fix

This upgrades the affected packages to a version that includes the vulnerability fix, but only where that can be done within the SemVer ranges in package.json. Fixes that need a MAJOR upgrade are reported but not applied; npm audit fix --force would apply them, at the cost of possible breaking changes, so treat those like any other major upgrade and do them 1 at a time. The findings can also be displayed without changing anything by entering the command: npm audit. It exits with a non-zero status when vulnerabilities are found, so it can serve as a check in CI; --audit-level=<severity> sets the minimum severity that causes it to fail.
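A way to triage what npm audit fix can and cannot do before running it, as an added example written for this note rather than code from npm. It assumes the report layout of npm audit --json as emitted by npm 7 and later (auditReportVersion 2, with a vulnerabilities map whose entries carry severity, isDirect and fixAvailable, the last being false, true, or an object with isSemVerMajor); the report below is constructed, not taken from a real project, and the package names in it are made up.

```javascript
// Added example (not from the original note): triaging an `npm audit --json`
// report. Assumed shape: auditReportVersion 2 as emitted by npm 7+, where each
// entry in `vulnerabilities` has `severity`, `isDirect` and `fixAvailable`
// (false, true, or { name, version, isSemVerMajor }). The report itself is a
// constructed sample; the package names are invented.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'dep-a': { name: 'dep-a', severity: 'high', isDirect: true, range: '<1.2.3',
               fixAvailable: true },
    'dep-b': { name: 'dep-b', severity: 'critical', isDirect: false, range: '<=2.0.0',
               fixAvailable: { name: 'dep-c', version: '3.0.0', isSemVerMajor: true } },
    'dep-d': { name: 'dep-d', severity: 'low', isDirect: false, range: '*',
               fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Classify each finding by what `npm audit fix` can do with it:
//   'fix'         a SemVer-compatible update exists; plain `npm audit fix` applies it
//   'fix --force' only a MAJOR bump fixes it; `npm audit fix --force` would install it,
//                 so upgrade and test that package manually instead
//   'no fix'      no patched release yet; needs a replacement or a compensating control
function triage(report) {
  return Object.values(report.vulnerabilities).map((v) => {
    let action;
    if (v.fixAvailable === false) action = 'no fix';
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) action = 'fix';
    else action = 'fix --force';
    return { name: v.name, severity: v.severity, direct: v.isDirect, action };
  });
}

// CI gate: true when anything at or above `level` remains, mirroring
// `npm audit --audit-level=<level>`, which exits non-zero in the same case.
function failsGate(report, level) {
  const threshold = SEVERITY_RANK[level];
  return Object.values(report.vulnerabilities)
    .some((v) => SEVERITY_RANK[v.severity] >= threshold);
}

console.table(triage(sampleReport));
console.log('gate at high:', failsGate(sampleReport, 'high') ? 'FAIL' : 'PASS');
```

In practice, run npm audit --json in CI, feed it to something like triage, and block the build on the gate; the 'fix --force' and 'no fix' rows are the ones that need a human decision rather than an automatic npm audit fix.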