
Notes on the JavaScript package manager npm. How to update packages. How to audit packages.

Last Tended
Planted
Status: Seed

Definition

npm is a package manager for JavaScript.


SemVer

This note requires knowledge of SemVer (the Semantic Versioning Specification). The purpose of SemVer is to communicate what changed when a new version of a package is released. It splits a software version number into 3 integers separated by points (MAJOR.MINOR.PATCH). A release is categorised as 1 of the following:

Old Version   New Version   Category   Description
v1.0.0        v1.0.1        PATCH      Bug fixes were added in a backwards compatible manner.
v1.0.0        v1.1.0        MINOR      Functionality was added in a backwards compatible manner.
v1.0.0        v2.0.0        MAJOR      Incompatible API changes were made.
Source

Outdated Packages

To list outdated packages within a project, in the terminal, enter:

> npm outdated
A table of package names & versions.

For each package, this will display:

  • Current: the current version of a package within the project.
  • Wanted: the highest published version of the package that satisfies the SemVer range specified in package.json. For example:
    • ~1.0.1 tells npm to accept 1.0.1 or any later PATCH version (anything below 1.1.0).
    • ^1.0.1 tells npm to accept 1.0.1 or any later PATCH or MINOR version (anything below 2.0.0).
  • Latest: the version of the package tagged as latest in the npm registry (publishers running npm publish with no special configuration publish the package with a dist-tag of latest).
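The Wanted column is computed by matching each published version against the range in package.json. The following is an added example (not code from the original note and not npm's own implementation) that models that matching for the two prefixes described above, plus exact versions, and builds an npm outdated-style row for a constructed package. It also handles a caveat the note does not mention: for 0.x versions, ^ is as strict as ~ because 0.x releases make no compatibility promise. The package name, the list of published versions, and the assumption that "latest" is simply the highest published version are all constructed for this example.

```javascript
// Added example: a small subset of npm's SemVer range handling, written for
// this note. It is not node-semver and covers only ~, ^ and exact versions.

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate a package.json range into an inclusive lower bound and an
// exclusive upper bound:
//   ~1.0.1  ->  >=1.0.1 <1.1.0   (PATCH updates only)
//   ^1.0.1  ->  >=1.0.1 <2.0.0   (PATCH and MINOR updates)
//   1.0.1   ->  >=1.0.1 <1.0.2   (exactly 1.0.1)
// Caveat: ^0.y.z allows PATCH updates only, and ^0.0.z allows none.
function rangeBounds(range) {
  const prefix = range[0];
  const base = prefix === '~' || prefix === '^' ? range.slice(1) : range;
  const [maj, min, pat] = parseVersion(base);
  const lower = [maj, min, pat];
  if (prefix === '^' && maj > 0) return { lower, upper: [maj + 1, 0, 0] };
  if (prefix === '~' || (prefix === '^' && min > 0)) return { lower, upper: [maj, min + 1, 0] };
  return { lower, upper: [maj, min, pat + 1] }; // exact version, or ^0.0.z
}

// True if `version` falls inside `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
}

// "Wanted": the highest published version that satisfies the range, or null
// when nothing published satisfies it.
function wanted(range, published) {
  let best = null;
  for (const v of published) {
    if (satisfies(v, range) && (best === null || cmp(parseVersion(v), parseVersion(best)) > 0)) {
      best = v;
    }
  }
  return best;
}

// "Latest": in the registry this is whatever carries the `latest` dist-tag.
// Assumption for this example: the highest published version.
function latest(published) {
  return published.reduce((a, b) => (cmp(parseVersion(a), parseVersion(b)) >= 0 ? a : b));
}

// Build one row in the shape `npm outdated` prints.
function outdatedRow(name, current, range, published) {
  return { name, current, wanted: wanted(range, published), latest: latest(published) };
}

// Constructed sample: versions a hypothetical package has published.
const PUBLISHED = ['1.0.0', '1.0.1', '1.0.5', '1.1.0', '1.2.3', '2.0.0', '2.1.0'];

console.log(outdatedRow('example-pkg', '1.0.1', '~1.0.1', PUBLISHED)); // wanted 1.0.5, latest 2.1.0
console.log(outdatedRow('example-pkg', '1.0.1', '^1.0.1', PUBLISHED)); // wanted 1.2.3, latest 2.1.0
console.log(outdatedRow('example-pkg', '1.0.1', '1.0.1', PUBLISHED));  // wanted 1.0.1, latest 2.1.0
```

The gap between Wanted and Latest is exactly what npm update will not cross on its own: it moves a dependency to Wanted, and reaching Latest across a MAJOR boundary means editing the range in package.json by hand.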

Update Packages

To update all packages, in the terminal, enter:

> npm update --dd

This will update packages to the latest MINOR version that their package.json range allows. If a publisher has done a MAJOR release since you installed a package, npm update will still only update to the latest MINOR version. This is to encourage doing major package upgrades 1 package at a time, manually. There is a chance that a MAJOR upgrade will break your project, and doing them 1 at a time makes it easier to identify & fix any resulting bugs. The --dd flag is shorthand for --loglevel verbose; it prints more detail, which helps when working out why npm update didn't do what you expected.


Audit Packages

When installing packages with npm install, you sometimes see this message:

A message in the terminal.

This displays packages in your project that have released a new version that fixes vulnerabilities. This means your codebase will contain vulnerabilities until you upgrade certain packages. To fix this, in the terminal, run:

> npm audit fix

This will upgrade packages to a version that includes the vulnerability fixes, staying within the SemVer ranges in package.json (a fix that needs a MAJOR bump is left for you to do manually, as with npm update). Vulnerabilities can also be displayed in the terminal, without changing anything, by entering the command: npm audit.