Node JS: Package Management with NPM, Package.Json, and Package-Lock.Json Files

Node JS: Package Management with NPM, Package.Json, and Package-Lock.Json Files


Node JS (Node) is server-side JavaScript (JS). It has light-weight and performs well. Node is designed to excel in web applications where there are a large number of requests that don’t perform massive amounts of calculations and return small bundles of data as a result.

Applications written to be executed by Node JS can support thousands of concurrent user requests. It shines when it comes to supporting a RESTful API.

Let’s check out some applications where Node JS is a good fit.

In a game server, it uses the obtainable language of JavaScript to form business logic. It also programs a server catering to specific networking requirements without using C.

In a Content management system or blog, it makes it easy to make RESTful JSON APIs. Besides, it is a really good choice for a team with client-side JavaScript experience.

Node’s main and most amazing features are its standard library, module system, and of course npm. It has other features too, but these 3 are the major ones.
Today, we are going to discuss Nod’s npm, which is, in fact, one of Node’s strongest and most powerful features. You can find more information about NodeJs and
download it.

Npm (node package manager)

In fact, npm was created as a package management system for Node.js, but today it is also widely used when developing front-end projects in JavaScript.

To interact with the npm registry, the command of the same name is used. That command gives the developer a huge number of opportunities.

The npm command can be used to download packages from the registry. Npm does a lot of things like dividing dependencies into dev and production categories, adding a new package to the project and dependencies section, updating and upgrading already installed packages to newer versions, uninstalling installed packages, running scripts from package.json, etc.

Let’s look at examples of its use below.
If the project has a package.json file, and you want to install all project dependencies,
use the following command to install them:

npm install

This command will download everything the project needs and place these materials in the _nodemodules folder, creating it if it does not exist in the project directory.

To install a separate package use the following command:

npm install 

Oftentimes you can notice how this command is used not in a simple form, but with some flags. Let’s have a look.

The –save flag allows you to install a package and add an entry for it to the dependencies section of the package.json file, which describes the project’s dependencies. These dependencies are used by the project to implement its main functionality; they are installed during its deployment on the server (after the release of npm 5, records about the installed packages in the dependencies section are made automatically, and without using this flag).

  "dependencies": {
    "lodash": "^4.17.21"

The –save-dev flag allows you to install a package and add an entry about it to the section containing a list of development dependencies (that is, packages that are needed during project development, such as libraries for testing, but are not required for its production execution) of the package.json file called devDependencies.
Libraries for testing (jest) or packages for linting (eslint), for hooking git commands (husky), and so on.

  "devDependencies": {
    "jest": "^26.6.3"

To update packages use the following command:

npm update

After receiving this command, npm will check all packages for new versions, and if it finds new versions that match the package version restrictions set in package.json, npm will install them.

To update a separate package use this command:

npm update 

Npm also supports downloading specific versions of packages. The ability to install a specific version of a certain package is useful in situations where, for example, the most recent release of this package is quite suitable for you, but it turns out it has a bug in it. While waiting for a fixed version of a package to be released, you can use an older but stable release.

The ability to specify specific versions of the libraries needed by the project is useful in team development when all team members use the same libraries.

Where does npm install packages?

When installing packages using npm, two installation options are available: local and global.
By default, when a command like npm install lodash is used to install a package, the package ends up in the _nodemodules folder located in the project folder.

Global installation of packages is done using the -g flag:

npm install -g lodash

By executing a command like this, npm does not install the package to the local project folder. Instead, it copies the package files to a global location. Let’s figure out where exactly do these files go?

To figure it out, use the following command:

npm root -g

On macOS or Linux, package files may appear in the /usr/local/lib/node_modules directory. On Windows, it could be something like C:UsersYOUAppDataRoamingnpmnode_modules.

However, if you are using Node.js nvm for versioning, the path to the global packages folder may change.
For example, I use nvm, and the above command tells me that global packages are installed at this address: /Users/flavio/.nvm/versions/node/v8.9.0/lib/node_modules.

Package.json file

The package.json file is an essential element of many projects based on the Node.js ecosystem. If you have worked with JavaScript, whether it was server-side or client-side development, then you have probably seen the package.json file before.

Now let’s find out when to use a package.json file.
You may have an idea for a small script and may be wondering if a package.json file is really necessary. It isn’t always necessary, but in general, you should create them as often as possible. Node developers prefer small modules, and expressing dependencies in package.json means your project, no matter how small, is super-easy to install in the future, or on another person’s platform.

Why is it needed? What should you know about it and what opportunities does it give you?
Package.json is a kind of manifest file for a project. It gives the developer a lot of versatile possibilities at his disposal. For example, it provides a central repository of settings for the tools used in a project. It is also where npm and yarn store information about the names and versions of installed packages.

Here’s an example of the simplest package.json file:


As you can see, it is empty. There are no tough requirements of what should be present in such a file for an application. The only requirement for the structure of the file is that it must follow the rules of the JSON format. Otherwise, this file cannot be read by programs that will try to access its contents.

If you’re creating a Node.js package that you want to distribute via npm, things change radically, and your package.json should have a set of properties to help other people use the package.
Here’s another example of package.json:

  "name": "test-project"

The example contains the name property, the value of which is the name of the application or package that is contained in the same folder where this file is located.

Package-lock.json File

The package-lock.json file has been in use since npm version 5 became available. It is generated automatically when Node.js packages are installed.
What kind of file is it? Possibly, you have not heard about this file. It became available with version 5 when npm introduced it.

The purpose of this file is to keep track of the exact versions of installed packages so that the product being developed is 100% reproducible in its original form, even if the package maintainers have updated it.

This file solves a very specific issue that package.json does not. In package.json, you can specify which updates of a certain package are suitable for you (patch versions or minor versions) using the above version specifiers.

Git does not commit the _nodemodules folder, as it is usually huge. When you try to recreate the project on another platform, using the npm install command it is going to be installed if you specified the ~ syntax and a patch release of a package has been released. In fact the same works for ^ and other minor releases.

So someone is trying to initialize a project using the npm install command. When new versions of packages are released, it will turn out that this project is different from the original one. Even if, following the rules of semantic versioning, minor releases and patch releases should not contain changes that prevent backward compatibility, we all know that bugs can (and do) go anywhere.
The package-lock.json file stores the version information of each installed package unchanged, and npm will use those package versions when running the npm install command.

The approach of package-lock.json is not new. Other programming languages package managers (like Composer in PHP) have been using an alike system for years.

The package-lock.json file needs to be uploaded to the Git repository, which will allow other people to download it if the project is publicly available, or if the project is being developed by a team of programmers, or if you use Git to deploy the project.

The dependency versions will be updated in package-lock.json after running the npm update command.

We hope you learned how important is to take advantage of Node’s unique tools like the package.json file and npm. Now it’s time for techniques. Good Luck!

Looking for Developers Jobs?

Discover more on!

Leave a Reply

Your email address will not be published.