Original author(s): Isaac Z. Schlueter
Developer(s): npm, Inc. (a subsidiary of GitHub, a subsidiary of Microsoft)
Initial release: 12 January 2010
Stable release: 10.2.4 / 15 November 2023
License: Artistic License 2.0
It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
package.json file. In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version. npm additionally provides the package-lock.json file, which records the exact version used by the project after evaluating the semantic versioning ranges in
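The range matching and locking described above, as an added example that is not npm's own code: a minimal matcher for the "^" and "~" range forms over plain MAJOR.MINOR.PATCH versions (prerelease tags and compound ranges are left out), a resolver that picks the highest published version in range, and an install step that reuses a locked version so a later release does not silently change what gets installed. The package name and the registry snapshot are constructed for the example.

```javascript
// Added example, not npm's own code: how a package.json range such as "^1.2.3"
// or "~1.2.3" is matched against a package's published versions, and how the
// chosen version is then frozen in a package-lock.json-style record.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// "^" keeps the leftmost non-zero component fixed, "~" keeps major and minor
// fixed, and a bare version is an exact pin. Nothing below the base matches.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = '^~'.includes(range[0]) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  const fixed = op === '~' ? 2 : base[0] !== 0 ? 1 : base[1] !== 0 ? 2 : 3;
  return base.slice(0, fixed).every((x, i) => x === v[i]);
}
// With no lock, npm picks the highest published version that is in range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range));
  return ok.length ? ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop() : null;
}
// Resolve each dependency, reusing a locked version while it still satisfies
// the declared range; otherwise fall back to a fresh resolution.
function install(deps, registry, lock = {}) {
  const out = {};
  for (const [name, range] of Object.entries(deps)) {
    const locked = lock[name];
    out[name] = locked && satisfies(locked, range) ? locked : resolve(range, registry[name] || []);
  }
  return out;
}

// Constructed registry snapshot for a hypothetical package, before and after a
// 1.4.0 release: the caret range drifts without a lock and stays put with one.
function demo() {
  const deps = { 'left-pad-ish': '^1.2.3' };
  const before = { 'left-pad-ish': ['1.1.0', '1.2.3', '1.2.4', '1.3.0'] };
  const lock = install(deps, before);
  const after = { 'left-pad-ish': [...before['left-pad-ish'], '1.4.0'] };
  return { locked: lock, unlockedLater: install(deps, after), lockedLater: install(deps, after, lock) };
}
```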
In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm on Linux systems would change the ownership of system files, permanently breaking the operating system.
In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages. The vulnerability data was taken from reports found on the Node Security Platform (NSP), which has been integrated with npm since npm's acquisition of NSP.
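One way to act on the audit output in a build pipeline, as an added example that is not npm's own code: a gate over the JSON that `npm audit --json` prints, which fails the build on findings at or above a chosen severity and separates what `npm audit fix` can clear from what needs a breaking upgrade. The report shape assumed here is the npm 7+ one (top-level "vulnerabilities" keyed by package name, each carrying "severity", "isDirect", "via" and "fixAvailable"); the report contents, package names and advisory titles are constructed sample data.

```javascript
// Added example, not npm's own code: gate a CI job on the JSON that
// `npm audit --json` prints. Assumed npm 7+ shape: "vulnerabilities" keyed
// by package name, each with "severity", "isDirect", "via" advisories and
// "fixAvailable" (true/false, or an object when the fix is a major bump).
// The report below is constructed sample data, not a real audit.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'tiny-util': { name: 'tiny-util', severity: 'low', isDirect: false, fixAvailable: true,
      via: [{ title: 'Constructed advisory A', url: 'https://example.invalid/a' }] },
    'parse-args': { name: 'parse-args', severity: 'moderate', isDirect: false, fixAvailable: true,
      via: ['tiny-util', { title: 'Constructed advisory B', url: 'https://example.invalid/b' }] },
    'web-core': { name: 'web-core', severity: 'high', isDirect: true,
      fixAvailable: { name: 'web-core', version: '3.0.0', isSemVerMajor: true },
      via: [{ title: 'Constructed advisory C', url: 'https://example.invalid/c' }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};
function rank(severity) {
  const i = SEVERITY_ORDER.indexOf(severity);
  if (i < 0) throw new Error(`unknown severity: ${severity}`);
  return i;
}
// True when `npm audit fix` can clear the entry without a breaking upgrade.
function autoFixable(fix) {
  return fix === true || (typeof fix === 'object' && fix !== null && !fix.isSemVerMajor);
}
// Findings at or above the threshold, most severe first. "via" mixes strings
// (the transitive dependency that carries the flaw) and advisory objects.
function findingsAtOrAbove(report, threshold) {
  const min = rank(threshold);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => rank(v.severity) >= min)
    .sort((a, b) => rank(b.severity) - rank(a.severity))
    .map((v) => ({
      name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      autoFixable: autoFixable(v.fixAvailable),
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
    }));
}
// Fail the build on anything at or above the threshold; report separately
// which findings need a manual (breaking) upgrade rather than `npm audit fix`.
function gate(report, threshold = 'high') {
  const findings = findingsAtOrAbove(report, threshold);
  return { pass: findings.length === 0, findings, needsManualFix: findings.filter((f) => !f.autoFixable).map((f) => f.name) };
}
console.log(JSON.stringify(gate(SAMPLE_REPORT, 'moderate'), null, 2));
```

To run it against a real report, replace SAMPLE_REPORT with `JSON.parse` of the saved `npm audit --json` output and exit non-zero when `pass` is false.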
Over 1.3 million packages are available in the main npm registry.
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious. npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages.
Security and disruption
Dependency chain issues
In March 2016, npm attracted press attention after a package called
In April 2020, a small package called is-promise caused outages in serverless applications and deployments worldwide by virtue of being a dependency of many big and important applications.
Compromised and disruptively-edited packages
In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.
In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package.
In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?"
In March 2022, developer Brandon Nozaki Miller released a version of the package node-ipc containing malicious code that would delete files from users with Belarusian and Russian IP addresses, in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, so users of Vue.js whose installs fetched the latest node-ipc release were affected by the malicious package. The affected dependency was also briefly present in version 3.1 of Unity Hub; a hotfix removing it was released the same day.
npmd, and Yarn, the last of which was released by Facebook in October 2016. They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client.