 | This articlerelies excessively onreferences toprimary sources. Please improve this article by addingsecondary or tertiary sources. Find sources: "Npm" – news ·newspapers ·books ·scholar ·JSTOR(June 2020) (Learn how and when to remove this message) |
 | |
| Original author(s) | Isaac Z. Schlueter |
|---|---|
| Developer(s) | npm, Inc. (a subsidiary ofGitHub,[1] a subsidiary ofMicrosoft) |
| Initial release | 12 January 2010; 15 years ago (2010-01-12)[2] |
| Stable release | 11.2.0[3]  / 5 March 2025 |
| Repository | |
| Written in | JavaScript |
| Platform | Cross-platform |
| Type | Package manager |
| License | Artistic License 2.0 |
| Website | www |
npm is apackage manager for theJavaScript programming language maintained by npm, Inc., a subsidiary ofGitHub. npm is the default package manager for the JavaScript runtime environmentNode.js and is included as a recommended feature in the Node.js installer.[4]
It consists of a command line client, also called npm, and anonline database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
Although "npm" is commonly understood to be an abbreviation of "Node Package Manager", it is officially arecursivebackronymic abbreviation for "npm is not an acronym".[5]
npm can manage packages that are localdependencies of a particular project, as well as globally-installed JavaScript tools.[6] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through thepackage.json file.[7] In thepackage.json file, each dependency can specify a range of validversions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes.[8] npm also provides version-bumping tools for developers to tag their packages with a particular version.[9] npm also provides thepackage-lock.json[10] file which has the entry of the exact version used by the project after evaluating semantic versioning inpackage.json.
Thenpx command, which is an acronym forNode Package eXecuter,[11] executes packages without running them.[12]: 22
npm'scommand-line interface client allows users to consume and distribute JavaScript modules that are available in the registry.[13] In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.[14] The source of security vulnerabilities were taken from reports found on the Node Security Platform (NSP) and has been integrated with npm since npm's acquisition of NSP.[15]
Packages in the registry are inECMAScript Module (ESM) orCommonJS format and include a metadata file inJSON format.[16] Over 3.1 million packages are available in the main npm registry.[17] The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.[16] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.[18] npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages.[19] Internally npm relies on the NoSQLCouch DB to manage publicly available data.[20]
npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such asPEAR (PHP) andCPAN (Perl).[21] npm is a JavaScript replacement for pm, ashell script.[22]
The company npm, Inc. was founded in 2014 inOakland, California, United States, with Laurie Voss as co-founder. Bryan Bogensberger joined the company as CEO in July 2018 and resigned in September 2019.[23] Before Bogensberger's resignation, Laurie Voss resigned in July 2019.[24]
Theleft-pad incident occurred in March 2016, a package calledleft-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, andKik.[25][26] The package was immensely popular on the platform, being depended on by thousands of projects and reaching 15 million downloads prior to its removal.[25][27] Several projects critical to the JavaScript ecosystem includingBabel andWebpack depended onleft-pad and were rendered unusable.[28] Although the package was republished three hours later,[29] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.[30]
In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular packageevent-stream.[31] The malicious package, calledflatmap-stream, contained an encrypted payload that stolebitcoins from certain applications.[32]
In March 2020, npm was acquired byGitHub, which is a subsidiary ofMicrosoft.
In May 2021,pac-resolver, an npm package that received over 3 million downloads per week, was discovered to have aremote code execution vulnerability.[33] The vulnerability resulted from how the package handled config files, and was fixed in versions 5 and greater.[34]
In January 2022, the maintainer of the popular packagecolors pushed changes printing garbage text in an infinite loop.[27] The maintainer also cleared the repository of another popular package,faker, and its package on npm, and replaced it with a README that read, "What really happened toAaron Swartz?"[35]
In March 2022 thepeacenotwar incident occurred. DeveloperBrandon Nozaki Miller, maintainer of thenode-ipc package, addedpeacenotwar as a dependency to the package;peacenotwar recursively overwrites an affected machine's hard drive contents with theheart emoji if they have a Belarusian or Russian IP address. The package also leaves atext file on the machine containing a message in protest of theRussian invasion of Ukraine.Vue.js, which usesnode-ipc as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js became affected by the malicious package if the dependency was fetched as the latest package.[36][37] The affected dependency was also briefly present in version 3.1 ofUnity Hub; a hotfix was released the same day to remove the issue, however.[38]
In May 2023, several npm packages includingbignum were found to be exploited, stealing user credentials and information from affected machines. Researchers discovered that these packages had been compromised through an exploit involvingAmazon S3 buckets and thenode-gyp command line tool.[39]
There are a number of open-source alternatives to npm for installing modular JavaScript, includingpnpm,Yarn,[40]Bun andDeno. Deno and Bun also provide a JavaScript runtime, while only Deno operates independently from npm Registry or any centralized repository[41] and its support of npm registry is still a subject of ongoing work in progress as of January 2024.[42] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance anddeterminism compared to the npm client.[43]
| Platform |  | |
|---|---|---|
| Frameworks | ||
| Libraries | ||
| Languages | ||
