{"id":1580,"date":"2022-05-12T09:24:10","date_gmt":"2022-05-12T09:24:10","guid":{"rendered":"https:\/\/blog.amt.in\/?p=1580"},"modified":"2022-05-12T09:24:10","modified_gmt":"2022-05-12T09:24:10","slug":"introduction-to-node-package-manager","status":"publish","type":"post","link":"https:\/\/blog.amt.in\/index.php\/2022\/05\/12\/introduction-to-node-package-manager\/","title":{"rendered":"Introduction to Node Package Manager"},"content":{"rendered":"<p>npm (Node Package Manager) is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc., which has been part of GitHub since 2020.<\/p>\n<p>npm is written entirely in JavaScript and was developed by Isaac Z. Schlueter as a result of having &#8220;seen module packaging done terribly&#8221; and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl).<\/p>\n<p><span id=\"Notable_breakages\" class=\"mw-headline\">Notable breakages:<\/span><\/p>\n<ul>\n<li>In March 2016, npm attracted press attention after a package called <code>left-pad<\/code>, which was a dependency of many popular JavaScript packages, was unpublished as the result of a naming dispute. Although the package was republished three hours later, it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.<\/li>\n<li>In February 2018, an issue was discovered in version 5.7.0 in which running <code>sudo npm<\/code> on Linux systems would change the ownership of system files (including directories such as <code>\/etc<\/code> and <code>\/usr<\/code>) to the invoking user, leaving the operating system broken.<\/li>\n<li>In July 2018, the npm credentials of a maintainer of the popular <code>eslint-scope<\/code> package were compromised, resulting in a malicious release of <code>eslint-scope<\/code>, version 3.7.2. The malicious code ran as an install script, read the npm credentials (the auth token in <code>.npmrc<\/code>) of the machine installing <code>eslint-scope<\/code> and uploaded them to the attacker. Because 3.7.2 was a patch release, any project that depended on the package through a caret or tilde range and had no lockfile picked it up automatically.<\/li>\n<li>In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package <code>event-stream<\/code>. The malicious package, called <code>flatmap-stream<\/code>, contained an encrypted payload that steals bitcoins from certain applications (it targeted the Copay wallet). npm administrators responded by removing the offending package.<\/li>\n<\/ul>\n
<p>npm is included as a recommended feature in the Node.js installer. The npm client interacts with a remote registry and allows users to consume and distribute the JavaScript modules available there. Packages on the registry are JavaScript modules (historically in CommonJS format) and include a metadata file, <code>package.json<\/code>, in JSON format. Well over a million packages are available on the main npm registry. The registry has no vetting process for submission: anyone with an account can publish under any unclaimed name, which means that packages found there can be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure or malicious. npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages, though download counts say nothing about whether a release is malicious: <code>event-stream<\/code> had about two million weekly downloads when it was compromised.<\/p>\n<p>In npm version 6, the <code>npm audit<\/code> feature was introduced to help developers identify and fix vulnerabilities and security issues in installed packages. The security advisories were originally taken from reports on the Node Security Platform (NSP), which has been integrated with npm since npm&#8217;s acquisition of NSP in 2018; advisories are now served from the GitHub Advisory Database. <code>npm audit<\/code> only matches the resolved dependency tree against known advisories, so it reports a compromised package only after the compromise has been disclosed.<\/p>\n
<p>npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. When used as a dependency manager for a local project, npm can install, in one command (<code>npm install<\/code>), all the dependencies of a project listed in the <code>package.json<\/code> file. In the <code>package.json<\/code> file, each dependency can specify a range of valid versions using the semantic versioning scheme (for example, <code>^1.2.3<\/code> accepts any 1.x.y release at or above 1.2.3), allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. This protection holds only as long as maintainers, and whoever controls their credentials, follow semantic versioning: a malicious patch release is still inside the range. npm also provides version-bumping tools (<code>npm version<\/code>) for developers to tag their packages with a particular version. npm also provides the <code>package-lock.json<\/code> file, which records the exact version resolved for every package in the dependency tree after evaluating the ranges in <code>package.json<\/code>, together with the tarball URL it was fetched from and an integrity hash of that tarball. Committing the lockfile and installing with <code>npm ci<\/code>, which installs exactly what the lockfile records and fails if it disagrees with <code>package.json<\/code>, keeps a build from silently picking up a newer release.<\/p>\n<p>The above is a brief overview of Node Package Manager. Watch this space for more updates on the latest trends in technology.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>npm (Node Package Manager) is a package manager for<\/p>\n","protected":false},"author":1,"featured_media":1582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,418,154,7],"tags":[14,420,156,18],"class_list":["post-1580","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-javascript","category-node-package-manager","category-programming-language","category-techtrends","tag-javascript","tag-node-package-manager","tag-programming-language","tag-technology"],"_links":{"self":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/comments?post=1580"}],"version-history":[{"count":1,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1580\/revisions"}],"predecessor-version":[{"id":1581,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/posts\/1580\/revisions\/1581"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/
wp-json\/wp\/v2\/media\/1582"}],"wp:attachment":[{"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/media?parent=1580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/categories?post=1580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.amt.in\/index.php\/wp-json\/wp\/v2\/tags?post=1580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
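The package.json / package-lock.json paragraph in the post above describes version ranges and exact pinning in the abstract. What follows is an added example, written for this page and not code from the original post or from npm itself, in plain Node.js with no dependencies: a small matcher for the range forms npm writes by default (exact, caret, tilde and the partial `1.2` / `1` forms, with node-semver's special rules for `0.x` caret ranges) and a consistency check that walks a `package-lock.json` (lockfileVersion 2 or 3) against `package.json`. The check goes slightly beyond what the post mentions: besides confirming that every locked version lies inside its declared range, it flags entries without a `sha512-` integrity value and tarballs not resolved over HTTPS from the expected registry host, which is what a tampered or hand-edited lockfile looks like. The package names (`scope-lib`, `stream-lib`), the `registryHost` option and the sample objects are constructed for the example; the integrity string is a placeholder, not a real digest.

```javascript
// Added example (not from the original post or from npm): a matcher for the
// range forms npm writes into package.json by default plus a package-lock.json
// v2/v3 consistency check. Ranges this matcher does not understand (prerelease
// tags, ">=", "||", "*") count as NOT satisfied, so the checker reports them.

// Parse "1.2.3", "1.2" or "1" into [major, minor, patch]; missing parts are
// null. Returns null for anything else, including "1.2.3-beta.1".
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  const num = (s) => (s === undefined ? null : Number(s));
  return [Number(m[1]), num(m[2]), num(m[3])];
}

// Lexicographic compare of two complete [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Translate a range into { lower (inclusive), upper (exclusive) }; upper is null
// for an exact pin. Bounds follow node-semver: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0,
// ^0.0.3 -> <0.0.4, ~1.2.3 -> <1.3.0, ~1 -> <2.0.0, "1.2" -> <1.3.0, "1" -> <2.0.0.
function parseRange(range) {
  const r = String(range).trim();
  const op = r.startsWith("^") || r.startsWith("~") ? r[0] : "";
  const parts = parseVersion(r.slice(op.length));
  if (!parts) return null;
  const [maj, min, pat] = parts;
  const lower = [maj, min === null ? 0 : min, pat === null ? 0 : pat];
  let upper = null;
  if (op === "^") {
    if (maj > 0 || min === null) upper = [maj + 1, 0, 0];
    else if (min > 0 || pat === null) upper = [0, min + 1, 0];
    else upper = [0, 0, pat + 1];
  } else if (op === "~" || pat === null) {
    upper = min === null ? [maj + 1, 0, 0] : [maj, min + 1, 0];
  }
  return { lower, upper };
}

// True when `version` (a complete release version) falls inside `range`.
function satisfies(range, version) {
  const r = parseRange(range);
  const v = parseVersion(version);
  if (!r || !v || v.includes(null)) return false;
  if (r.upper === null) return compareVersions(v, r.lower) === 0;
  return compareVersions(v, r.lower) >= 0 && compareVersions(v, r.upper) < 0;
}

// Check a package-lock.json object against a package.json object. An empty result
// means every declared dependency is locked inside its range, every entry has a
// sha512 integrity value, and every tarball was resolved over HTTPS from the registry.
function checkLockfile(pkg, lock, { registryHost = "registry.npmjs.org" } = {}) {
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    return ["lockfile has no \"packages\" map (lockfileVersion 1 is not handled here)"];
  }
  const findings = [];
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages["node_modules/" + name];
    if (!entry) findings.push(`${name}: declared in package.json but missing from the lockfile`);
    else if (!satisfies(range, entry.version)) {
      findings.push(`${name}: locked version ${entry.version} does not satisfy ${range}`);
    }
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project entry / workspace symlink
    if (!/^sha512-/.test(entry.integrity || "")) findings.push(`${path}: no sha512 integrity hash`);
    let url = null;
    try { url = new URL(entry.resolved); } catch (_) { /* missing or unparsable */ }
    if (!url || url.protocol !== "https:" || url.hostname !== registryHost) {
      findings.push(`${path}: resolved from unexpected source ${entry.resolved}`);
    }
  }
  return findings;
}

// Constructed sample inputs: hypothetical package names and a placeholder integrity
// value (not a real digest). "stream-lib" is the tampered entry: no integrity, HTTP URL.
const samplePackageJson = { name: "example-app", dependencies: { "scope-lib": "^3.7.1", "stream-lib": "~1.2.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: samplePackageJson.dependencies },
    "node_modules/scope-lib": { version: "3.7.1", resolved: "https://registry.npmjs.org/scope-lib/-/scope-lib-3.7.1.tgz", integrity: "sha512-" + "A".repeat(86) + "==" },
    "node_modules/stream-lib": { version: "1.2.4", resolved: "http://mirror.example/stream-lib-1.2.4.tgz" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // A patch release sits inside a caret range: that is how a malicious
  // 3.7.2 would reach anyone who installs without a lockfile.
  console.log("^3.7.1 admits 3.7.2:", satisfies("^3.7.1", "3.7.2"));
  console.log(checkLockfile(samplePackageJson, sampleLock));
}
```

Run it with `node` to see that `^3.7.1` admits `3.7.2`, the shape of the eslint-scope incident described above, and that the tampered `stream-lib` entry produces two findings. In a real pipeline the same check would read both files with `JSON.parse(fs.readFileSync(...))` and fail the build on any finding; pair it with `npm ci`, which refuses to install when the lockfile and `package.json` disagree.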