Npm

npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json file. In the package.json file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. npm also provides version-bumping tools for developers to tag their packages with a particular version. npm also provides the package-lock.json file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json. The npx command, which is an acronym for Node Package eXecuter, executes packages without installing them. npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages. The source of security vulnerabilities were taken from reports found on the Node Security Platform (NSP) and has been integrated with npm since npm's acquisition of NSP. Registry Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. Over 3.1 million packages are available in the main npm registry. The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. Internally npm relies on the NoSQL Couch DB to manage publicly available data. == History ==

npm (originally short for Node Package Manager) was created in 2010 by as a response to existing module packaging systems in the JavaScript ecosystem, which he considered to be inadequate. Schlueter was influenced by earlier tools such as PEAR for PHP and CPAN for Perl, and aimed to develop a lightweight, community-oriented package manager designed for the Node.js runtime. npm was introduced as a more capable alternative to an earlier shell script-based tool named pm, which had limited features for managing Node.js packages. The first version of npm was released on January 12, 2010. Over time, npm was increasingly adopted within the Node.js developer community. Its ease of use, speed, and ability to distribute reusable code contributed to its widespread usage as a package manager. It played a significant role in the development of the JavaScript ecosystem by enabling efficient dependency management and sharing of open-source libraries. In 2014, the company npm, Inc. was established in Oakland, California by Schlueter and Laurie Voss to oversee the maintenance of the npm registry and to provide related services. In July 2018, Bryan Bogensberger was appointed as CEO of npm, Inc. During his tenure, the company faced both technical and community challenges, including concerns related to registry performance and organizational transparency. Voss departed the company in July 2019, followed by Bogensberger in September of the same year. In March 2020, npm, Inc. was acquired by GitHub, a subsidiary of Microsoft. The acquisition was presented as a step toward improving the infrastructure of the npm registry and strengthening integration with GitHub's developer tools. Post-acquisition, GitHub committed to keeping the public npm registry free to use and open to the developer community. It also announced enhancements including improved security features, better command-line tooling, and publishing support via GitHub Actions. As of 2025, npm remains one of the most widely used software package registries, hosting a substantial number of open-source packages and serving billions of downloads on a regular basis. It continues to serve as a central infrastructure component for JavaScript and web development workflows. == Package controversies ==

left-pad In March 2016, a package called left-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik. The package was immensely popular on the platform, being depended on by thousands of projects and reaching 15million downloads prior to its removal. Several projects critical to the JavaScript ecosystem including Babel and Webpack depended on left-pad and were rendered unusable. Although the package was republished three hours later, it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future. flatmap-stream In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. pac-resolver In May 2021, pac-resolver, an npm package that received over 3million downloads per week, was discovered to have a remote code execution vulnerability. The vulnerability resulted from how the package handled config files, and was fixed in versions 5 and greater. colors and faker In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. node-ipc and peacenotwar In March 2022, developer Brandon Nozaki Miller, maintainer of the node-ipc package, added peacenotwar as a dependency to the package. peacenotwar recursively overwrites an affected machine's hard drive contents with the heart emoji if they have a Belarusian or Russian IP address. The package also leaves a text file on the machine containing a message in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js had the peacenotwar package if they were using its latest version. The package was also briefly present as a dependency in version 3.1 of Unity Hub. However, a hotfix was released the same day to remove the dependency. bignum In May 2023, several npm packages including bignum were found to be exploited, stealing user credentials and information from affected machines. Researchers discovered that these packages had been compromised through an exploit involving Amazon S3 buckets and the node-gyp command line tool. September 2025 supply chain attack In September 2025, up to 18 popular npm packages were compromised with malware as part of a supply chain attack. Packages were compromised through a phishing attack on the package maintainers. After the account was compromised attackers began to publish packages with the malware. The malware intercepted cryptocurrency transactions within the browser, redirecting the transactions to the attacker's accounts. September 2025 self-replicating worm Also in September 2025, a self-replicating worm nicknamed Shai-Hulud appeared that steals GitHub developer credentials from affected systems to spread itself to other projects. As of September 16, the worm affected more than 187 packages. November 2025 token farms In November 2025, Amazon Web Services researchers discovered over 150,000 packages hosted on npm that were connected to a Tea blockchain token farming campaign. == Alternatives ==

There are a number of open-source alternatives to npm for installing modular JavaScript, including pnpm, Yarn, Bun and Deno. Deno and Bun also provide a JavaScript runtime, while only Deno operates independently from npm Registry or any centralized repository and its support of npm registry is still a subject of ongoing work in progress as of January 2024. They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client. == See also ==