Problem Statement
Explain npm package management, scripts, versioning, and CI/CD integration. Include npm vs yarn, lock files, and security practices.
Explanation
npm (Node Package Manager) manages JavaScript dependencies defined in package.json:
```json
{
  "name": "my-app",
  "version": "1.0.0",
  "description": "My application",
  "main": "index.js",
  "scripts": {
    "start": "node index.js",
    "dev": "nodemon index.js",
    "build": "webpack --mode production",
    "test": "jest",
    "lint": "eslint src/",
    "format": "prettier --write src/"
  },
  "dependencies": {
    "express": "^4.18.0",
    "dotenv": "^16.0.0"
  },
  "devDependencies": {
    "jest": "^28.0.0",
    "nodemon": "^2.0.0",
    "eslint": "^8.0.0"
  },
  "engines": {
    "node": ">=16.0.0",
    "npm": ">=8.0.0"
  }
}
```
Dependency types: dependencies (needed at run time), devDependencies (build and test tooling; skipped by `npm install --omit=dev`, by the older `--production` flag, or when `NODE_ENV=production`), peerDependencies (a library's requirement that the consuming project supply a compatible version; npm 7+ installs missing peers automatically, npm 6 only warned), optionalDependencies (installed if possible; a build or platform failure does not abort the install, so code must cope with their absence). The `engines` field is advisory only unless `engine-strict=true` is set in `.npmrc`.
Version ranges: "^4.18.0" (>= 4.18.0 < 5.0.0), "~4.18.0" (patch updates only, >= 4.18.0 < 4.19.0), "4.18.0" (exact version), "*" (any version, including a future major; do not use it for production code). Caret (^) is what `npm install <pkg>` writes by default and allows minor and patch updates; for 0.x versions it is narrower, because the leftmost non-zero component is treated as the breaking one: "^0.2.3" means >= 0.2.3 < 0.3.0 and "^0.0.3" admits only 0.0.3. `npm config set save-exact true` makes npm write exact versions instead.
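The range rules above, as an added example (not code from the original page): a small matcher for the four range forms the text describes, including the 0.x caret special case, plus a `resolve` that picks the highest published version in range the way `npm install` does. It handles only `x.y.z`, `^x.y.z`, `~x.y.z` and `*`; the real `semver` package supports many more forms (`||`, `>=`, prerelease tags), so this is illustrative, not a replacement. The `PUBLISHED` list is a constructed sample, not a registry listing.

```javascript
// Added example: minimal npm-style range matching (exact, ~, ^, *).
// Prerelease tags and compound ranges are deliberately out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { min, maxExclusive }; maxExclusive === null means unbounded.
function rangeBounds(range) {
  const r = range.trim();
  if (r === '*' || r === '') return { min: [0, 0, 0], maxExclusive: null };
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const [major, minor, patch] = base;
  if (op === '') return { min: base, maxExclusive: [major, minor, patch + 1] }; // exact
  if (op === '~') return { min: base, maxExclusive: [major, minor + 1, 0] };   // patch only
  // Caret: allow changes that keep the leftmost non-zero component fixed.
  // ^1.2.3 -> <2.0.0, but ^0.2.3 -> <0.3.0 and ^0.0.3 -> <0.0.4.
  if (major > 0) return { min: base, maxExclusive: [major + 1, 0, 0] };
  if (minor > 0) return { min: base, maxExclusive: [0, minor + 1, 0] };
  return { min: base, maxExclusive: [0, 0, patch + 1] };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = rangeBounds(range);
  if (compare(v, min) < 0) return false;
  return maxExclusive === null || compare(v, maxExclusive) < 0;
}

// Highest version in `available` that satisfies `range`, which is what
// `npm install` selects from the registry's version list. null if none fit.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Constructed sample of published versions (not a real registry listing).
const PUBLISHED = ['4.17.3', '4.18.0', '4.18.2', '4.19.0', '5.0.0'];

for (const range of ['^4.18.0', '~4.18.0', '4.18.0', '*']) {
  console.log(`${range.padEnd(8)} -> ${resolve(range, PUBLISHED)}`);
}
```

Note that `"*"` resolves to 5.0.0 here: without a lock file, a floating range like that silently follows the next major release, which is the reproducibility problem lock files exist to solve.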
Lock files (package-lock.json) make installs reproducible by recording the exact resolved version, download URL and integrity hash of every direct and transitive dependency (lockfileVersion 2 is written by npm 7 and 8, 3 by npm 9 and later):
```json
{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "node_modules/express": {
      "version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      "integrity": "sha512-..."
    }
  }
}
```
Commit the lock file to version control. Without it `npm install` re-resolves every range, so two builds from the same package.json can pull different transitive versions. The `integrity` value is a Subresource Integrity hash (here sha512) that npm checks against the downloaded tarball, and `resolved` is the URL it downloads from, so lock-file diffs in pull requests deserve review: a changed `resolved` host or a removed `integrity` field is how a tampered lock file points `npm ci` at attacker-controlled code.
npm commands: npm install (resolve and install from package.json, updating the lock file as needed), npm ci (clean install: deletes node_modules, installs exactly what the lock file records, requires the lock file to exist and fails if it disagrees with package.json instead of rewriting it; faster and deterministic, so use it in CI/CD), npm update (move packages to the newest versions their ranges allow and rewrite the lock file), npm outdated (show packages with newer versions available), npm audit (query the registry's advisory database for known vulnerabilities in the installed tree; needs network access), npm audit fix (apply the upgrades that stay within declared ranges; `--force` also takes major-version bumps and can break the build, so review the resulting diff).
npm scripts enable automation:
```json
"scripts": {
  "prebuild": "npm run clean",
  "build": "webpack --mode production",
  "postbuild": "npm run test",
  "clean": "rm -rf dist",
  "test": "jest --coverage",
  "test:watch": "jest --watch",
  "deploy": "npm run build && firebase deploy"
}
```
pre and post hooks run automatically before and after the main script, so `npm run build` here runs prebuild, build and postbuild in that order. The same convention applies to npm's install lifecycle (preinstall, install, postinstall, prepare), and those hooks run for every dependency in the tree during `npm install`, not just for your own package: installing a package means executing whatever its maintainer, or whoever took over the package, put in those scripts. `npm install --ignore-scripts` disables them when installing code you have not reviewed.
Yarn (classic, 1.x) arrived before npm 5 with a lock file, an offline mirror of downloaded tarballs and parallel installs; its "better security" claim referred to checksum verification, which npm has matched since package-lock.json and the `integrity` field were introduced. Yarn commands: yarn install, yarn add, yarn upgrade. yarn.lock plays the same role as package-lock.json; keep one lock file per project, because committing both lets the two tools resolve different versions. Modern npm (v7+) is comparable to Yarn classic in install speed.
CI/CD integration (GitHub Actions job steps):
```yaml
# GitHub Actions
- uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- run: npm ci
- run: npm run build
- run: npm test
```
`cache: 'npm'` caches ~/.npm keyed on the lock file hash, so it only helps when package-lock.json is committed. Pin third-party actions to a commit SHA rather than a mutable tag in any workflow that holds publish tokens or cloud credentials, since a moved tag changes the code that runs with those secrets.
Private registry configuration (.npmrc):
```
registry=https://registry.npmjs.org/
@myorg:registry=https://npm.company.com/
//npm.company.com/:_authToken=${NPM_TOKEN}
```
`${NPM_TOKEN}` is expanded from the environment when npm runs, so this file can be committed without the secret; a literal token must never be. The `@myorg:registry` line routes every `@myorg/*` package to the private registry, so a same-named package on the public registry cannot be substituted for it (dependency confusion); unscoped private package names get no such protection, which is why private packages should be scoped.
Publishing packages:
```bash
npm version patch   # bump the patch version; in a git repo this also commits and tags
npm pack --dry-run  # list the files that would go into the tarball; confirm no .env or keys ship
npm publish
```
Security practices: run npm audit regularly and keep dependencies current; pin exact versions (or set `save-exact=true`) for critical dependencies and rely on the committed lock file for everything else; scan continuously with a tool such as Snyk or Dependabot; do not run npm as root; use `npm ci` in CI/CD (it installs from the lock file and fails on any mismatch with package.json rather than silently re-resolving ranges); add `--ignore-scripts` when installing dependencies you have not reviewed, then `npm rebuild` only the packages that genuinely need a native build; keep credentials out of .npmrc by referencing environment variables; enable 2FA on the npm account and use scoped, expiring access tokens for CI. Understanding npm enables efficient Node.js project management and automation.