Original author(s) | Isaac Z. Schlueter |
---|---|
Developer(s) | npm, Inc. (a subsidiary of GitHub, [1] a subsidiary of Microsoft) |
Initial release | 12 January 2010 [2] |
Stable release | |
Repository | |
Written in | JavaScript |
Platform | Cross-platform |
Type | Package manager |
License | Artistic License 2.0 |
Website | www |
npm is a package manager for the JavaScript programming language maintained by Microsoft's npm, Inc. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer. [4]
It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
While "npm" is commonly understood to be an abbreviation for "Node Package Manager", it's officially a recursive backronym for "npm is not an acronym". [5]
npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl). [6] npm is a JavaScript replacement for pm, a shell script. [7]
In March 2020 it was announced that npm is to be acquired by GitHub. [1]
npm can manage packages that are local dependencies of a particular project, as well as globally-installed JavaScript tools. [8] When used as a dependency manager for a local project, npm can install, in one command, all the dependencies of a project through the package.json
file. [9] In the package.json
file, each dependency can specify a range of valid versions using the semantic versioning scheme, allowing developers to auto-update their packages while at the same time avoiding unwanted breaking changes. [10] npm also provides version-bumping tools for developers to tag their packages with a particular version. [11] npm also provides the package-lock.json
[12] file which has the entry of the exact version used by the project after evaluating semantic versioning in package.json
.
npm's command-line interface client allows users to consume and distribute JavaScript modules that are available in the registry. [13]
In February 2018, an issue was discovered in version 5.7.0 in which running sudo npm
on Linux systems would change the ownership of system files, permanently breaking the operating system. [14]
In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages. [15] The source of security vulnerabilities were taken from reports found on the Node Security Platform (NSP) and has been integrated with npm since npm's acquisition of NSP. [16]
Packages in the registry are in ECMAScript Module (ESM) or CommonJS format and include a metadata file in JSON format. [17]
Over 1.3 million packages are available in the main npm registry. [18]
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. [17] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious. [19] npm exposes statistics including number of downloads and number of depending packages to assist developers in judging the quality of packages. [20]
Internally npm relies on the NoSQL Couch DB to manage publicly available data. [21]
In March 2016, npm attracted press attention [22] after a package called left-pad
, which many popular JavaScript packages depended on, was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik. [23] [24] Although the package was republished three hours later, [25] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future. [26]
In April 2020, a small package called is-promise
resulted in outage in serverless applications and deployments worldwide by virtue of being a dependency of many big and important applications. [27] [ non-primary source needed ]
In July 2018, the npm credentials of a maintainer of the popular eslint-scope
package were compromised resulting in a malicious release of eslint-scope
, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope
and uploaded them to the attacker. [28]
In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream
. The malicious package, called flatmap-stream
, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package. [29] [30]
In January 2022, the maintainer of the popular package colors
pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker
, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?" [31]
In March 2022, developer Brandon Nozaki Miller released a version of the package node-ipc
containing malicious code that would delete files from users with Belarusian and Russian IP addresses, in protest of the Russian invasion of Ukraine. Vue.js, which uses node-ipc
as a dependency, did not pin its dependencies to a safe version, meaning that some users of Vue.js became affected by the malicious package if the dependency was fetched as the latest package. [32] [33] The affected dependency was also briefly present in version 3.1 of Unity Hub; a hotfix was released the same day to remove the issue, however. [34]
There are a number of open-source alternatives to npm for installing modular JavaScript, including ied
, pnpm
, npmd
, Yarn, [35] Bun and Deno. Deno and Bun also provide a JavaScript runtime, while only Deno operates independently from NPM Registry or any centralized repository [36] and its support of NPM registry is still a subject of ongoing work in progress as of January 2024. [37] They are all compatible with the public npm registry and use it by default, but provide different client-side experiences, usually focused on improving performance and determinism compared to the npm client. [38]
TypeScript is a free and open-source high-level programming language developed by Microsoft that adds static typing with optional type annotations to JavaScript. It is designed for the development of large applications and transpiles to JavaScript. Because TypeScript is a superset of JavaScript, all JavaScript programs are syntactically valid TypeScript, but they can fail to type-check for safety reasons.
Google Closure Tools is a set of tools to help developers build rich web applications with JavaScript. It was developed by Google for use in their web applications such as Gmail, Google Docs and Google Maps. As of 2023, the project had over 230K LOCs not counting the embedded Mozilla Rhino compiler.
Node.js is a cross-platform, open-source JavaScript runtime environment that can run on Windows, Linux, Unix, macOS, and more. Node.js runs on the V8 JavaScript engine, and executes JavaScript code outside a web browser.
Amber Smalltalk, formerly named Jtalk, is an implementation of the programming language Smalltalk-80, that runs on the JavaScript runtime of a web browser. It is designed to enable client-side development using Smalltalk. The programming environment in Amber is named Helios.
Mustache is a web template system. Mustache is described as a logic-less system because it lacks any explicit control flow statements, like if
and else
conditionals or for loops; however, both looping and conditional evaluation can be achieved using section tags processing lists and anonymous functions (lambdas). It is named "Mustache" because of heavy use of braces, { }
, that resemble a sideways moustache. Mustache is used mainly for mobile and web applications.
AngularJS is a discontinued free and open-source JavaScript-based web framework for developing single-page applications. It was maintained mainly by Google and a community of individuals and corporations. It aimed to simplify both the development and the testing of such applications by providing a framework for client-side model–view–controller (MVC) and model–view–viewmodel (MVVM) architectures, along with components commonly used in web applications and progressive web applications.
Socket.IO is an event-driven library for real-time web applications. It enables real-time, bi-directional communication between web clients and servers. It consists of two components: a client, and a server. Both components have a nearly identical API.
Yeoman is an open source client-side scaffolding tool for web applications. Yeoman runs as a command-line interface written for Node.js and combines several functions into one place, such as generating a starter template, managing dependencies, running unit tests, providing a local development server, and optimizing production code for deployment.
Composer is an application-level dependency manager for the PHP programming language that provides a standard format for managing dependencies of PHP software and required libraries. It was developed by Nils Adermann and Jordi Boggiano, who continue to manage the project. They began development in April 2011 and first released it on March 1, 2012. Composer is strongly inspired by Node.js's "npm" and Ruby's "bundler". The project's dependency solving algorithm started out as a PHP-based port of openSUSE's libzypp SAT solver.
Browserify is an open-source JavaScript bundler tool that allows developers to write and use Node.js-style modules that compile for use in the browser.
Webpack is a free and open-source module bundler for JavaScript. It is made primarily for JavaScript, but it can transform front-end assets such as HTML, CSS, and images if the corresponding loaders are included. Webpack takes modules with dependencies and generates static assets representing those modules.
NativeScript is an open-source framework to develop mobile apps on the iOS and Android platforms. It was originally conceived and developed by Progress. At the end of 2019 responsibility for the NativeScript project was taken over by long-time Progress partner, nStudio. In December 2020 nStudio also oversaw the induction of NativeScript into OpenJS Foundation as an Incubating Project. NativeScript apps are built using JavaScript, or by using any programming language that transpiles to JavaScript, such as TypeScript. NativeScript supports the Angular and Vue JavaScript frameworks. Mobile applications built with NativeScript result in fully native apps, which use the same APIs as if they were developed in Xcode or Android Studio. Additionally, software developers can re-purpose third-party libraries from CocoaPods, Maven, and npm.js in their mobile applications without the need for wrappers.
gulp is an open-source JavaScript toolkit, used as a streaming build system in front-end web development.
Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. It uses a command-line interface to run custom tasks defined in a file. Grunt was created by Ben Alman and is written in Node.js. It is distributed via npm. As of October 2022, there were more than 6,000 plugins available in the Grunt ecosystem.
ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code. It was created by Nicholas C. Zakas in 2013. Rules in ESLint are configurable, and customized rules can be defined and loaded. ESLint covers both code quality and coding style issues. ESLint supports current standards of ECMAScript, and experimental syntax from drafts for future standards. Code using JSX or TypeScript can also be processed when a plugin or transpiler is used.
Yarn is one of the main JavaScript package managers, developed in 2016 by Sebastian McKenzie of Meta for the Node.js JavaScript runtime environment. An alternative to the npm package manager, Yarn was created as a collaboration of Facebook, Exponent, Google, and Tilde to solve consistency, security, and performance problems with large codebases.
Deno is a runtime for JavaScript, TypeScript, and WebAssembly that is based on the V8 JavaScript engine and the Rust programming language. Deno was co-created by Ryan Dahl, who also created Node.js.
AssemblyScript is a TypeScript-based programming language that is optimized for, and statically compiled to, WebAssembly. Resembling ECMAScript and JavaScript, but with static types, the language is developed by the AssemblyScript Project with contributions from the AssemblyScript community.
npm, Inc., is a company founded in 2014. It was acquired by GitHub, a subsidiary of Microsoft, in 2020. The company maintains the npm package manager for Node.js and the npm Registry, which hosts software packages and version control based on Git.
peacenotwar is a piece of malware/Protestware created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc
, a common JavaScript dependency.