- NPM
- Yarn
- PNPM
- Additional resources
- update node:
  - `curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -`
  - `sudo apt-get install -y nodejs`
- update npm: `sudo npm install -g npm@latest`
- get node-module location: `npm root [-g]`
- `echo >> ~/.bashrc && npm completion >> ~/.bashrc && source ~/.bashrc` = enable npm completion
- set defaults: `npm config set init-author-name "<name>"`
- get defaults: `npm config get init-author-name`
- delete defaults: `npm config delete init-author-name`
- create package.json: `npm init`
  - without prompt: `npm init -y`
- reinstall the project's dependencies from package.json: `npm install`
- get package info = `npm view <package>`
  - specific info = `npm view <package> dependencies`
- install dependency: `npm install [-g] <dependencies name> [--save-dev | -D]`, aliases: `i`
  - install specific version: `npm install [-g] <name>@<version>`
  - install from git remotes (repository must be a npm package, i.e. have a package.json): `npm i <github:>username/repository`
- uninstall dependency: `npm uninstall [-g] <name>`, aliases: `remove`, `rm`, `un`
- list installed dependencies: `npm list`, aliases: `ls`
  - using depth flag: `npm -g ls --depth 0`
- check updates: `npm [-g] outdated`
- update all packages, respecting semver: `npm update [-g] [name]`
  - updates package(s) to the version defined at column 'wanted' of `npm outdated`
  - if you want to update to the version in column 'latest' of `npm outdated`, manually edit the package.json or run `npm i <package>@latest`
- package.json lists, among other things, your package dependencies, but not their dependencies (nested dependencies)
- and the dependencies' versions are locked with a caret (e.g. `^2.20.0`), meaning any future minor and patch updates will be installed instead of the exact version
- the `files` field of package.json describes the entries to be included when your package is installed as a dependency
  - it's supposed to follow a syntax similar to `.gitignore`
  - however, it supports braces expansion (e.g. `!src/**/*.{test,spec}.{js,jsx,ts,tsx}`), as you can see in `npm pack` output
  - differently, `eslint-plugin-node` (which looks at `package.json`'s `files` field to perform rules `no-unpublished-*`) doesn't understand braces expansion
    - mysticatea/eslint-plugin-node#199
    - mysticatea/eslint-plugin-node#290
- npm can be locked with a package-lock or npm-shrinkwrap, see below
- a good reason to always keep a lock file is to be able to know exactly when (i.e. in which version of each dependency) everything was working
  - after updating dependencies, you should always check to make sure everything is working
  - if there is no lockfile, you will have to check the dependencies every time you install or re-install them and make sure that everything still works
- package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree or package.json
  - it describes the exact dependency tree (direct and nested dependencies...) that was generated
  - the goal of this file is to keep track of the exact version of every package that is installed so that the project is 100% reproducible even if packages are updated by their maintainers
  - it's intended to be committed to the repository but cannot be published to the npm registry (if you want to publish a lock file, use shrinkwrap)
- `npm shrinkwrap` = creates a npm-shrinkwrap.json
  - a file identical to package-lock.json, but that can be published
- you should keep lock or shrinkwrap, one or the other; they're not designed to coexist
  - for instance, if you run `npm shrinkwrap` in a project that already contains a lock file, this lock file will be renamed to shrinkwrap and future installations will modify the shrinkwrap
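
Comparing the lock file from before and after an update shows exactly which direct and nested packages moved. The following is an added example, not part of the original notes: it diffs the `packages` map of two `package-lock.json` objects, and every package name, version and hash in it is constructed for illustration.

```javascript
// Added example, not part of the original notes. All lockfile data below is constructed.
// Works on the "packages" map used by lockfileVersion 2 and 3.
function pkgName(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

function lockDiff(oldLock, newLock) {
  const a = oldLock.packages || {};
  const b = newLock.packages || {};
  const out = { added: [], removed: [], changed: [], integrityMismatch: [] };
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (path === '') continue; // "" is the root project, not a dependency
    const name = pkgName(path);
    const before = a[path];
    const after = b[path];
    if (!before) out.added.push({ path, name, version: after.version });
    else if (!after) out.removed.push({ path, name, version: before.version });
    else if (before.version !== after.version) {
      out.changed.push({ path, name, from: before.version, to: after.version });
    } else if (before.integrity !== after.integrity) {
      // Same version but the recorded hash changed: worth a manual look.
      out.integrityMismatch.push({ path, name, version: after.version });
    }
  }
  return out;
}

const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': { version: '2.20.0', integrity: 'sha512-constructed-A' },
    'node_modules/example-lib/node_modules/example-util': { version: '1.4.0', integrity: 'sha512-constructed-B' },
    'node_modules/@demo/logger': { version: '0.3.1', integrity: 'sha512-constructed-C' },
  },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': { version: '2.21.3', integrity: 'sha512-constructed-D' },
    'node_modules/example-lib/node_modules/example-util': { version: '1.4.0', integrity: 'sha512-constructed-E' },
    'node_modules/example-parser': { version: '5.0.2', integrity: 'sha512-constructed-F' },
  },
};

console.log(JSON.stringify(lockDiff(OLD_LOCK, NEW_LOCK), null, 2));
```
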
- `npx package-name` = run a locally installed package (alternative to npm scripts)
- if package isn't installed, download and execute it but won't save it: `npx <non-installed package>`
- you can run different versions of the same command, using the syntax '@version'
  - `npx node@6` = run code using a different Node version
- `npx https://gist.github.com/zkat/4bc19503fe9e9309e2bfaa2c58074d32` = run code (must be a npm package) from url
- the two most useful commands to run after encountering any warning or error: `audit` and `cache clean`
  - `npm audit` = scan project for vulnerabilities and just show the details
  - `npm audit fix` = automatically install any compatible updates to vulnerable dependencies
  - `npm cache verify` = display cache info
  - `npm cache clean --force` = clean the cache
- open site, docs: `npm home <package>`, `npm docs <package>`
- open github repo: `npm repo <package>`
- `npm <script-name>` = run pre-defined script names (install, test, publish...)
- `npm run <script-name>` = run arbitrary scripts
  - to run a script before or after a script use 'pre' and 'post' hooks (even user defined scripts), example: preinstall, postmycustom
  - `--silent` = prevent the default NPM logs
- `npm link` is useful when you need to work on application code and a dependency at the same time
- link in two steps:
  - in the dependency directory: `sudo npm link` = in the global node_modules (get it with `npm root -g`) create a symbolic link pointing to this project
  - in the main project: `npm link linkname --save` = in this project's node_modules, create a symbolic link pointing to the specified link (located at the global node_modules)
- `sudo npm unlink -g linkname` = delete the link from the global node_modules directory
- instead of link, you could `npm install` the directory of the local dependency
  - the differences are that npm install:
    - won't use the global node-modules
    - will alter project's package.json
- both options accept .gitignore pattern and glob

```json
{
  "files": [
    "dist",
    "src",
    "!src/**/__tests__",
    "!src/**/*.{test,spec}.{js,jsx,ts,tsx}"
  ]
}
```

```
# config files
/*.{js,cjs,json}
.browserslistrc
.editorconfig
.husky
# test files
src/**/__tests__
src/**/*.{test,spec}.{js,jsx,ts,tsx}
```
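
Since some tools read the `files` field without understanding braces expansion, one workaround is to expand the patterns into brace-free form before handing them over. This is an added example, not code from these notes, from npm or from eslint-plugin-node; the function names are hypothetical and only comma-separated groups are expanded.

```javascript
// Added example, not from the original notes, npm or eslint-plugin-node.
// Expands comma-separated {a,b} groups; numeric ranges such as {1..3} are left untouched.
function splitTopLevel(body) {
  const parts = [];
  let depth = 0;
  let start = 0;
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '{') depth++;
    else if (body[i] === '}') depth--;
    else if (body[i] === ',' && depth === 0) {
      parts.push(body.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(body.slice(start));
  return parts;
}

function expandBraces(pattern) {
  const open = pattern.indexOf('{');
  if (open === -1) return [pattern];
  let depth = 0;
  let close = -1;
  for (let i = open; i < pattern.length && close === -1; i++) {
    if (pattern[i] === '{') depth++;
    else if (pattern[i] === '}' && --depth === 0) close = i;
  }
  if (close === -1) return [pattern]; // unbalanced brace: keep the pattern literal
  const head = pattern.slice(0, open);
  const body = pattern.slice(open + 1, close);
  const tails = expandBraces(pattern.slice(close + 1));
  const parts = splitTopLevel(body);
  // A group without a top-level comma (e.g. "{a}") is not an alternation; keep its braces.
  const alts = parts.length > 1
    ? parts.flatMap(expandBraces)
    : expandBraces(body).map((b) => `{${b}}`);
  return alts.flatMap((alt) => tails.map((tail) => head + alt + tail));
}

// Rewrite a package.json "files" array into brace-free patterns.
const expandFiles = (files) => files.flatMap(expandBraces);

// The "files" array from these notes.
const FILES = ['dist', 'src', '!src/**/__tests__', '!src/**/*.{test,spec}.{js,jsx,ts,tsx}'];
console.log(expandFiles(FILES));
```
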
- NOTE: with a free account, you only get to create public packages
- create a NPM account
- log in the cli with `npm login`
- make sure the package is not already taken
- in the package directory, `npm publish`
- `npm unpublish <package-name>@<version>` = delete a single version
  - `npm unpublish [<@scope>/]<pkg>[@<version>]` = scoped packages
  - NOTE: you cannot republish the same version ever again
- `npm unpublish --force package` = delete the entire package from npm registry
  - NOTE: you'll need to wait 24 to republish package
  - NOTE: you cannot publish the same versions you published previously
- unpublishing rules
- dependencies get installed in the root `node_modules`
  - even if a dependency is shared by multiple packages, it gets saved only once in the root
  - however, if multiple workspaces depend on different versions of a package
    - npm will create a node_modules folder inside of one of the packages
    - containing the package at a different version from the one inside the root `node_modules/`
- inside a directory containing `package.json`: `npm init -w packages/a -w packages/b -y`
- structure:

```
├── node_modules/
├── package.json
└── packages
    ├── package-a
    │   └── package.json
    └── package-b
        └── package.json
```

- root package.json must contain (every directory in `packages/` will be a package):

```json
{
  "private": true,
  "workspaces": [
    "packages/*"
  ]
}
```

- `npm i` = all workspaces will be symlinked at /node_modules, making it possible for them to reference one another
  - you must add local dependencies in the local dependent package.json
    - otherwise, dependencies wouldn't be downloaded when downloading the dependent package
- workspace command:
  - `--workspace`, `-w` followed by a workspace name = operates in a single workspace
  - `--workspaces`, `-ws` = operates in all workspaces
- install, uninstall:
  - `npm i pkgname -ws` = install in all workspaces
  - `npm [install|remove] pkgname -w workspacename`
- run scripts:
  - `npm run test -ws`
  - `npm run test -w a`
- publish:
  - `npm publish -ws` = publish all workspaces (if package is scoped, read below)
  - for scoped monorepo (`@scope/pkgname`):
    - must create an organization (scope) in NPM site
    - `--access public` is needed in the initial publication
- upon release, yarn had many advantages compared to npm
- however, the rise of yarn pushed npm to make improvements and the competition has become increasingly tight
- though, yarn is still (even after npm 6.0) somewhat faster
- the popularity gap is slowly closing but npm is still the most popular
- `sudo npm install -g yarn` = now you can use yarn as package manager anywhere, just like npm
- `curl --compressed -o- -L https://yarnpkg.com/install.sh | bash` = update yarn
- `yarn init [-y]`
- `yarn` or `yarn install` = install all dependencies listed at 'package.json' and, if 'yarn.lock' exists and is enough to satisfy every dependency, the exact versions recorded in 'yarn.lock' are installed
- `yarn info package` = info about a package
  - `yarn info package field` = select a specific field, e.g. description, versions, license
- `yarn list` = lists all dependencies for the current directory
  - `yarn list --depth 0 --pattern "pattern"`
- `yarn add [package]@[version]` = install
  - `yarn add [package] --dev|--peer|--optional` = different categories of dependencies
- `yarn global add package` = install globally
- `yarn outdated` = checks for outdated package dependencies
- `yarn upgrade [package]@[version]` = update dependency
- `yarn remove [package]` = remove dependency
- `yarn run scriptname`
- yarn stores every package in a global cache in your user directory on the file system
  - `yarn cache list` = view every cached package
  - `yarn cache list --pattern "pattern"`
- when you run either `yarn` or `yarn add package`, Yarn will generate a yarn.lock
  - this file will ensure that other developers get precisely the same dependencies as you have; it is equivalent to npm's 'package-lock.json' and 'npm-shrinkwrap.json'
- for development, a package can be linked into another project
  - two steps:
    - `yarn link` = in package you want to link
    - `yarn link packagelinked` = link the linked package into current directory
- `yarn login`
- `yarn publish`, `yarn publish --new-version <version>`, `yarn publish --access <public|restricted>` = publish current package
  - as of now, no command to unpublish
- add to `package.json`: `"workspaces": ["packages/*"]`
- tutorial
- `yarn workspaces info` = info about each workspace
- `yarn workspaces run <command>` = run command in each workspace
  - currently in version 1, it errors if a package doesn't have the script
  - version 2 fixed this
- `yarn workspace <workspace-name> <command>` = run script in the chosen workspace
- delete `node_modules`, `package-lock.json`
- run `yarn` (equivalent to `npm i`)
- NOTE: blocks `npm i`, `npm i <package-name>`, `npm remove <package-name>`, `npm update`
- in `package.json`:

```json
{
  "engines": {
    "npm": "use `yarn` instead",
    "pnpm": "use `yarn` instead"
  }
}
```

- in `.npmrc`:

```ini
engine-strict = true
```

- NOTE: apparently `only-allow` doesn't work with `npm` anymore, so the other method is recommended
- NOTE: blocks only `npm i` (not `npm i <package-name>`)
- NOTE: no need to install (it's run via `npx`)
- in `package.json`:

```json
{
  "scripts": {
    "preinstall": "npx only-allow yarn"
  }
}
```

- `npm install` => `pnpm install`
- `npm i <package-name>` => `pnpm add <package-name>`
- `pnpm run <cmd>` (`run` is optional) = run script
- `pnpm exec <cmd>` (`exec` is optional) = run command
- `pnpm dlx <pkg>` = run package without installing
- when running `pnpm i` you may get the error: `Issues with peer dependencies found`
  - the way to fix it is to install (add to `package.json` & repeat command) the missing peer dependencies as `devDependencies`
- yarn monorepos must contain this file at root
- defines the root of the workspace and enables you to include / exclude directories from the workspace

```yaml
packages:
  # all packages in subdirs of packages/ and components/
  - 'packages/**'
  - 'components/**'
  # exclude packages that are inside test directories
  - '!**/test/**'
```

- the `workspace:` protocol is how local packages reference one another
- variations:
  - `workspace:*` => exact current version
  - `workspace:~` => tilde range (patch versions only)
  - `workspace:^` => caret range (patch & minor versions only)
- replace any mention of `npm` or `yarn` with `pnpm`
- `pnpm import` = generates a pnpm-lock.yaml from another package manager's lockfile (`package-lock.json` or `yarn.lock`)
- force `pnpm` (instead of `npm` or `yarn`):
- in `package.json`:

```json
{
  "engines": {
    "npm": "use `pnpm` instead",
    "yarn": "use `pnpm` instead"
  }
}
```

- in `.npmrc`:

```ini
engine-strict = true
```

- alpha versions: `1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0`
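
The ordering above, and the caret ranges (`^2.20.0`) mentioned in the package.json notes, both follow mechanical rules. This is an added example, not part of the original notes and not npm's own implementation: it sorts a shuffled copy of that chain and checks versions against a caret range, going slightly beyond the notes by also covering `0.x` carets; ranges that themselves carry a prerelease tag are assumed out of scope.

```javascript
// Added example, not from the original notes: SemVer precedence and npm caret ranges.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`invalid version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifiers: numeric ones compare as numbers and rank below
// alphanumeric ones, which compare as ASCII strings.
function cmpId(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 (build metadata is ignored).
function compare(x, y) {
  const a = parse(x);
  const b = parse(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  // A release outranks any prerelease of the same core version.
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1; // fewer identifiers ranks lower
    if (b.pre[i] === undefined) return 1;
    const c = cmpId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// ^range: any version that keeps the left-most non-zero component unchanged.
function satisfiesCaret(version, range) {
  const base = parse(range.replace(/^\^/, ''));
  if (base.pre.length) throw new Error('prerelease ranges are not handled here');
  if (parse(version).pre.length) return false; // prereleases never match a plain range
  let i = base.core.findIndex((n) => n !== 0);
  if (i === -1) i = 2; // ^0.0.0 allows only 0.0.0
  const upper = base.core.map((n, k) => (k < i ? n : k === i ? n + 1 : 0)).join('.');
  return compare(version, base.core.join('.')) >= 0 && compare(version, upper) < 0;
}

// The chain from the notes, deliberately shuffled (constructed input).
const SHUFFLED = ['1.0.0', '1.0.0-beta.11', '1.0.0-alpha.beta', '1.0.0-rc.1',
  '1.0.0-alpha', '1.0.0-beta.2', '1.0.0-beta', '1.0.0-alpha.1'];
const sortVersions = (list) => [...list].sort(compare);
console.log(sortVersions(SHUFFLED).join(' < '));
```
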
- `ncu` (no arguments) = display available updates
- `ncu -u` = upgrade all
- `ncu --target minor` = update only patch & minor versions
- upgrade only some packages:
  - `ncu chalk react`
  - `ncu --filter chalk react` = include only package names matching the given string, wildcard, glob, comma-or-space-delimited list, or /regex/
  - `ncu --reject react chalk` = exclude packages matching the given string, wildcard, glob, comma-or-space-delimited list, or /regex/