Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Ethereum smart contracts.
The npm package 'npm' is the package manager for Node.js. It allows users to install, update, and manage dependencies for Node.js applications. It also provides tools for package discovery, publishing, and managing a local development environment.
Package Installation
Installs the 'express' package and its dependencies into the node_modules directory.
npm install express
Package Update
Updates the 'lodash' package to the latest version according to the versioning in package.json.
npm update lodash
Package Removal
Removes the 'moment' package from the node_modules directory and updates the package.json.
npm uninstall moment
Listing Installed Packages
Lists the top-level packages installed in the node_modules directory.
npm list --depth=0
Running Scripts
Runs the 'test' script specified in the package.json file.
npm run test
Publishing a Package
Publishes the current package to the npm registry, making it available for others to install.
npm publish
Yarn is a package manager that provides faster, more reliable, and more secure dependency management compared to npm. It uses a lockfile to ensure that the same package versions are installed across different environments.
pnpm is a fast, disk-space-efficient package manager that keeps a single copy of each package version on disk and links it into the node_modules directory of every project that uses it. This approach saves disk space and speeds up installation compared to npm.
Bower is a package manager primarily for front-end web development. It manages components that contain HTML, CSS, JavaScript, fonts, or even image files. Bower is less commonly used now due to npm and Yarn's ability to handle front-end packages as well.
This is just enough info to get you up and running. Much more info will be available via npm help once it's installed.
You need node v6 or higher to run this program.
To install an old and unsupported version of npm that works on node v5 and prior, clone the git repo and dig through the old tags and branches.
npm is configured to use npm, Inc.'s public registry at https://registry.npmjs.org by default. Use of the npm public registry is subject to terms of use available at https://www.npmjs.com/policies/terms.
You can configure npm to use any compatible registry you like, and even run your own registry. Check out the doc on registries.
npm is bundled with node.
On Windows, get the MSI. npm is in it.
On macOS, get the pkg. npm is in it.
On other Unix systems, run make install. npm will be installed with node.
If you want a more fancy pants install (a different version, customized paths, etc.) then read on.
There's a pretty robust install script at https://www.npmjs.com/install.sh. You can download that and run it.
Here's an example using curl:
curl -L https://www.npmjs.com/install.sh | sh
You can set any npm configuration params with that script:
npm_config_prefix=/some/path sh install.sh
Or, you can run it in uber-debuggery mode:
npm_debug=1 sh install.sh
Get the code with git. Use make to build the docs and do other stuff. If you plan on hacking on npm, make link is your friend.
If you've got the npm source code, you can also semi-permanently set arbitrary config keys using ./configure --key=val ..., and then run npm commands by doing node bin/npm-cli.js <command> <args>. (This is helpful for testing, or running stuff without actually installing npm itself.)
Many improvements for Windows users have been made in npm 3 - you will have a better experience if you run a recent version of npm. To upgrade, either use Microsoft's upgrade tool, download a new version of Node, or follow the Windows upgrade instructions in the Installing/upgrading npm post.
If that's not fancy enough for you, then you can fetch the code with git, and mess with it directly.
No.
So sad to see you go.
sudo npm uninstall npm -g
Or, if that fails,
sudo make uninstall
Usually, the above instructions are sufficient. That will remove npm, but leave behind anything you've installed.
If you would like to remove all the packages that you have installed, then you can use the npm ls command to find them, and then npm rm to remove them.
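The "find them with npm ls, then remove them with npm rm" step above, written out as an added shell example (not part of the npm README). It assumes that npm ls -g --depth=0 --parseable prints one install path per line such as /usr/local/lib/node_modules/express (an assumption about the output format; the flag itself is a real npm option), keeps scoped names like @scope/name intact, and leaves npm itself for the sudo npm uninstall npm -g step that follows.

```shell
#!/bin/sh
# Added example, not code from the npm project. Lists the globally installed
# packages so they can be removed with `npm rm -g` before npm itself is removed.
# Assumption: `npm ls -g --depth=0 --parseable` prints one path per line, e.g.
#   /usr/local/lib
#   /usr/local/lib/node_modules/express
#   /usr/local/lib/node_modules/@angular/cli

# global_package_names: reads parseable `npm ls` output on stdin and prints one
# package name per line. Everything after the last "/node_modules/" is kept, so
# scoped names (@scope/name) survive; the global root line has no trailing
# "/node_modules/" and is dropped; npm itself is skipped because it goes last.
global_package_names() {
  sed -n 's|.*/node_modules/||p' | grep -v '^npm$' | LC_ALL=C sort -u
}

# remove_global_packages: removes every package named by global_package_names.
# Set DRY_RUN=1 to only print the commands that would be run.
remove_global_packages() {
  npm ls -g --depth=0 --parseable 2>/dev/null | global_package_names |
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "npm rm -g $pkg"
    else
      npm rm -g "$pkg"
    fi
  done
}

# Usage: DRY_RUN=1 sh this_script.sh   (review the list first)
#        sh this_script.sh             (actually remove the packages)
# followed by: sudo npm uninstall npm -g
if [ "${0##*/}" != "sh" ] && [ -n "${RUN_REMOVE_GLOBAL:-}" ]; then
  remove_global_packages
fi
```

Run it first with DRY_RUN=1 so the list of packages about to be removed can be reviewed; the guard at the bottom means sourcing the file only defines the two functions, and removal happens only when RUN_REMOVE_GLOBAL is set.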
To remove cruft left behind by npm 0.x, you can use the included clean-old.sh script file. You can run it conveniently like this:
npm explore npm -g -- sh scripts/clean-old.sh
npm uses two configuration files, one for per-user configs, and another for global (every-user) configs. You can view them by doing:
npm config get userconfig # defaults to ~/.npmrc
npm config get globalconfig # defaults to /usr/local/etc/npmrc
Uninstalling npm does not remove configuration files by default. You must remove them yourself manually if you want them gone. Note that this means that future npm installs will not remember the settings that you have chosen.
Check out the docs. You can use the npm help command to read any of them.
If you're a developer, and you want to use npm to publish your program, you should read this.
When you find issues, please report them. Be sure to include all of the output from the npm command that didn't work as expected. The npm-debug.log file is also helpful to provide.
FAQs
a package manager for JavaScript
The npm package npm receives a total of 4,743,422 weekly downloads, so its popularity is classified as popular.
We found that npm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.