npm is the Node package manager. If you use Node.js, you will have used it and be familiar with it, but because it works so well you don't give it much thought until it doesn't, which can have a catastrophic effect. There's an interesting tale from Tictail (the perfect npm storm) on such an event. Such tales help keep life interesting, but for those who want to keep their sanity I'll go over some npm quirks and features you should be aware of and take some time to look into.
npm2 vs npm3
A great source of confusion and problems comes from upgrading npm to version 3.
npm3 resolves dependencies differently than npm2. npm3 will attempt to flatten the dependency tree, and the dependency resolution depends on install order. The only way to reliably get the same dependency tree is to remove the node_modules folder and install all the dependencies again.
peerDependencies are deprecated. If you have dependencies or projects using peerDependencies, they will be ignored by npm3. You will need to upgrade those to dependencies.
just copy it
A straightforward method to prevent issues in production is the almost fail-safe solution of deploying your code with the node_modules folder. Almost, because you will need to be aware of packages with install scripts or node-gyp dependencies, which are typically platform-specific.
shrinkwrap
The command npm shrinkwrap produces an npm-shrinkwrap.json file that locks down your dependencies' versions. You should run it after npm install. Now you can control when to update a dependency to a new version. You may check if there are any available updates with npm outdated.
cache-min
npm keeps a cache of the packages and will minimize transfers. The minimum duration for a cache is 10 seconds, after which it will query the registry for an update. You can use this configuration to force it to install from cache. You can change the global npm config with npm config set cache-min Infinity or, when you want to change a specific install, use npm install --cache-min Infinity.
save-prefix
The default semver prefix is the caret ^. It will accept all new versions except for major changes [major.minor.patch], but you can also use other prefixes: for example, the tilde ~ prefix will signal npm to only accept patch changes.
scripts
You can use npm scripts to minimize your build setup. However, you will want to keep this straightforward, as they can otherwise turn into a maintenance nightmare. It's important that you are aware of what hook scripts are set up by your dependencies. If you are having problems originating from these, you can use the --ignore-scripts flag so it will ignore all of them.
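Both the warning about copying node_modules (install scripts and node-gyp packages) and the advice to know your dependencies' hook scripts can be checked mechanically. The following is an added example, not code from the original post: it walks a node_modules folder and lists every package that declares preinstall, install or postinstall scripts or ships a binding.gyp. The function names and sample package names are hypothetical, and the sample tree is constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const HOOKS = ['preinstall', 'install', 'postinstall'];

// Walk a node_modules directory (scoped and nested packages included) and
// report each package with install-time hooks or a node-gyp build file.
function findInstallHooks(modulesDir, found = []) {
  if (!fs.existsSync(modulesDir) || !fs.statSync(modulesDir).isDirectory()) return found;
  for (const name of fs.readdirSync(modulesDir).sort()) {
    if (name.startsWith('.')) continue;                 // .bin, lock metadata
    const dir = path.join(modulesDir, name);
    if (name.startsWith('@')) { findInstallHooks(dir, found); continue; } // @scope/pkg
    const manifest = path.join(dir, 'package.json');
    if (!fs.existsSync(manifest)) continue;
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(manifest, 'utf8')); }
    catch (err) { found.push({ name, hooks: [], gyp: false, error: 'unreadable package.json' }); continue; }
    const scripts = pkg.scripts || {};
    const hooks = HOOKS.filter((h) => typeof scripts[h] === 'string');
    // With a binding.gyp and no install/preinstall script of its own,
    // npm defaults the install step to a node-gyp build (platform-specific).
    const gyp = fs.existsSync(path.join(dir, 'binding.gyp'));
    if (hooks.length || gyp) found.push({ name: pkg.name || name, hooks, gyp });
    findInstallHooks(path.join(dir, 'node_modules'), found); // npm2-style nesting
  }
  return found;
}

// Constructed sample tree (hypothetical packages) so the example runs offline.
function buildSampleTree() {
  const root = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'nm-audit-')), 'node_modules');
  const write = (rel, body) => {
    const file = path.join(root, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, typeof body === 'string' ? body : JSON.stringify(body));
  };
  write('plain-lib/package.json', { name: 'plain-lib', scripts: { test: 'mocha' } });
  write('native-addon/package.json', { name: 'native-addon' });
  write('native-addon/binding.gyp', '{}');
  write('@acme/hooked/package.json', { name: '@acme/hooked', scripts: { postinstall: 'node setup.js' } });
  write('plain-lib/node_modules/deep-hook/package.json', { name: 'deep-hook', scripts: { preinstall: 'sh prep.sh' } });
  return root;
}

for (const p of findInstallHooks(buildSampleTree())) {
  console.log(p.name, p.hooks.join(',') || '-', p.gyp ? 'binding.gyp' : '');
}
```

Point findInstallHooks at a real project's node_modules path to review what would run during install before deciding whether --ignore-scripts is safe to use there.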
run your own registry
npm allows you to specify the registry to use. This is a great solution to keep your code private and still use npm for its features. This can also be used to isolate your servers if required. You may want to look into the Sinopia project to learn more about this topic.
I hope these npm tips help you save some dev time and headaches trying to resolve issues that can be prevented or resolved quite easily.
For any further information on npm, I can recommend the following articles: