Demystifying NPM

When you build a software product or a service, you do not build everything from scratch; you rely on third-party libraries. Well-maintained, open-source libraries, in which many bugs have already been encountered and fixed, make a developer's life much easier: he or she can focus on actually adding a feature or service instead of setting everything up from scratch.

The place we take these pre-built libraries, packages, modules and utilities from is NPM, the Node Package Manager. NPM is essentially a registry where packages are listed, and we download the package we need. Strictly speaking, "npm" is both the public registry (registry.npmjs.org) and the command-line client that talks to it.

We can also build and publish our own package so that other people can use it. npm, Inc. was acquired by GitHub in 2020, and GitHub itself had been acquired by Microsoft in 2018.

Just like NPM, we also have Yarn. Yarn was originally created at Facebook (now Meta) and is an alternative client to NPM: it installs packages from the same npm registry. It is also open source, was noticeably faster than npm when it was released, and shipped a lockfile (yarn.lock) with integrity checksums of downloaded packages before npm 5 added an equivalent.

Not every package is self-contained. Some packages need another package to be present in your project in order to work; these are called "peer dependencies". For example, to run 'react-dom' you need 'react'. Up to npm 6, installing a package with an unmet peer dependency only produced a warning, and you had to install the peer yourself. From npm 7 onwards, peer dependencies are installed automatically, and a peer range that conflicts with what is already installed fails the install (unless --legacy-peer-deps is passed).

Dependencies are classified in two ways. First, by the environment that needs them:

1. Dev dependency - required only at development time on your local machine; listed under devDependencies in package.json.

ex. testing dependencies, linters, build tools.

2. Prod dependency - required when the application runs in production; listed under dependencies in package.json. ex. axios, lodash

Second, by where they are installed:

1. Local / project-level dependency - installed into the project's own node_modules folder; its scope is restricted to that project.

2. Global dependency - installed once for the whole machine (the -g flag) and available from any project or folder; typically used for command-line tools.

Semantic versioning - a version number has three parts, MAJOR.MINOR.PATCH: the major number changes for breaking changes, the minor for backwards-compatible new features, and the patch for backwards-compatible bug fixes.

[image: semantic versioning]

NPM wanted installs to be reproducible even though package.json usually lists version ranges rather than exact versions, so in npm 5 it introduced the package-lock.json file, which records the exact version and integrity hash of every installed package. For the ranges below to be safe, package authors need to follow semantic versioning.

Ranges that accept patch releases only: 1.0 or 1.0.x or ~1.0.4

Ranges that accept minor and patch releases: 1 or 1.x or ^1.0.4

Ranges that accept major releases (anything): * or x

There are three common ways to write a version range in package.json:

^3.2.1 => accepts minor and patch upgrades, i.e. >=3.2.1 <4.0.0 (3.x.x)

~3.2.1 => accepts patch upgrades only, i.e. >=3.2.1 <3.3.0 (3.2.x)

3.2.1 => exact version, no change

One caveat: below 1.0.0 the caret is read differently, because the first non-zero component is treated as the breaking-change boundary. ^0.2.3 means >=0.2.3 <0.3.0, and ^0.0.3 means 0.0.3 only.
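To make the range rules concrete, here is a small matcher for the forms listed above (exact, caret, tilde, the X-ranges such as 1, 1.x and 1.0.x, and *), together with a helper that picks the newest matching version the way an install without a lockfile would. This is an added example written for this article, not code from npm or from the semver package; a real project should use the semver package, which also handles pre-release tags, hyphen ranges and ||, none of which are covered here. The version lists passed in are constructed sample data.

```javascript
// Added example: a minimal matcher for the npm range forms discussed above.
// Not the npm/semver library. Only full x.y.z versions are accepted;
// pre-release tags (1.0.0-beta.1), hyphen ranges and "||" are out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a full semver version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate a range into a lower bound (inclusive) and an upper bound
// (exclusive); hi === null means "no upper bound" (the * / x range).
function rangeBounds(range) {
  let r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'X') return { lo: [0, 0, 0], hi: null };

  let op = '';
  if (r[0] === '^' || r[0] === '~') { op = r[0]; r = r.slice(1).trim(); }

  const parts = r.split('.');
  if (parts.length > 3) throw new Error(`bad range: ${range}`);
  const nums = parts.map(p => (p === 'x' || p === 'X' || p === '*') ? null : Number(p));

  // Leading numeric components are "specified"; trailing x's are wildcards.
  let spec = 0;
  while (spec < nums.length && nums[spec] !== null) spec++;
  for (let i = 0; i < spec; i++) {
    if (!Number.isInteger(nums[i]) || nums[i] < 0) throw new Error(`bad range: ${range}`);
  }
  if (spec === 0) return { lo: [0, 0, 0], hi: null };

  const M = nums[0] ?? 0, m = nums[1] ?? 0, p = nums[2] ?? 0;
  const lo = [M, m, p];

  if (op === '') {                       // plain version or X-range
    if (spec === 1) return { lo, hi: [M + 1, 0, 0] };   // "1", "1.x"
    if (spec === 2) return { lo, hi: [M, m + 1, 0] };   // "1.0", "1.0.x"
    return { lo, hi: [M, m, p + 1] };                   // exact "3.2.1"
  }
  if (op === '~') {                      // tilde: patch-level changes only
    if (spec === 1) return { lo, hi: [M + 1, 0, 0] };   // ~1 -> <2.0.0
    return { lo, hi: [M, m + 1, 0] };                   // ~1.2.3 -> <1.3.0
  }
  // caret: the first non-zero component is frozen
  if (M !== 0) return { lo, hi: [M + 1, 0, 0] };        // ^1.2.3 -> <2.0.0
  if (spec === 1) return { lo, hi: [1, 0, 0] };         // ^0, ^0.x -> <1.0.0
  if (m !== 0) return { lo, hi: [0, m + 1, 0] };        // ^0.2.3 -> <0.3.0
  if (spec === 2) return { lo, hi: [0, 1, 0] };         // ^0.0, ^0.0.x -> <0.1.0
  return { lo, hi: [0, 0, p + 1] };                     // ^0.0.3 -> <0.0.4
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  return compare(v, lo) >= 0 && (hi === null || compare(v, hi) < 0);
}

// What an install without a lockfile resolves to: the highest published
// version that satisfies the range (null if none does).
function pickLatest(range, available) {
  const matching = available.filter(v => satisfies(v, range))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return matching.length ? matching[matching.length - 1] : null;
}

// Constructed sample: the versions a hypothetical package has published.
const published = ['3.2.1', '3.2.4', '3.4.0', '3.9.2', '4.0.0'];
console.log('^3.2.1 ->', pickLatest('^3.2.1', published)); // 3.9.2
console.log('~3.2.1 ->', pickLatest('~3.2.1', published)); // 3.2.4
console.log(' 3.2.1 ->', pickLatest('3.2.1', published));  // 3.2.1

module.exports = { parseVersion, compare, rangeBounds, satisfies, pickLatest };
```

The pickLatest output is the reason package-lock.json exists: with the same package.json, two installs a month apart can resolve ^3.2.1 to different versions, and only the lockfile pins which one was actually tested.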

There is a difference between npm and npx.

When you run npm install, the package is downloaded into your project's node_modules (or onto the machine, with -g) and stays there. npx instead runs a package's command-line tool: if the package is already installed in the project it uses that copy; otherwise it fetches it from the npm registry into a temporary cache, executes it, and does not add it to the project. It simply makes use of the code a package provides without making it a dependency. Because npx executes whatever the registry serves under that name, pin the version (npx <package>@<version>) rather than running whatever "latest" happens to be at the time.

NPM packages make a developer's job much easier, but installing a third-party library also pulls its code, and the code of everything it depends on, into your project, so a vulnerable or malicious package becomes your vulnerability. Be careful before selecting a newly released npm package for the project you are building, commit the lockfile so every install resolves to the same versions, and run npm audit regularly to learn about known vulnerabilities in what is already installed.

It is very important to select the right NPM package for the project; consider the following points before the final decision:

  1. Popularity and weekly downloads - higher downloads indicate that more people are using the package, and therefore more eyes on its bugs.
  2. Last release, and how frequently new updates, bug fixes and breaking changes are released.
  3. Maintainers and community contributors - a package with a single maintainer is at higher risk of being abandoned or of its account being taken over.
  4. Peer dependencies - avoid a package with many peer dependencies, as the failure of one of them can break the package and thus your project. The choice is relative and not always binary.
  5. Documentation - good documentation helps developers find the features and resolve their doubts.
  6. GitHub metrics: stars, open and closed issues.
  7. Package size - it should be small so that the bundled JavaScript stays relatively small and the application loads and performs faster.
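The list above (and the peer-dependency point earlier in the article) can be turned into a mechanical first pass. The following added example, written for this article and not part of it, reads the shape of the registry's package document (the JSON returned by GET https://registry.npmjs.org/<name>, with dist-tags, versions, time and maintainers fields) plus the weekly download count (served separately by https://api.npmjs.org/downloads/point/last-week/<name>) and produces warnings. The thresholds are assumptions chosen for illustration; the sample document is constructed, so the script runs offline. One check goes beyond the article's list: whether the package runs lifecycle install scripts (preinstall, install, postinstall), since those execute arbitrary code on your machine at install time.

```javascript
// Added example: vet a package against the selection criteria above.
// Input shape follows the npm registry "packument" and the downloads API;
// thresholds below are illustrative assumptions, not npm policy.

const THRESHOLDS = {
  minWeeklyDownloads: 1000,      // below this, adoption is low
  maxDaysSincePublish: 365,      // older than this, treat as stale
  maxPeerDependencies: 3,        // many peers = fragile install
  minMaintainers: 2,             // one maintainer = single point of failure
  maxUnpackedBytes: 1024 * 1024, // 1 MiB unpacked on disk
};

// Lifecycle scripts npm runs when installing from the registry.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall'];

function daysBetween(fromIso, toIso) {
  return Math.floor((Date.parse(toIso) - Date.parse(fromIso)) / 86400000);
}

// doc: packument; weeklyDownloads: number from the downloads API;
// nowIso: current time (passed in so results are reproducible).
function vetPackage(doc, weeklyDownloads, nowIso, t = THRESHOLDS) {
  const latest = doc['dist-tags'] && doc['dist-tags'].latest;
  const manifest = (doc.versions && doc.versions[latest]) || {};
  const publishedAt = doc.time && doc.time[latest];
  const scripts = manifest.scripts || {};

  const report = {
    name: doc.name,
    latest,
    weeklyDownloads,
    daysSinceLastPublish: publishedAt ? daysBetween(publishedAt, nowIso) : null,
    maintainers: (doc.maintainers || []).length,
    peerDependencies: Object.keys(manifest.peerDependencies || {}),
    unpackedSize: (manifest.dist && manifest.dist.unpackedSize) || 0,
    installScripts: INSTALL_SCRIPTS.filter(s => typeof scripts[s] === 'string'),
    warnings: [],
  };
  const w = report.warnings;

  if (weeklyDownloads < t.minWeeklyDownloads) w.push(`low adoption: ${weeklyDownloads} downloads/week`);
  if (report.daysSinceLastPublish === null) w.push('no publish date recorded for latest version');
  else if (report.daysSinceLastPublish > t.maxDaysSincePublish) w.push(`stale: last publish ${report.daysSinceLastPublish} days ago`);
  if (report.peerDependencies.length > t.maxPeerDependencies) w.push(`many peer dependencies: ${report.peerDependencies.join(', ')}`);
  if (report.maintainers < t.minMaintainers) w.push(`bus factor: ${report.maintainers} maintainer(s)`);
  if (report.unpackedSize > t.maxUnpackedBytes) w.push(`large package: ${report.unpackedSize} bytes unpacked`);
  if (report.installScripts.length) w.push(`runs install scripts: ${report.installScripts.join(', ')}`);
  return report;
}

// Constructed sample packument for a hypothetical package "example-widget".
const samplePackument = {
  name: 'example-widget',
  'dist-tags': { latest: '2.1.0' },
  maintainers: [{ name: 'alice' }, { name: 'bob' }],
  time: {
    created: '2019-03-01T00:00:00.000Z',
    modified: '2023-06-15T00:00:00.000Z',
    '2.0.0': '2022-11-02T00:00:00.000Z',
    '2.1.0': '2023-06-15T00:00:00.000Z',
  },
  versions: {
    '2.1.0': {
      version: '2.1.0',
      dependencies: { 'dep-a': '^1.0.0' },
      peerDependencies: { react: '>=17', 'react-dom': '>=17' },
      scripts: { postinstall: 'node scripts/setup.js', test: 'jest' },
      dist: { unpackedSize: 512000, fileCount: 40 },
    },
  },
};

const report = vetPackage(samplePackument, 250000, '2023-09-13T00:00:00.000Z');
console.log(JSON.stringify(report, null, 2));

module.exports = { THRESHOLDS, INSTALL_SCRIPTS, daysBetween, vetPackage, samplePackument };
```

The warnings are a triage aid, not a verdict: a package that trips the install-scripts check may be perfectly legitimate (native addons often need one), but it is the one whose script you should read before installing, and it is the reason npm install --ignore-scripts exists for automated pipelines.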

Author: Vaibhav Matere