Demystifying NPM

When you are building a software product or a service solution, then you will not always build everything from scratch; you need different third party libraries. Those third party libraries that are well maintained, open source, in which bugs already encountered and fixed, makes the life of developer very easy so he/ she can focus on actually adding a feature/service instead of setting everyting from scratch.

There is place from where we take these already build libraries / packages / modules / utilities... that place is called NPM - Node Package Manager. so, NPM is simply a registry where all the packagess are listed and we just download the package we need.

We can also build and deploy our own package so that other people can use it. NPM is own by Github; Github is now acquired by microsoft.

Just like NPM, we also have yarn. Yarn is own by facebook (now called Meta). Yarn is just an alternative of NPM. It's also open source but a bit more faster than NPM and have better security checks.

All the packages are not written from scratch, In case of few packages to work they also need some external support, it's called "peer dependencies". For example to run 'react-dom' you will need 'react'. If we try to install a dependency which needed peer dependency to install, then NPM used to give warning till it's 6th version. But from NPM 7 version, these peer dependencies will get automatically installed.

There are two types of dependencies :

1. Dev Dependency - The dependency that is required at the time of developement in your local machine.

ex. testing dependencies.

2. Prod Level Dependency - The dependency required for production environment. ex. axios, loadash

1. Local / Project Level dependency - scope is restricted to the project.?

2. Global Level dependecy - present all across our machine; available at any project, any folder.

Semantic versioning -?

NPM wanted to make the symmetry in semantic versioning so in NPM-5 they introduces something called package.lock.json file. developers needs to follow the semantic versioning.

Patch releases: 1.0 or 1.0.x or ~1.0.4

Minor releases: 1 or 1.x or ^1.0.4

Major releases: * or x?

There are 3 common ways to show semantic versioning.

^ 3.2.1 => upgrades patch version and minor version ex. 3.x.x?

~ 3.2.1 => upgrade only patch version ex.3.2.x

3.2.1 => no change

There is difference between NPM and NPX

When you do npm install then that specific package in your machine?whereas npx just brings that package in our sysyem from npm registry?without installing it, execute it and delete package afterwards. it's just make the use of code that is provided by dependency.

The use of NPM packages makes the developers job very easy but at the same time, installing these third party libraries can also add some vulnarabilities in project. So one should be very careful before selecting newly released NPM package for the project he/she is building.

It's very important to select right NPM package for the project, consider following points before the final decision:

1. NPM package; it's popularity and weekely downloads - higher downloads indicates that more people are using this package.
2. Last release and how frequently they release new update, bug fix, breaking changes etc.
3. Mainteners, community contributors
4. Peer dependency - avoid if it has so many peer dependencies as failure of one dependency can cause failure of entire package and thus your project. The choice is relative and not always binary.
5. Documentation - A good documentation helps developers to find the features and solve his/ her doubts if any.
6. Github metrics, stars, open and closed issues
7. NPM package size - It should be small so that bundle JS is relatively smaller and application will load, perform faster.