
NPM Dependency Management Guide

smitmad9 edited this page Aug 3, 2020 · 29 revisions

NPM Vulnerabilities

Occasionally there are security vulnerabilities in the npm packages that you install. You can find them by running npm audit from the command line:

npm audit also runs automatically as part of npm install, so you will see output like this when you first install the modules (though hopefully with fewer vulnerabilities) and/or whenever you run npm audit.

You can fix many vulnerabilities by running npm audit fix from the command line. By default this command only applies semver-compatible upgrades, so it might not fix everything, but it is also unlikely to make changes that break your project. To learn more, see https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities. After running npm audit fix, you will see a summary report like this:

NPM Updates

When npm packages are updated in their open source repositories, they are not automatically updated in your own repository. To get the latest version of the dependencies, you can run npm update. This command updates all packages in the node_modules directory to the latest available stable version. (npm install, by contrast, is very similar but installs every module listed in package.json.)

However, npm update doesn’t automatically update the package.json file to reflect the new versions of the updated modules. This is a problem because those changes won’t persist in your GitHub repository, and they will be lost if your node_modules directory is accidentally deleted.

Helpful npm packages to use (install these globally with 'npm install -g ' followed by the package name):

npm-check-updates

  • Running npm-check-updates on the command line will identify and display each module with an available update with its current version and the latest version. The latest version is color-coded - green = patch upgrade, cyan = minor upgrade, and red = major upgrade.
  • Running ncu -u will actually update the package.json file with the latest versions of each listed module. Then you’ll need to run npm install to update your node_modules to match the package.json.
  • For more information about this package, check out the documentation: https://www.npmjs.com/package/npm-check-updates

npm-check

  • Running npm-check determines and displays dependencies which are outdated (similar to npm-check-updates), incorrect, and/or unused. It also provides a helpful link to the documentation for each listed module.
  • This can be useful when inheriting the project or making major changes to any components to see if it is possible to eliminate unused dependencies and make the project as small and efficient as possible.
  • For more information about this package, check out the documentation: https://www.npmjs.com/package/npm-check

NPM Troubleshooting

If you see error messages like this, the cause may be a discrepancy between your node_modules/ directory and package.json.

To solve this, follow these steps:

  1. npm cache clean --force
  2. rm -r node_modules/
  3. rm package-lock.json
  4. npm install