This is just enough info to get you up and running.
Much more info available via
npm help once it's installed.
You need node v4 or higher to run this program.
To install an old and unsupported version of npm that works on node v0.12 and prior, clone the git repo and dig through the old tags and branches.
npm is configured to use npm, Inc.'s public package registry at https://registry.npmjs.org by default.
You can configure npm to use any compatible registry you like, and even run your own registry. Check out the doc on registries.
Super Easy Install
npm is bundled with node.
Get the MSI. npm is in it.
Apple Macintosh Computers
Get the pkg. npm is in it.
Other Sorts of Unices
make install. npm will be installed with node.
If you want a more fancy pants install (a different version, customized paths, etc.) then read on.
Fancy Install (Unix)
There's a pretty robust install script at https://www.npmjs.com/install.sh. You can download that and run it.
Here's an example using curl:
curl -L https://www.npmjs.com/install.sh | sh
You can set any npm configuration params with that script:
npm_config_prefix=/some/path sh install.sh
Or, you can run it in uber-debuggery mode:
npm_debug=1 sh install.sh
Get the code with git. Use
make to build the docs and do other stuff.
If you plan on hacking on npm,
make link is your friend.
If you've got the npm source code, you can also semi-permanently set
arbitrary config keys using the
./configure --key=val ..., and then
run npm commands by doing
node bin/npm-cli.js <command> <args>. (This is helpful
for testing, or running stuff without actually installing npm itself.)
Windows Install or Upgrade
Many improvements for Windows users have been made in npm 3 - you will have a better experience if you run a recent version of npm. To upgrade, either use Microsoft's upgrade tool, download a new version of Node, or follow the Windows upgrade instructions in the npm Troubleshooting Guide.
If that's not fancy enough for you, then you can fetch the code with git, and mess with it directly.
Installing on Cygwin
So sad to see you go.
sudo npm uninstall npm -g
Or, if that fails,
sudo make uninstall
More Severe Uninstalling
Usually, the above instructions are sufficient. That will remove npm, but leave behind anything you've installed.
If you would like to remove all the packages that you have installed,
then you can use the
npm ls command to find them, and then
npm rm to
To remove cruft left behind by npm 0.x, you can use the included
clean-old.sh script file. You can run it conveniently like this:
npm explore npm -g -- sh scripts/clean-old.sh
npm uses two configuration files, one for per-user configs, and another for global (every-user) configs. You can view them by doing:
npm config get userconfig # defaults to ~/.npmrc npm config get globalconfig # defaults to /usr/local/etc/npmrc
Uninstalling npm does not remove configuration files by default. You must remove them yourself manually if you want them gone. Note that this means that future npm installs will not remember the settings that you have chosen.
Check out the docs.
You can use the
npm help command to read any of them.
If you're a developer, and you want to use npm to publish your program, you should read this.
When you find issues, please report them:
Be sure to include all of the output from the npm command that didn't work
as expected. The
npm-debug.log file is also helpful to provide.
You can also find npm people in
#npm on https://package.community/ or
on Twitter. Whoever responds will no
doubt tell you to put the output in a gist or email.
Help us keep the lights on
v5.6.0 - Nov 28, 2017
You may have noticed this is a semver-minor bump. Wondering why? This is why!
bc263c3fd#19054 Fully cross-platform
package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that
package-lock.jsonshould now be generated consistently across platforms! 🎉 (@iarna)
--package-lock-onlyconfig option. This makes it so you can generate a target
package-lock.jsonwithout performing a full install of
66d18280c#19104 Add new
--node-optionsconfig to pass through a custom
NODE_OPTIONSfor lifecycle scripts. (@bmeck)
114d518c7Ignore mtime when packing tarballs: This means that doing
npm packon the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)
Previously, it turns out npm broke on the latest Node,
node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!
Fix node@9incompatibility. (@isaacs)
6caf23096Remove "unsupported" warning for Node 9 now that things are fixed. (@iarna)
1930b0f8cUpdate test matrix with
b70321733#18881 When dealing with a
node_modulesthat was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with
versionset to tarball URLs. This should now be fixed. (@iarna)
2f9c5dd00#18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
a93e0a51d#18846 Correctly save transitive dependencies when using
fdde7b649#18825 Fix typo and concatenation in error handling. (@alulsh)
be67de7b9#18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
bfdf0fd39#19033 Fix issue where files with
@signs in their names would not get included when packing tarballs. (@zkat)
b65b89bde#19048 Fix problem where
npm loginwas ignoring various networking-related options, such as custom certs. (@wejendorp)
node_modules/directories not in the root. (@isaacs)
email@example.com: Fix some *nix binary path escaping issues. (@zkat)
firstname.lastname@example.org: Fix fallback to
copy-concurrentlywhen file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
email@example.com: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
b80d650de#19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
cac225025#19054 Don't count failed optionals when summarizing installed packages. (@iarna)
b1ec2885c#18326 Stop truncating output of
npm view. This means, for example, that you no longer need to use
--jsonwhen a package has a lot of versions, to see the whole list. (@SimenB)
55a124e0a#18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
635481c61#18844 Improve error messaging for OTP/2FA. (@iarna)
52b142ed5#19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when
fseventsfailed to install. (@iarna)
firstname.lastname@example.org: Log the fact line endings are being changed upon install. (@marcosscriven)
Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!
9d22c96b7#18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
015a7803b#18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like
email@example.com: Use our own
node-gyp. This means npm no longer needs to pull some maneuvers to make sure
node-gypis in the right place, and that external packages using
npm-lifecyclewill get working native builds without having to do their own
firstname.lastname@example.org: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've
cd'd into a subdirectory. Did you know you can run
npm installfrom these subdirectories, and it'll only affect the root? It works like git! (@iarna)
7ae12b21c#18823 Fix spelling of the word authenticator. Because English is hard. (@tmcw)
5dfc3ab7b#18742 Explicitly state 'github:foo/bar' as a valid shorthand for hosted git specs. (@felicio)
a9dc098a6#18679 Add some documentation about the
a8a45668f#18568 Improve wording for the docs for the "engines" section of package.json files. (@apitman)
dbc7e5b60#19118 Use valid JSON in example for bundledDependencies. (@charmander)
779339485#19162 Remove trailing white space from
npm accessdocs. (@WispProxy)
v5.5.1 - Oct 4, 2017
A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.
e628e058bFix login to properly recognize OTP request and store bearer tokens. ([@Rebecca Turner](https://github.com/Rebecca Turner))
v5.5.0 - Oct 4, 2017
Hey y'all, this is a big new feature release! We've got some security related goodies plus a some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).
The changes largely came together in one piece, so I'm just gonna leave the commit line here:
346a34260Two factor authentication, profile editing and token management. (@iarna)
TWO FACTOR AUTHENTICATION
You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:
npm profile enable-tfa
With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.
You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a
read-only token to give to your CI. It will be able to download your private modules but it won't be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.
Deleting tokens isn't new, you could do it via the website but now you can do it via the CLI as well.
CHANGE YOUR PASSWORD, SET YOUR EMAIL
You can finally change your password from the CLI with
npm profile set password! You can also update your email address with
npm profile set email <address>. If you change your email address we'll send you a new verification email so you verify that its yours.
AND EVERYTHING ELSE ON YOUR PROFILE
You can also update all of the other attributes of your profile that previously you could only update via the website:
AVAILABLE STAND ALONE
All of these features were implemented in a stand alone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.
5ee55dc71install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying to upgrade using
curl | http://npmjs.com/install.sh. (@iarna)
email@example.comFix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
firstname.lastname@example.orgFix a bug where test directories would always be excluded from published modules. (@isaacs)
2a11f0215Fix formatting of unsupported version warning (@iarna)
email@example.com: Fixes a long standing bug in rimraf's attempts to work around Windows limitations where it owns a file and can change its perms but can't remove it without first changing its perms. This may be an improvement for Windows users of npm under some circumstances. (@isaacs)
v5.4.2 - Sep 15, 2017
This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.
0b28ac72d#18458 Fix a bug on Windows where rolling back of failed optional dependencies would fail. (@marcins)
firstname.lastname@example.orgRevert update of
write-file-atomic. There were changes made to it that were resulting in EACCES errors for many users. (@iarna)
cd8687e12Fix a bug where if npm decided it needed to move a module during an upgrade it would strip out much of the
package.json. This would result in broken trees after package updates.
npm outdatedwhen run on non-registry dependencies. (@joshclow) (@iarna)