Swiftpack.co - Package - npm/npm

npm(1) -- a JavaScript package manager



This is just enough info to get you up and running.

Much more info available via npm help once it's installed.


You need node v4 or higher to run this program.

To install an old and unsupported version of npm that works on node v0.12 and prior, clone the git repo and dig through the old tags and branches.

npm is configured to use npm, Inc.'s public package registry at https://registry.npmjs.org by default.

You can configure npm to use any compatible registry you like, and even run your own registry. Check out the doc on registries.

Use of someone else's registry may be governed by terms of use. The terms of use for the default public registry are available at https://www.npmjs.com.

Super Easy Install

npm is bundled with node.

Windows Computers

Get the MSI. npm is in it.

Apple Macintosh Computers

Get the pkg. npm is in it.

Other Sorts of Unices

Run make install. npm will be installed with node.

If you want a more fancy pants install (a different version, customized paths, etc.) then read on.

Fancy Install (Unix)

There's a pretty robust install script at https://www.npmjs.com/install.sh. You can download that and run it.

Here's an example using curl:

curl -L https://www.npmjs.com/install.sh | sh

Slightly Fancier

You can set any npm configuration params with that script:

npm_config_prefix=/some/path sh install.sh

Or, you can run it in uber-debuggery mode:

npm_debug=1 sh install.sh
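
Piping the download straight into sh runs whatever the server returns, with no chance to read it first. The following is an added example (not code from the npm project) of the download-then-run path: a saved copy is executed only if its SHA-256 still matches the digest recorded when it was reviewed. The helper names `sha256_of` and `run_if_reviewed` are assumptions of this example.

```shell
# Added example, not part of npm. Both helpers are hypothetical names.
# Usage: run_if_reviewed <script> <sha256-recorded-at-review> [VAR=value ...]

sha256_of() {
  # sha256sum on most Linux systems, shasum on macOS and the BSDs
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

run_if_reviewed() {
  script=$1; expected=$2; shift 2
  [ -f "$script" ] || { echo "no such file: $script" >&2; return 2; }
  actual=$(sha256_of "$script") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: digest $actual is not the reviewed one" >&2
    return 1
  fi
  # Remaining arguments are environment assignments such as
  # npm_config_prefix=/some/path or npm_debug=1, handed to the script via env.
  env "$@" sh "$script"
}

# Typical flow (the network step is a comment so the block runs offline):
#   curl -L -o install.sh https://www.npmjs.com/install.sh
#   less install.sh                 # read what it will do
#   sha256_of install.sh            # record this digest after review
#   run_if_reviewed install.sh <recorded-digest> npm_config_prefix=/some/path
```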

Even Fancier

Get the code with git. Use make to build the docs and do other stuff. If you plan on hacking on npm, make link is your friend.

If you've got the npm source code, you can also semi-permanently set arbitrary config keys using ./configure --key=val ..., and then run npm commands with node bin/npm-cli.js <command> <args>. (This is helpful for testing, or running stuff without actually installing npm itself.)

Windows Install or Upgrade

Many improvements for Windows users have been made in npm 3 - you will have a better experience if you run a recent version of npm. To upgrade, either use Microsoft's upgrade tool, download a new version of Node, or follow the Windows upgrade instructions in the npm Troubleshooting Guide.

If that's not fancy enough for you, then you can fetch the code with git, and mess with it directly.

Installing on Cygwin



So sad to see you go.

sudo npm uninstall npm -g

Or, if that fails,

sudo make uninstall

More Severe Uninstalling

Usually, the above instructions are sufficient. That will remove npm, but leave behind anything you've installed.

If you would like to remove all the packages that you have installed, then you can use the npm ls command to find them, and then npm rm to remove them.

To remove cruft left behind by npm 0.x, you can use the included clean-old.sh script file. You can run it conveniently like this:

npm explore npm -g -- sh scripts/clean-old.sh

npm uses two configuration files, one for per-user configs, and another for global (every-user) configs. You can view them by doing:

npm config get userconfig   # defaults to ~/.npmrc
npm config get globalconfig # defaults to /usr/local/etc/npmrc

Uninstalling npm does not remove configuration files by default. You must remove them yourself manually if you want them gone. Note that this means that future npm installs will not remember the settings that you have chosen.
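
Because the config files outlive an uninstall, any registry credentials stored in them do too. The following is an added example (not npm's own tooling) that lists the credential-bearing keys in an npmrc file without printing their values. The helper names and the sample file are constructed for this example; `_authToken`, `_auth` and `_password` are npm's credential config keys.

```shell
# Added example, not part of npm. npmrc_secrets is a hypothetical helper.
# Prints "<line> <literal|env-ref> <key>" per credential setting, never the value.
npmrc_secrets() {
  file=$1
  [ -f "$file" ] || return 0            # no file, nothing left behind
  awk '
    /^[ \t]*[#;]/ { next }               # npmrc comments start with # or ;
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      # Credentials are either bare or scoped to a registry: //host/:_authToken
      if (key ~ /(^|:)(_authToken|_auth|_password)$/) {
        val = substr($0, eq + 1)
        # A ${VAR} reference keeps the secret out of the file itself.
        kind = (index(val, "${") > 0) ? "env-ref" : "literal"
        print NR, kind, key
      }
    }' "$file"
}

# Constructed sample file (fake values) to show what gets reported.
write_sample_npmrc() {
  cat > "$1" <<'EOF'
; constructed sample, values are fake
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=00000000-fake-token
//npm.example.test/:_authToken=${NPM_TOKEN}
always-auth=true
# _password=commented-out
_auth=ZmFrZTpmYWtl
EOF
}

# After an uninstall, check the default locations named above:
#   npmrc_secrets "$HOME/.npmrc"
#   npmrc_secrets /usr/local/etc/npmrc
```

Lines reported as literal hold a secret on disk; revoke that credential on the registry as well as deleting the file.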

More Docs

Check out the docs.

You can use the npm help command to read any of them.

If you're a developer, and you want to use npm to publish your program, you should read this.


When you find issues, please report them:

Be sure to include all of the output from the npm command that didn't work as expected. The npm-debug.log file is also helpful to provide.

You can also find npm people in #npm on https://package.community/ or on Twitter. Whoever responds will no doubt tell you to put the output in a gist or email.


  • npm(1)
  • npm-help(1)
  • npm-index(7)





v5.6.0 - Nov 28, 2017


You may have noticed this is a semver-minor bump. Wondering why? This is why!

  • bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
  • f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
  • 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
  • 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)

Node 9

Previously, it turns out npm broke on the latest Node, node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!

Bug Fixes

  • b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
  • 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
  • a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
  • fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
  • be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
  • bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
  • b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
  • 8c194b86e npm-packlist@1.1.10: Include node_modules/ directories not in the root. (@isaacs)
  • d7ef6a20b libnpx@9.7.1: Fix some *nix binary path escaping issues. (@zkat)
  • 981828466 cacache@10.0.1: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
  • a0be6bafb pacote@7.0.2: Includes a bunch of fixes, especially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
  • b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
  • cac225025 #19054 Don't count failed optionals when summarizing installed packages. (@iarna)


  • b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
  • 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
  • 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
  • 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
  • 798428b0b #19172 bin-links@1.1.0: Log the fact line endings are being changed upon install. (@marcosscriven)


Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!

  • 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
  • 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
  • c930e98ad npm-lifecycle@2.0.0: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
  • 876f0c8f3 829893d61 #19099 find-npm-prefix@1.0.1: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've cd'd into a subdirectory. Did you know you can run npm install from these subdirectories, and it'll only affect the root? It works like git! (@iarna)


Dependency Bumps

v5.5.1 - Oct 4, 2017

A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.

  • e628e058b Fix login to properly recognize OTP request and store bearer tokens. (@Rebecca Turner)

v5.5.0 - Oct 4, 2017

Hey y'all, this is a big new feature release! We've got some security-related goodies plus some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).

The changes largely came together in one piece, so I'm just gonna leave the commit line here:


You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:

npm profile enable-tfa

With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.


You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a read-only token to give to your CI. It will be able to download your private modules but it won't be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.

Deleting tokens isn't new: you could already do it via the website, but now you can do it via the CLI as well.


You can finally change your password from the CLI with npm profile set password! You can also update your email address with npm profile set email <address>. If you change your email address we'll send you a new verification email so you can verify that it's yours.


You can also update all of the other attributes of your profile that previously you could only update via the website: fullname, homepage, freenode, twitter and github.


All of these features were implemented in a standalone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.


  • 5ee55dc71 install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying to upgrade using curl | http://npmjs.com/install.sh. (@iarna)
  • 5cad1699a npm-lifecycle@1.0.3 Fix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
  • cd256cbb2 npm-packlist@1.1.9 Fix a bug where test directories would always be excluded from published modules. (@isaacs)
  • 2a11f0215 Fix formatting of unsupported version warning (@iarna)


  • 6d2a285a5 npm-registry-client@8.5.0
  • 69e64e27b request@2.83.0
  • 34e0f4209 abbrev@1.1.1
  • 10d31739d aproba@1.2.0
  • 2b02e86c0 meant@1.0.1
  • b81fff808 rimraf@2.6.2: Fixes a long standing bug in rimraf's attempts to work around Windows limitations where it owns a file and can change its perms but can't remove it without first changing its perms. This may be an improvement for Windows users of npm under some circumstances. (@isaacs)

v5.4.2 - Sep 15, 2017

This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.


  • 0b28ac72d #18458 Fix a bug on Windows where rolling back of failed optional dependencies would fail. (@marcins)
  • 3a1b29991 write-file-atomic@2.1.0 Revert update of write-file-atomic. There were changes made to it that were resulting in EACCES errors for many users. (@iarna)
  • cd8687e12 Fix a bug where if npm decided it needed to move a module during an upgrade it would strip out much of the package.json. This would result in broken trees after package updates.
  • 5bd0244ee #18385 Fix npm outdated when run on non-registry dependencies. (@joshclow) (@iarna)


  • 339f17b1e Report unsupported node versions with greater granularity. (@iarna)


v5.4.1 - Sep 6, 2017

This is a very small bug fix release to fix a problem where permissions on installed binaries were being set incorrectly.