
npm


npm is the world's largest software registry and the default package manager for Node.js, hosting over 2 million packages.


npm (Node Package Manager) was created by Isaac Z. Schlueter in 2010 and became the default package manager bundled with Node.js. npm, Inc. was acquired by GitHub (owned by Microsoft) in March 2020 for an undisclosed amount, and it’s now headquartered in San Francisco.

The npm registry hosts over 2 million packages, making it the largest software registry in the world by a significant margin. Developers download more than 200 billion packages per month. Nearly every JavaScript project depends on npm for managing its dependencies.

The npm CLI handles package installation, version management, script running, and publishing. The package.json file at the root of every Node.js project defines dependencies, scripts, and metadata. Lock files (package-lock.json) ensure that every team member and CI server installs exactly the same dependency versions.

npm workspaces, introduced in npm 7, added built-in support for monorepos — managing multiple packages within a single repository. npm audit scans your dependencies for known security vulnerabilities and can automatically apply fixes. The npx command lets you run packages without installing them globally, which is great for one-off tasks and trying out tools.

Security has been a major focus area. npm added two-factor authentication, automated security advisories, and provenance attestations to verify that packages were built from their claimed source code. Despite occasional supply chain attacks targeting the ecosystem, npm remains the backbone of JavaScript development worldwide.
