
What is package.json and how does npm work?

package.json and npm

npm (Node Package Manager) is the default package manager for Node.js. package.json is the manifest file of every Node.js project, describing its dependencies, scripts, metadata, and configuration.


package.json Structure

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "description": "My awesome Node.js app",
  "main": "src/index.js",
  "scripts": {
    "start": "node src/index.js",
    "dev": "nodemon src/index.js",
    "test": "jest",
    "build": "tsc"
  },
  "dependencies": {
    "express": "^4.18.2",
    "dotenv": "^16.0.0"
  },
  "devDependencies": {
    "nodemon": "^3.0.0",
    "jest": "^29.0.0",
    "typescript": "^5.0.0"
  },
  "engines": {
    "node": ">=18.0.0"
  }
}
```

Key Fields

| Field | Description |
| --- | --- |
| name | Package name (must be unique on npm) |
| version | SemVer: major.minor.patch |
| main | Entry point for the package |
| scripts | CLI shortcuts run with npm run |
| dependencies | Packages needed in production |
| devDependencies | Packages needed only for development |
| peerDependencies | Packages the consumer must provide |
| engines | Required Node.js/npm versions |

Version Ranges (SemVer)

```json
"express": "4.18.2"    // exact version
"express": "^4.18.2"   // compatible: >=4.18.2 <5.0.0
"express": "~4.18.2"   // patch only: >=4.18.2 <4.19.0
"express": "*"         // any version (dangerous!)
"express": ">=4.0.0"   // range
```

package-lock.json

package-lock.json locks the exact versions of all installed packages (including transitive dependencies). Always commit it!

```
package.json       → specifies version ranges
package-lock.json  → locks exact resolved versions
node_modules/      → installed packages (never commit this)
```
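To show what each range form from the Version Ranges section lets an install without a lockfile resolve to, here is an added example (not code from the original page). It is a simplified checker that covers only the five forms listed and ignores pre-release tags, and it goes one step beyond the page by handling caret ranges on 0.x versions. The helper name `unboundedDeps` and the sample manifest are constructed for illustration.

```javascript
// Added example (not from the original page). Simplified resolver for the five
// range forms shown above; the real npm "semver" package handles many more.
const parse = (v) => v.split(".").map(Number);          // "4.18.2" -> [4, 18, 2]
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Returns [lowerInclusive, upperExclusive]; upper is null when unbounded.
function bounds(range) {
  if (range === "*") return [[0, 0, 0], null];
  if (range.startsWith(">=")) return [parse(range.slice(2)), null];
  const op = "^~".includes(range[0]) ? range[0] : "";
  const [maj, min, pat] = parse(range.slice(op.length));
  const low = [maj, min, pat];
  if (op === "") return [low, [maj, min, pat + 1]];       // exact pin
  if (op === "~") return [low, [maj, min + 1, 0]];        // patch updates only
  // Caret: the left-most non-zero component is frozen, so 0.x is stricter.
  if (maj > 0) return [low, [maj + 1, 0, 0]];
  if (min > 0) return [low, [0, min + 1, 0]];
  return [low, [0, 0, pat + 1]];
}

function satisfies(version, range) {
  const v = parse(version);
  const [low, high] = bounds(range);
  return cmp(v, low) >= 0 && (high === null || cmp(v, high) < 0);
}

// Hypothetical helper: lists dependencies whose range has no upper bound.
function unboundedDeps(manifest) {
  const all = { ...manifest.dependencies, ...manifest.devDependencies };
  return Object.keys(all).filter((name) => bounds(all[name])[1] === null).sort();
}

// Constructed sample manifest.
const sample = {
  dependencies: { express: "^4.18.2", dotenv: "*", lodash: ">=4.0.0" },
  devDependencies: { jest: "~29.7.0", "left-pad": "1.3.0" },
};
console.log(unboundedDeps(sample));              // [ 'dotenv', 'lodash' ]
console.log(satisfies("4.19.0", "^4.18.2"));     // true
console.log(satisfies("4.19.0", "~4.18.2"));     // false
```

Any version that `satisfies` accepts is one a fresh install may pick up when no lockfile is present, which is why the unbounded entries deserve review first.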

Common npm Commands

```bash
# Install all dependencies
npm install

# Install a package
npm install express
npm install --save-dev jest   # dev dependency
npm install -g nodemon        # global

# Remove a package
npm uninstall express

# Run a script
npm run dev
npm test     # shortcut for npm run test
npm start    # shortcut for npm run start

# Update packages
npm update
npm outdated # see outdated packages

# Security audit
npm audit
npm audit fix

# View package info
npm info express
npm list     # installed packages tree
```

npm Scripts

```json
{
  "scripts": {
    "start": "node dist/index.js",
    "dev": "nodemon src/index.ts",
    "build": "tsc",
    "test": "jest --coverage",
    "lint": "eslint src/**/*.ts",
    "prestart": "npm run build",
    "posttest": "echo 'Tests done'"
  }
}
```

pre and post hooks run automatically before/after the script they are named for: here "prestart" runs before "start", and "posttest" runs after "test".


.npmrc

```ini
# .npmrc: npm configuration
registry=https://registry.npmjs.org/
# save exact versions
save-exact=true
# enforce engines field
engine-strict=true
```

npm vs yarn vs pnpm

| | npm | yarn | pnpm |
| --- | --- | --- | --- |
| Speed | Good | Fast | Fastest |
| Disk usage | High | High | Low (hard links) |
| Lockfile | package-lock.json | yarn.lock | pnpm-lock.yaml |
| Workspaces | | | |

Summary

package.json is the project descriptor for Node.js apps. npm manages your dependencies, scripts, and versioning. Always commit package-lock.json and add node_modules/ to .gitignore.
