Better NPM'ing, Tips and Tricks using NPM

Author: Thomas Queste


I discovered several tips for working with NPM on a daily basis. Here are the top ones.

I presented those tips to my coworkers and the slides are available online.

TL;DR

  • Use save-exact for consistent installs
  • Run npm ci for fast and consistent installs
  • Run npm audit and npm audit fix to find and patch dependencies with known vulnerabilities
  • Use npx npm-check -u or npx updtr to update dependencies
  • Use NVM_SYMLINK_CURRENT to have a symlink to the current node version

Reproducible builds

Problem: your local installation can differ from a coworker's, and from the one on the CI server.

Cause: version ranges such as "rxjs": "^6.2.2" let npm install whichever matching version is published at install time, so two installs run on different days can resolve to different code.

Greenkeeper.io reports that 15% of packages break on a minor or patch update, i.e. on an update a caret range accepts silently:

[Image: Greenkeeper.io statistics on breaking minor/patch updates]

Solution: Use --save-exact when installing a dependency

$ npm install --save-exact aDependency
# Shorter:
$ npm i -E aDependency

Better solution: make exact the default so nobody has to remember the flag: npm config set save-exact true. This writes to your user ~/.npmrc, so it covers only your machine; to get the same behaviour for coworkers and CI, commit a project-level .npmrc containing save-exact=true. Note that this pins only your direct dependencies: the ranges declared by those dependencies still resolve at install time, which is what package-lock.json and npm ci (next section) take care of.

$ npm config set save-exact true
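Because the npm setting lives in each developer's own ~/.npmrc, the rule is only enforced if something in the repository checks it. The script below is an added example, not code from the original post: it classifies every dependency spec in a package.json (caret, tilde, wildcard, comparator range, URL/alias, dist-tag) so a CI job or pre-commit hook can fail on anything that is not an exact version, and it verifies that a committed .npmrc carries save-exact=true. The sample manifest and .npmrc embedded in it are constructed for the demo; peerDependencies are skipped on purpose because they are ranges by design.

```javascript
// Added example, not from the original post: a CI / pre-commit gate for the
// "always exact" rule. `npm config set save-exact true` only changes the npm
// config of the machine it was run on, so the repository still needs a check.
// The sample package.json and .npmrc below are constructed for this demo.

// An exact version: 1.2.3, 1.2.3-beta.1, 1.2.3+build.5 (no ^, ~, x, ranges).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Name the kind of spec so the report says what to replace, not just "not exact".
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'exact';
  if (s === '' || /^[0-9.]*[xX*]$/.test(s)) return 'wildcard';        // "", "*", "1.x", "1.2.*"
  if (s[0] === '^') return 'caret-range';                              // "^6.2.2"
  if (s[0] === '~') return 'tilde-range';                              // "~3.1.0"
  if (/[<>=]|\|\||\s-\s/.test(s)) return 'comparator-range';           // ">=1 <2", "1.0.0 - 1.5.0"
  if (/^(?:npm|file|link|git(?:\+\w+)?|https?|ssh|github|gitlab|bitbucket):/.test(s)
      || /^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(s)) return 'url-or-alias';  // "git+https://...", "user/repo#v1"
  return 'dist-tag';                                                   // "latest", "next", "beta"
}

// peerDependencies are left out on purpose: they describe what the consumer
// must provide and are ranges by design.
const CHECKED_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function findNonExact(pkg) {
  const problems = [];
  for (const field of CHECKED_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') problems.push({ field, name, spec, kind });
    }
  }
  return problems;
}

// The npm setting only helps if every contributor and the CI runner have it,
// so also require a committed project-level .npmrc with save-exact=true.
function npmrcHasSaveExact(text) {
  return text.split(/\r?\n/).some((rawLine) => {
    const line = rawLine.split(/[#;]/)[0];                            // strip comments
    const m = /^\s*save-exact\s*=\s*(\S+)\s*$/.exec(line);
    return m !== null && m[1].toLowerCase() === 'true';
  });
}

function report(pkg, npmrcText) {
  const lines = findNonExact(pkg).map(
    (p) => `${p.field}.${p.name}: "${p.spec}" is a ${p.kind}, pin an exact version`);
  if (!npmrcHasSaveExact(npmrcText)) lines.push('.npmrc: save-exact=true is missing');
  return lines;
}

// Constructed sample input (not a real project).
const SAMPLE_PKG = {
  name: 'demo', version: '1.0.0',
  dependencies: { rxjs: '^6.2.2', lodash: '4.17.11', '@types/node': '*' },
  devDependencies: { typescript: '~3.1.0', cleaver: 'latest' },
  optionalDependencies: { fsevents: '1.2.4' },
};
const SAMPLE_NPMRC = 'registry=https://registry.npmjs.org/\nsave-exact=true\n';

// Usage: node check-exact.js [path/to/package.json] [path/to/.npmrc]
// Without arguments it runs on the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [pkgPath, npmrcPath] = process.argv.slice(2);
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, 'utf8')) : SAMPLE_PKG;
  const npmrc = npmrcPath ? fs.readFileSync(npmrcPath, 'utf8') : SAMPLE_NPMRC;
  const problems = report(pkg, npmrc);
  console.log(problems.length ? problems.join('\n') : 'all dependency specs are exact');
  if (pkgPath) process.exitCode = problems.length ? 1 : 0;             // non-zero fails CI
}
```

On the constructed sample the report lists four specs to pin (rxjs, @types/node, typescript, cleaver) and accepts the .npmrc; when run against real files it sets a non-zero exit code so the CI step fails.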

Installing package

Problem: npm install resolves the dependency graph again on every run, which can install different versions (transitive dependencies declare ranges even if you used --save-exact for your own) and rewrites package-lock.json whether you wanted that or not.

Solution: use npm ci, which installs exactly what package-lock.json records. It deletes any existing node_modules first and, instead of re-resolving, fails with an error if package.json and package-lock.json disagree.

↗ Speed (on CI and locally)

➕ Never modifies package-lock.json

$ npm ci
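Since npm ci installs whatever the lock says, the lock is the real supply-chain pin, and it is worth checking before trusting it. The script below is an added example, not code from the original post: it verifies that the lock is in sync with package.json (the condition npm ci itself enforces), that every exactly pinned direct dependency is locked at that version, and that every locked entry is fetched over https from an allowed registry host with a sha512 integrity hash. It reads both the lockfileVersion 1 layout (entries under "dependencies") and the version 2/3 layout (entries under "packages"). The allowed-host list and the sample manifest/lock embedded in it are constructed assumptions for the demo.

```javascript
// Added example, not from the original post: sanity checks on the pair
// package.json / package-lock.json before handing them to `npm ci`. npm ci
// installs exactly what the lock records, so the lock is the real supply-chain
// pin: this script verifies it is in sync with the manifest and that every
// entry carries a registry URL from an allow-list and a sha512 integrity hash.
// The allow-list and the sample manifest/lock below are constructed for the demo.

const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);      // assumption: add internal mirrors here
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Top-level entries as { name: { version, resolved, integrity, ... } }.
// lockfileVersion 2/3 keys entries by path under "packages"; version 1 keys
// them by name under "dependencies".
function topLevelEntries(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
      if (m && !entry.link) out[m[1]] = entry;                 // skip workspace symlinks
    }
  } else {
    Object.assign(out, lock.dependencies || {});
  }
  return out;
}

function sortedJson(obj) {
  return JSON.stringify(Object.fromEntries(Object.entries(obj || {}).sort()));
}

function checkLock(pkg, lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const entries = topLevelEntries(lock);

  // 1. Manifest vs lock root. npm ci refuses to run when these disagree
  //    ("package.json and package-lock.json are not in sync"); surface it early.
  const root = lock.packages && lock.packages[''];
  if (root) {
    for (const field of ['dependencies', 'devDependencies']) {
      if (sortedJson(pkg[field]) !== sortedJson(root[field])) {
        findings.push(`out of sync: ${field} differ between package.json and the lock root`);
      }
    }
  }

  // 2. Every declared dependency must be locked; an exact pin must match exactly.
  const declared = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  for (const [name, spec] of Object.entries(declared)) {
    const entry = entries[name];
    if (!entry) { findings.push(`missing from lock: ${name}`); continue; }
    if (EXACT_VERSION.test(spec) && entry.version !== spec) {
      findings.push(`version mismatch: ${name} pinned ${spec}, lock has ${entry.version}`);
    }
  }

  // 3. Provenance of each locked tarball: where it is fetched from and its hash.
  //    Bundled packages ship inside their parent's tarball and have neither.
  for (const [name, entry] of Object.entries(entries)) {
    if (entry.inBundle || entry.bundled) continue;
    let host = null;
    try {
      const url = new URL(entry.resolved || '');
      if (url.protocol === 'https:') host = url.hostname;
    } catch (e) { /* missing or unparsable "resolved" */ }
    if (!host || !allowedHosts.has(host)) {
      findings.push(`unexpected source: ${name} -> ${entry.resolved || '(none)'}`);
    }
    if (!/^sha512-/.test(entry.integrity || '')) {
      findings.push(`weak or missing integrity: ${name} (${entry.integrity || 'none'})`);
    }
  }
  return findings;
}

// Constructed sample (not a real project): lodash is pinned to 4.17.11 but the
// lock resolves 4.17.10 over plain http with a sha1 hash, and left-pad was added
// to package.json without re-running npm install. Hashes are placeholders.
const SAMPLE_PKG = {
  name: 'demo', version: '1.0.0',
  dependencies: { rxjs: '6.2.2', lodash: '4.17.11', 'left-pad': '1.3.0' },
  devDependencies: { typescript: '3.1.6' },
};
const SAMPLE_LOCK = {
  name: 'demo', version: '1.0.0', lockfileVersion: 2,
  packages: {
    '': { dependencies: { rxjs: '6.2.2', lodash: '4.17.11' }, devDependencies: { typescript: '3.1.6' } },
    'node_modules/rxjs': { version: '6.2.2', resolved: 'https://registry.npmjs.org/rxjs/-/rxjs-6.2.2.tgz', integrity: 'sha512-c0nStRuCtEdPlAcEhOlDeR' },
    'node_modules/lodash': { version: '4.17.10', resolved: 'http://mirror.example.test/lodash-4.17.10.tgz', integrity: 'sha1-c0nStRuCtEd' },
    'node_modules/typescript': { version: '3.1.6', dev: true, resolved: 'https://registry.npmjs.org/typescript/-/typescript-3.1.6.tgz', integrity: 'sha512-c0nStRuCtEdPlAcEhOlDeR' },
  },
};

// Usage: node check-lock.js [package.json] [package-lock.json]; with no
// arguments it checks the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [pkgPath, lockPath] = process.argv.slice(2);
  const read = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  const findings = checkLock(pkgPath ? read(pkgPath) : SAMPLE_PKG, lockPath ? read(lockPath) : SAMPLE_LOCK);
  console.log(findings.length ? findings.join('\n') : 'lock is in sync and every entry comes from an allowed registry');
  if (pkgPath) process.exitCode = findings.length ? 1 : 0;   // non-zero fails CI
}
```

On the constructed sample the script reports five findings (the out-of-sync dependencies map, the missing left-pad entry, and the version, source and integrity problems on lodash); a lock whose entries all come from registry.npmjs.org with sha512 hashes produces none. Add your own mirror to the allow-list before using it in CI, otherwise every entry will be flagged.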

Global package

Problem: global installs pollute the global node_modules with tools you run once in a while (nest-cli or create-react-app alone pull in hundreds of packages), and every machine ends up with a different set of them.

Solution: npx runs a package's command without installing it globally: it first looks for the binary in the local node_modules and otherwise downloads the package into a temporary cache and runs it from there. Keep in mind that this download-and-run step executes whatever package matches the name you typed, so check the spelling: a typo can run an unrelated (or deliberately squatted) package.

# Example with params given to cleaver
$ npx cleaver watch index.md

Security

Problem: finding dependencies with known vulnerabilities, including transitive ones you never added yourself.

Solution: use the built-in npm audit, which checks the installed tree against the npm advisory database, and npm audit fix, which applies the updates that resolve the findings within the declared semver ranges. npm audit fix --force also allows semver-major updates and can therefore break the build; run npm audit fix --dry-run first to see what would change, and review the resulting diff of package.json and package-lock.json.

➕ Fails the build when run in CI: npm audit exits non-zero when it finds vulnerabilities, and --audit-level=high (or moderate, critical) raises the threshold so that low-severity findings do not block the pipeline.

Another solution is to use the built-in dependency alerts of GitHub and GitLab.

$ npm audit fix

Updating packages

Problem: updating all dependencies at once and then finding the one that breaks the code is tedious.

Solution 1 (best): updtr updates one dependency, runs the tests, keeps the update if they pass or rolls it back if they fail, then moves on to the next one.

$ npx updtr

Solution 2: npm-check shows an interactive menu of all available updates (with -u) and lets you pick which ones to apply.

$ npx npm-check -u


Current Node version in Tools

Problem: when configuring Node/TypeScript in tools such as an IDE, the path to the node binary contains the version number, so it has to be updated after every Node.js upgrade.

[Screenshot: list of Node.js interpreters in IntelliJ]

Solution: if you manage Node.js installations with NVM, NVM can maintain a symlink to the current version for you. With NVM_SYMLINK_CURRENT set, NVM points ~/.nvm/current at, for example, ~/.nvm/versions/node/v11.0.0 and re-points it whenever you switch versions (automatically, if you use the NVM auto-use ZSH plugin). Configure your tools with ~/.nvm/current/bin/node and they keep working across upgrades.

# Put this in your .bashrc/.zshrc, before the lines that source nvm.sh
$ export NVM_SYMLINK_CURRENT=true

(Bonus) Follow GitHub Releases

Problem: being notified when a project you depend on publishes a new release.

Solution 1 (updated 2018-12-02): GitHub now supports watching only the releases of a repository; see the GitHub documentation.

Solution 2: Gitpunch.com solves the same problem. It can follow all your GitHub stars as well as specific projects.

