█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Programming Languages/Node.js/npm and the Node Ecosystem
40 minBeginner

npm and the Node Ecosystem

After this lesson, you will be able to: Master package.json, semantic versioning, lockfiles, and workspaces.

npm is more than `install`. Understanding semver + lockfiles avoids 90% of dependency surprises.

Prerequisites:Node Core Modules

package.json essentials

What each field does.

json
{
"name": "myapp",
"version": "1.2.3",
"type": "module", // ESM by default
"private": true, // prevents accidental npm publish
"engines": { "node": ">=20" },
"main": "./dist/index.js", // CommonJS entry
"exports": { // modern conditional exports
".": {
"import": "./dist/index.mjs",
"require": "./dist/index.cjs",
"types": "./dist/index.d.ts"
}
},
"scripts": {
"dev": "tsx watch src/index.ts",
"build": "tsc",
"test": "vitest"
},
"dependencies": { "zod": "^3.22.0" },
"devDependencies": { "vitest": "^1.0.0" }
}

Semver in one paragraph

MAJOR.MINOR.PATCH. Increment MAJOR on breaking changes; MINOR on new features (backwards-compatible); PATCH on bug fixes. Ranges: `^1.2.3` allows >=1.2.3 < 2.0.0 (any 1.x). `~1.2.3` allows >=1.2.3 < 1.3.0 (only patches). `1.2.3` = exact. 0.x versions: minor increments may break (1.0 marks stability).

Lockfiles

package.json declares RANGES. package-lock.json (npm) / pnpm-lock.yaml / yarn.lock pin exact versions for reproducibility. ALWAYS commit your lockfile. `npm ci` (CI) installs strictly from lockfile; `npm install` may update. Hash mismatches between teammates? Different lockfile generators (npm vs pnpm vs yarn). Pick one per project.

npm workspaces (monorepos)

Built into npm 7+.

bash
// Root package.json
{
"name": "my-monorepo",
"private": true,
"workspaces": ["packages/*", "apps/*"]
}
// Use:
npm install # installs all workspaces
npm install lodash -w packages/utils
npm run build -w apps/web
npm run test --workspaces # run in all workspaces

Common mistakes only experienced Node devs avoid

Committing node_modules. Never. Not committing the lockfile. Reproducible installs broken. Mixing npm + yarn + pnpm in the same repo. Pick one. Installing globally (`npm install -g foo`) when npx + project-local works.

Quick Check

Why commit the lockfile?

Pick the cleanest answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Node Core Modules
Back to Node.js
Building HTTP Servers: raw http → Express → Fastify→