Search across all documentation pages
Rules that keep installs reproducible, audits meaningful, and monorepos maintainable.
npm ci, audit gates) rather than README reminders.node_modules graphs.npm ci in CI, not npm install. Prevents silent resolution drift on every pipeline run.engines. e.g. 24.18.0, not floating 24.x only.dependencies and devDependencies correctly. TypeScript, ESLint, and test runners are dev-only.scripts as the automation contract. npm test, npm run build, and npm run typecheck work locally and in CI.postinstall scripts. Slow installs hurt every developer and every cached CI job.prepublishOnly for publish gates. Tests and typecheck run before tarballs reach the registry.npx in scripts. tsx and eslint belong in devDependencies.workspace:* for internal packages. Symlink local libs instead of manual file: paths.exports, not deep relative imports. Cross-package ../../packages/foo/src breaks boundaries.@acme/api, @acme/shared clarifies ownership.npm audit --audit-level=high on every dependency PR. Block merge until fixed or excepted with expiry.postinstall additions are high risk.engine-strict=true in .npmrc. Unsupported Node fails at install, not in production.files whitelist when publishing. Never ship tests, .env.example secrets, or raw src/ unintentionally..d.ts for TypeScript libraries. Consumers should not compile your source.npm version plus CI publish keeps registry and source aligned.npm deprecate warns consumers without breaking lockfiles.Two lockfiles mean two graphs. CI may install with npm while a developer uses Yarn, masking bugs until production.
Large monorepos with many duplicate transitives benefit from pnpm disk efficiency and stricter dependency boundaries.
No. Commit lockfiles only. CI and Docker rebuild node_modules from the lockfile.
Open a PR updating the lockfile, run full CI, deploy. Avoid npm install directly on production servers.
workspaces, shared dev tooling, orchestration scripts (build, test, lint). Deployables keep their own runtime deps.
Libraries use ranges in package.json; the app lockfile pins exact versions for the deployable graph.
Document Node version (Volta/nvm), npm ci, and npm run dev. engine-strict catches mismatches immediately.
Necessary but not sufficient. Layer Socket or similar for behavior analysis and typosquat detection.
When monorepo install time or phantom dependency bugs hurt velocity. Plan a one-PR migration with lockfile regeneration and full CI.
0.0.0 is fine for private-only packages. Bump semver before publishing externally or when consumers outside the repo appear.
npm ci detailsStack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.