Package Managers Basics
8 examples to get you started with Package Managers - 6 basic and 2 intermediate.
Prerequisites
- Node.js 24.18.0 (Active LTS) installed.
- A new project directory:
mkdir my-api && cd my-api && npm init -y. - Pick one manager per repo and commit its lockfile.
Basic Examples
1. Install a Runtime Dependency with npm
Add a production dependency and record the exact resolved version in package-lock.json.
npm install express@5npm install <pkg>writes todependenciesand updatespackage-lock.json.- npm 10+ ships with Node 24; no separate install needed.
- Use exact majors in
package.jsonwhen you need predictable upgrades.
Related: Lockfiles & Reproducible Installs - CI-safe installs
2. Install a Dev Dependency
Keep build-time tools out of production bundles by using --save-dev.
npm install --save-dev typescript@5.6- Dev dependencies are omitted when
NODE_ENV=productionand you runnpm ci --omit=dev. - TypeScript belongs in
devDependenciesfor backend services compiled at build time. - Pin the major in
package.json; let the lockfile pin the patch.
Related: package.json Scripts - wire
buildandtypecheckscripts
3. Run a One-Off Package Without Installing
Execute CLIs without polluting package.json using npx.
npx --yes tsx src/index.tsnpxdownloads to a cache, runs the binary, and exits.--yesskips the install prompt in CI and scripts.- Prefer a devDependency when you run the same CLI on every build.
4. Check for Outdated Packages
Surface drift between package.json ranges and the registry.
npm outdated- Columns show current, wanted (within range), and latest (may be a major bump).
- Run weekly in active repos; pair with
npm auditfor security fixes. - Do not blindly
npm updateon Friday afternoon without a test run.
Related: Supply Chain: npm audit & Socket - gate risky upgrades
5. Use pnpm for Disk-Efficient Monorepos
pnpm stores packages once on disk and links them into each project via a content-addressable store.
corepack enable
corepack prepare pnpm@latest --activate
pnpm init
pnpm add fastify@5- Hard links mean 10 services do not duplicate 10 copies of
lodash. node_modules/.pnpmlayout is stricter; phantom dependencies are harder to rely on accidentally.- Enable
corepackso CI and laptops use the same pnpm version.
Related: Workspaces & Monorepos -
workspace:*protocol
6. Use Yarn Berry with Zero-Installs (Optional)
Yarn Modern (v4) supports Plug'n'Play and optional checked-in caches for fast CI.
corepack enable
yarn init -2
yarn add zod- Berry defaults differ from Classic Yarn v1; read the migration guide before switching.
- Zero-installs trade repo size for faster
yarn installin CI. - Only adopt if the team commits to Yarn-specific tooling and docs.
Intermediate Examples
7. Enforce Node Version with engines
Reject installs on unsupported Node versions before runtime surprises.
{
"engines": {
"node": ">=24.18.0 <25"
}
}# .npmrc at repo root
engine-strict=trueenginesdocuments the supported runtime;engine-strictmakes npm fail on mismatch.- Mirror the check in CI with
node --versionandnpm ci. - Align with your platform's LTS policy (Node 24 Active LTS in 2026).
Related: engines & engine-strict - local and CI enforcement
8. Choose npm vs pnpm vs Yarn for Your Team
Decision matrix for backend TypeScript services.
| Manager | Choose when | Skip when |
|---|---|---|
| npm | Default choice, single-service repos, minimal tooling | Massive monorepos where install time dominates |
| pnpm | Monorepos, disk/CI cache pressure, strict dependency graph | Team unwilling to fix phantom-import assumptions |
| Yarn Berry | Zero-install workflow, PnP benefits understood | Mixed ecosystem expecting Classic node_modules layout |
- Standardize on one manager per org or monorepo; mixed lockfiles break CI.
- npm 10+ is excellent for most Node 24 API services.
- Revisit the choice when workspace count exceeds ~5 deployables.
Related: Package Managers Best Practices - one lockfile policy
Stack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.