Node.js Managing Dependencies

What is Dependency Management?

Dependency management is the process of tracking, installing, updating, and removing the external packages your application depends on.

It helps ensure your application remains stable, secure, and maintainable over time.

npm (Node Package Manager) is the default package manager for Node.js, but alternatives like Yarn and pnpm are also popular.

The key components of Node.js dependency management include:

  • The package.json file for declaring dependencies and the version ranges you accept
  • Lock files (package-lock.json or yarn.lock) that pin the exact resolved version of every package, direct and transitive
  • Package manager commands to install, update, and remove packages
  • Security tools (such as npm audit) to identify and fix known vulnerabilities

Understanding Semantic Versioning

Node.js packages follow semantic versioning (SemVer), using a three-part version number: MAJOR.MINOR.PATCH

  • MAJOR : Incremented for incompatible API changes
  • MINOR : Incremented for backward-compatible new features
  • PATCH : Incremented for backward-compatible bug fixes

In package.json, version requirements are written as ranges using special characters:

Symbol   Example   Meaning
^        ^2.8.1    Any 2.x.x version from 2.8.1 up (>=2.8.1 <3.0.0); only MAJOR must match
~        ~2.8.1    Any 2.8.x version from 2.8.1 up (>=2.8.1 <2.9.0); MAJOR.MINOR must match
*        *         Any version at all (not recommended for production)
>=       >=2.8.1   Version 2.8.1 or higher, with no upper bound
(none)   2.8.1     Exactly version 2.8.1

One caveat: below 1.0.0 the caret is narrower, because a MINOR or PATCH bump may be a breaking change there. ^0.8.1 allows only 0.8.x (>=0.8.1 <0.9.0), and ^0.0.3 allows only 0.0.3. Note also that npm install <package> writes a caret range by default, so most projects accept new MINOR and PATCH releases unless a lock file pins them.

Example: Different Version Specifications

{
 "dependencies": {
 "express": "^2.8.1",
 "lodash": "~2.8.1",
 "moment": "2.8.1",
 "axios": ">=2.8.1",
 "debug": "2.x"
 }
}

Here "^2.8.1" accepts any 2.x.x version from 2.8.1 up, "~2.8.1" any 2.8.x version from 2.8.1 up, "2.8.1" exactly that version, ">=2.8.1" that version or anything higher, and "2.x" any version whose MAJOR is 2. package.json is plain JSON, so comments are not allowed in the real file.
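To see what the symbols in the table actually admit, here is a small range resolver written for this lesson (it is an added example, not code from the original page or from npm). It handles only the range forms shown above, ignores pre-release tags (an assumption), and resolves a range against a constructed list of "published" versions the way an install without a lock file would; real tooling should use the semver package that npm itself uses.

```javascript
// Added example (not from the original lesson): a minimal resolver for the
// range forms in the table above, so the effect of ^, ~, >=, x and an exact
// pin can be checked against concrete versions. Only those forms are handled
// and pre-release tags are ignored (an assumption).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, component by component (comparing strings would put
// 2.10.0 before 2.9.0).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper
// bound; hi === null means there is no upper bound at all.
function rangeBounds(range) {
  const r = String(range).trim();
  let m;
  if (r === '*' || r === '') return { lo: [0, 0, 0], hi: null };
  if ((m = /^(\d+)\.x(?:\.x)?$/i.exec(r))) {            // 2.x or 2.x.x
    const M = Number(m[1]);
    return { lo: [M, 0, 0], hi: [M + 1, 0, 0] };
  }
  if ((m = /^(\d+)\.(\d+)\.x$/i.exec(r))) {              // 2.8.x
    const M = Number(m[1]), N = Number(m[2]);
    return { lo: [M, N, 0], hi: [M, N + 1, 0] };
  }
  if (r.startsWith('^')) {
    // Caret freezes the left-most non-zero component. From 1.0.0 up that is
    // MAJOR, but ^0.8.1 allows only 0.8.x and ^0.0.3 only 0.0.3, because
    // below 1.0.0 a MINOR or PATCH bump may be breaking.
    const [M, N, P] = parseVersion(r.slice(1));
    const hi = M > 0 ? [M + 1, 0, 0] : N > 0 ? [0, N + 1, 0] : [0, 0, P + 1];
    return { lo: [M, N, P], hi };
  }
  if (r.startsWith('~')) {                               // tilde: MAJOR.MINOR fixed
    const [M, N, P] = parseVersion(r.slice(1));
    return { lo: [M, N, P], hi: [M, N + 1, 0] };
  }
  if (r.startsWith('>=')) {                              // open-ended upper bound
    return { lo: parseVersion(r.slice(2)), hi: null };
  }
  const exact = parseVersion(r);                         // no symbol: exact pin
  return { lo: exact, hi: [exact[0], exact[1], exact[2] + 1] };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  return compareVersions(v, lo) >= 0 && (hi === null || compareVersions(v, hi) < 0);
}

// The highest published version that satisfies a range: what an install
// without a lock file picks from the registry, and therefore what can change
// between two installs of the same package.json.
function resolveRange(range, published) {
  const candidates = published.filter((v) => satisfies(v, range));
  candidates.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed list of "published" versions for the demonstration.
const published = ['2.8.1', '2.8.9', '2.9.0', '2.10.0', '3.0.0'];
for (const range of ['^2.8.1', '~2.8.1', '2.8.1', '>=2.8.1', '2.x', '*']) {
  console.log(range.padEnd(8), '->', resolveRange(range, published));
}
```

Against that list, ^2.8.1 resolves to 2.10.0, ~2.8.1 to 2.8.9, the exact pin to 2.8.1, and both >=2.8.1 and * to 3.0.0, which is the MAJOR jump an open-ended range lets in without anyone editing package.json.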

Installing Dependencies

There are several ways to install dependencies in a Node.js project:

Installing All Dependencies

npm install

This command reads package.json and installs every dependency listed there. If a package-lock.json is present, npm installs the versions recorded in it (as long as they still satisfy the ranges in package.json); otherwise it resolves each range to the newest matching version on the registry and writes a new lock file. For CI and production builds prefer npm ci, which installs exactly what the lock file records, refuses to run if package.json and the lock file disagree, and removes any existing node_modules first, so every build gets the same tree.

Installing a Specific Package

npm install express

This installs the latest version of the package, adds it to dependencies in package.json as a caret range (for example "^4.18.2", npm's default save prefix), and records the exact resolved version in package-lock.json.

Installing a Specific Version

npm install express@4.17.1

Even with an explicit version, npm writes "^4.17.1" to package.json; add --save-exact (or -E) if you want it pinned exactly.

Installing Without Saving to package.json

npm install express --no-save

The package goes into node_modules but is not recorded in package.json or package-lock.json, so a later npm ci, which rebuilds node_modules from the lock file, removes it again.

Installing Globally

npm install -g nodemon

Global packages are installed system-wide (into npm's global prefix) rather than in the project's node_modules directory, and they are not recorded in package.json, so they are not reproduced when someone else installs the project. For tools a project relies on, such as a test runner or a linter, prefer a devDependency run through npm scripts or npx.

Types of Dependencies

Node.js projects can have several types of dependencies, each serving a different purpose:

Regular Dependencies

npm install express --save
# or simply
npm install express

These are packages required for your application to run in production. The --save flag has been the default since npm 5, so the plain form is equivalent.

Development Dependencies

npm install jest --save-dev
# or
npm install jest -D

These are packages needed only for local development and testing, like testing frameworks or build tools.

Peer Dependencies

Declared in package.json to state which version of another package yours is designed to work alongside, without installing that package yourself; the consuming project provides it. npm 7 and later installs a missing peer automatically, while earlier versions only print a warning:

{
 "name": "my-plugin",
 "version": "1.0.0",
 "peerDependencies": {
 "react": "^17.0.0"
 }
}

This tells users that your package expects React 17.x to be installed in their project.

Optional Dependencies

npm install fancy-feature --save-optional
# or
npm install fancy-feature -O

These packages enhance functionality but aren't required for the core application to work. npm tries to install them and carries on if the install or build fails (for example, a native addon with no binary for your platform), so code that uses an optional dependency must handle its absence, typically by wrapping the require() in a try/catch and falling back.

Tip

Use dependencies for packages needed in production, and devDependencies for packages only needed during development or testing. Installing with npm install --omit=dev (or npm ci --omit=dev) skips devDependencies, which keeps build and test tooling out of production images and shrinks the attack surface shipped with the application.
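The dependency sections are also where pinning quietly breaks down: a "*" or ">=" spec, or a package fetched from a git URL or a local path, bypasses the registry and the range discipline the rest of the manifest relies on. The following lint, added here as an example and not part of the lesson or of npm, walks every dependency section of a package.json and flags those specs, plus a package that appears in both dependencies and devDependencies. The manifest and package names it runs on are constructed for the demonstration.

```javascript
// Added example (not from the original lesson): a lint over the dependency
// sections of a package.json. It flags specs that defeat pinning (wildcards,
// `latest`, open-ended >=), specs that fetch from outside the registry
// (git, URL and file specs), and a package listed in both dependencies and
// devDependencies. The manifest below is constructed for the demonstration.

const NON_REGISTRY_PREFIXES = ['git+', 'git:', 'github:', 'gitlab:', 'bitbucket:', 'http:', 'https:', 'file:'];

function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'x' || s === 'latest') return 'unbounded';
  if (NON_REGISTRY_PREFIXES.some((p) => s.startsWith(p))) return 'non-registry';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'non-registry';   // owner/repo GitHub shorthand
  if (/^>=?\s*\d/.test(s) && !/<\s*\d/.test(s)) return 'unbounded';  // >= with no upper bound
  return 'ranged';
}

function lintManifest(pkg) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'ranged') findings.push({ name, section, spec, issue: kind });
    }
  }
  // A package in both the runtime and the dev section gets one version in
  // node_modules anyway; the duplicate only hides which one is intended.
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (pkg.devDependencies && name in pkg.devDependencies) {
      findings.push({ name, section: 'devDependencies', spec: pkg.devDependencies[name], issue: 'also in dependencies' });
    }
  }
  return findings;
}

// Constructed manifest: the package names and specs are made up for the demo.
const sampleManifest = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    express: '^4.18.2',
    lodash: '*',
    'left-pad': '>=1.0.0',
    'internal-lib': 'github:acme/internal-lib',
    debug: '2.x',
  },
  devDependencies: {
    jest: '^29.0.0',
    express: '4.18.2',
  },
  peerDependencies: { react: '^17.0.0' },
};

for (const f of lintManifest(sampleManifest)) {
  console.log(`${f.section}.${f.name} = "${f.spec}": ${f.issue}`);
}
```

Peer dependencies are checked for spec shape only; a plugin that lists react as a peer and again as a devDependency for its own tests is a normal pattern and is not reported. In a real project the manifest would come from JSON.parse of the package.json file rather than a literal.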

Package Lock Files

Lock files ensure consistent installations across different environments by recording, for every package in the tree including transitive ones, the exact version installed, the URL it was fetched from, and an integrity hash of the downloaded tarball.

package-lock.json (npm)

This file is automatically generated when npm modifies the node_modules tree or package.json. The excerpt below shows the version and resolved URL for one package; a real entry also carries an "integrity" field (a sha512 hash of the tarball) that npm verifies on every install, which is what makes the lock file a defence against a swapped package rather than just a version pin.

{
 "name": "my-app",
 "version": "1.0.0",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "node_modules/express": {
 "version": "4.18.2",
 "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
 "dependencies": {
 "accepts": "~1.3.8",
 "array-flatten": "1.1.1"
 }
 }
 }
}

yarn.lock (Yarn)

Yarn's lock file serves a similar purpose but has a different format; yarn install --frozen-lockfile (Yarn 1) or yarn install --immutable (Yarn 2 and later) is the counterpart of npm ci.

Important: Always commit your lock files to version control to ensure consistent installations across your team and deployment environments, and install with npm ci in CI and deployment so that the lock file, not the ranges in package.json, decides what gets installed.
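Because the lock file is what npm ci trusts, it is worth checking the lock file itself before trusting it. The check below is an added example for this lesson (not code from the original page or from npm): it walks a lockfileVersion 3 package-lock.json and reports any installed package whose resolved URL is not on the expected registry, whose tarball name does not match its recorded version, or whose integrity field is missing or uses a weak hash. The lock content is constructed for the demonstration, the hashes are placeholders with the right shape rather than real digests, and the registry host is an assumption (substitute your own mirror's host if you use one).

```javascript
// Added example (not from the original lesson): a check over a
// lockfileVersion 3 package-lock.json that verifies each installed package
// records a `resolved` URL on the expected registry and an `integrity` hash,
// the two fields that let `npm ci` detect a swapped or tampered tarball.
// Lock content and hashes below are constructed; the registry host is an
// assumption.

const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function checkLock(lock, expectedRegistry = EXPECTED_REGISTRY) {
  const findings = [];
  if (lock.lockfileVersion !== 3) {
    findings.push({ pkg: '(root)', issue: `unexpected lockfileVersion ${lock.lockfileVersion}` });
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;            // the project itself
    if (entry.link) continue;             // workspace symlink: nothing is downloaded
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.resolved) {
      findings.push({ pkg: name, issue: 'no resolved URL' });
    } else {
      if (!entry.resolved.startsWith(expectedRegistry)) {
        findings.push({ pkg: name, issue: `resolved outside registry: ${entry.resolved}` });
      }
      if (!entry.resolved.endsWith(`-${entry.version}.tgz`)) {
        findings.push({ pkg: name, issue: `tarball name does not match version ${entry.version}` });
      }
    }
    if (!entry.integrity) {
      findings.push({ pkg: name, issue: 'no integrity hash' });
    } else if (!INTEGRITY_RE.test(entry.integrity)) {
      findings.push({ pkg: name, issue: `weak or malformed integrity (${entry.integrity.split('-')[0]})` });
    }
  }
  return findings;
}

// Placeholder digests with the right shape (88 base64 chars for sha512,
// 28 for sha1) so the format check runs; they are not real hashes.
const FAKE_SHA512 = 'sha512-' + 'A'.repeat(86) + '==';
const FAKE_SHA1 = 'sha1-' + 'B'.repeat(27) + '=';

// Constructed lock file for the demonstration.
const sampleLock = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { express: '^4.18.2' } },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: FAKE_SHA512,
      dependencies: { accepts: '~1.3.8' },
    },
    'node_modules/accepts': {                 // integrity missing: tarball contents unpinned
      version: '1.3.8',
      resolved: 'https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz',
    },
    'node_modules/internal-utils': {          // fetched from elsewhere, with a weak hash
      version: '2.0.0',
      resolved: 'http://mirror.example.internal/internal-utils-2.0.0.tgz',
      integrity: FAKE_SHA1,
    },
  },
};

for (const f of checkLock(sampleLock)) console.log(`${f.pkg}: ${f.issue}`);
```

Run against a real lock file with JSON.parse of its contents; a finding on a package nobody remembers adding is exactly the case a lock-file review in a pull request is meant to catch.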

Check for Outdated Packages

npm outdated

Lists each dependency with its installed version ("Current"), the newest version that still satisfies the range in package.json ("Wanted"), and the newest version published ("Latest").

Update a Specific Package

npm update express

Update All Packages

npm update

npm update only moves packages within the ranges declared in package.json and rewrites package-lock.json to match; it will not cross a MAJOR version unless the range already allows it.

Update npm Itself

npm install -g npm@latest

Using npm-check-updates

For more control over updates, you can use the npm-check-updates package. Unlike npm update, ncu -u rewrites the ranges in package.json to the latest published versions, including new MAJOR versions, so review the resulting diff and run your tests before committing; the lock file is not updated until the final npm install.

# Install npm-check-updates globally
npm install -g npm-check-updates
# Check for updates
ncu
# Update package.json
ncu -u
# Install updated packages
npm install

Audit Your Dependencies

npm audit

Compares the packages in your lock tree against the registry's advisory database and reports known vulnerabilities grouped by severity, together with the direct dependencies that pull each one in. Use --audit-level=<severity> (for example high) when you want a non-zero exit code only for findings at or above that level, which is the usual setting for a CI gate.

Fix Security Vulnerabilities

npm audit fix

Applies the fixes that are available without crossing a MAJOR version. Fixes that need a MAJOR bump are applied only with npm audit fix --force, which can introduce breaking changes, so treat those as manual upgrades with a test run rather than an automatic step. Running the audit in CI against the committed lock file catches vulnerable transitive packages that nobody added on purpose.
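The built-in threshold flag stops the build but does not tell you which findings npm audit fix will resolve on its own and which ones are waiting on a MAJOR bump or have no fix at all. The gate below is an added example for this lesson (not code from the original page or from npm): it evaluates the JSON that npm audit --json prints (npm 7 and later, auditReportVersion 2), fails on findings at or above a chosen severity, and sorts them by how they can be fixed. The report it runs on is a constructed sample with made-up package names, and the field names are those of the npm report format as the author of this example understands it, so confirm them against npm audit --json on your own npm version.

```javascript
// Added example (not from the original lesson): a CI gate over the report
// that `npm audit --json` prints (npm 7+, auditReportVersion 2). Fails on
// findings at or above a severity, and separates fixes that plain
// `npm audit fix` applies from those needing a MAJOR bump (`--force`) or
// having no fix. The report below is constructed; field names follow the
// npm report format as understood here and should be confirmed locally.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function evaluateAudit(report, failAt = 'high') {
  const threshold = SEVERITY_RANK[failAt];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failAt}`);
  const result = { pass: true, blocking: [], autoFixable: [], needsMajorBump: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity] ?? 0;
    const entry = { name: v.name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range };
    // fixAvailable is true (plain `npm audit fix` works), false (no fix
    // published) or an object naming the version to move to, with
    // isSemVerMajor set when that crosses a MAJOR boundary.
    if (v.fixAvailable === true) result.autoFixable.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) result.needsMajorBump.push({ ...entry, fixVersion: v.fixAvailable.version });
    else if (v.fixAvailable) result.autoFixable.push(entry);
    else result.unfixable.push(entry);
    if (rank >= threshold) result.blocking.push(entry);
  }
  result.pass = result.blocking.length === 0;
  return result;
}

// Constructed report: package names, advisories and URLs are invented.
const sampleAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true, range: '<2.0.0',
      via: [{ title: 'Prototype pollution (constructed)', url: 'https://example.invalid/advisory/1' }],
      fixAvailable: true,
    },
    'example-helper': {
      name: 'example-helper', severity: 'low', isDirect: false, range: '*',
      via: ['example-parser'], fixAvailable: false,
    },
    'example-build-tool': {
      name: 'example-build-tool', severity: 'critical', isDirect: true, range: '<=3.1.0',
      via: [{ title: 'Code injection in templates (constructed)', url: 'https://example.invalid/advisory/2' }],
      fixAvailable: { name: 'example-build-tool', version: '4.0.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

const verdict = evaluateAudit(sampleAuditReport, 'high');
console.log(verdict.pass ? 'audit gate: pass' : `audit gate: FAIL (${verdict.blocking.length} blocking)`);
for (const v of verdict.needsMajorBump) console.log(`  ${v.name}: fix needs MAJOR bump to ${v.fixVersion}`);
for (const v of verdict.unfixable) console.log(`  ${v.name}: no fix published (${v.severity})`);
```

To wire it into a pipeline, read the output of npm audit --json from stdin, JSON.parse it, and exit non-zero when pass is false; the needsMajorBump list is the set of upgrades to schedule and test by hand rather than hand to npm audit fix --force.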
