What’s npm install: A Comprehensive Guide to Node Dependencies

Learn what npm install is, how it works, and best practices for managing Node.js dependencies. A practical guide by Install Manual covering commands, scenarios, and the security considerations behind reproducible builds.

Install Manual
Install Manual Team
npm install

npm install is a command in the Node Package Manager that installs dependencies listed in package.json. It fetches packages from the npm registry and places them in node_modules, updating the package-lock.json to lock versions.

npm install is the standard Node Package Manager command to fetch and install dependencies for a project. It reads package.json, downloads required packages from the npm registry, and stores them in node_modules, creating a lockfile to ensure reproducible builds. This guide explains how it works and how to use it effectively.

How npm Install Works Under the Hood

According to Install Manual, npm install is the core mechanism by which a Node.js project fetches its dependencies. When you run the command, npm reads the dependencies and optional dependencies sections of package.json and consults the npm registry to resolve the exact versions that satisfy the specified ranges. It downloads each package as a compressed tarball, verifies its integrity, and unpacks it into the local node_modules directory. Beyond the top-level dependencies, npm also resolves the transitive dependencies those packages require.

A key component of this process is the package-lock.json file, which records the exact versions installed so that future installs are deterministic across machines. The lockfile also stores an integrity hash for each package, which lets npm detect a tarball that was tampered with or corrupted in transit. Install Manual notes that this lockfile is central to reproducible builds and consistent environments across development, CI, and production. The overall flow, including cache usage and integrity verification, makes installs reliable and reduces “works on my machine” moments.

Step by Step: Running npm install

To begin, open your terminal and navigate to the root of your Node.js project where package.json resides. The simplest form of the command is just:

  • npm install

This installs all dependencies listed in package.json. If you want to add a new package, run:

  • npm install <package-name>

For development dependencies, use:

  • npm install <package-name> --save-dev

If you need a global CLI tool, you can install it globally with:

  • npm install -g <package-name>

When a package-lock.json exists, npm will install the exact versions recorded there. If you want a clean slate and strict adherence to the lockfile, you can use:

  • npm ci

This is especially useful in CI environments where reproducibility matters. As you add or remove packages, npm updates the lockfile to reflect changes. This creates a stable, auditable trail of dependency versions across environments.

Local vs Global Install

Dependencies installed locally live inside your project’s node_modules directory and are available to require or import from within that project. They do not affect the system PATH and do not install executables globally by default. Global installs, invoked with -g, place binaries in your npm global directory and are typically used for CLI tools that you want available from anywhere on your machine. In practice, prefer local installs for libraries and frameworks, and reserve global installs for commands you run directly in the command line. On some systems, especially macOS and Linux, global installs may require elevated permissions or a Node version manager to keep environments isolated and predictable.

package.json, package-lock.json, and shrinkwrap

package.json lists the project metadata and declared dependencies. When you run npm install, npm reads this file to determine which packages to fetch and install. package-lock.json locks the exact resolved versions, ensuring that every subsequent install yields the same node_modules layout. This lockfile becomes essential for reproducible builds in teams and across CI pipelines. Shrinkwrap is an older mechanism that served a similar purpose before lockfiles became standard; modern projects rely on package-lock.json or a yarn.lock if using Yarn. Regularly updating the lockfile helps keep dependencies aligned with your intended versions while minimizing drift across environments.
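The two lockfile guarantees described above (a declared dependency must have a locked entry, and a downloaded tarball must match the recorded integrity hash) can be checked outside npm. The following is an added example, not Install Manual's code or npm's own implementation; the tarball bytes and the lockfileVersion 3 layout are constructed sample data, and the sync check is simplified to presence only (it does not verify that the locked version satisfies the declared range).

```python
import base64
import hashlib
import hmac

def parse_sri(sri: str):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest)."""
    algo, _, b64 = sri.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    return algo, base64.b64decode(b64)

def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Produce the SRI form npm records in package-lock.json (sha512 by default)."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

def verify_tarball(sri: str, data: bytes) -> bool:
    """True only if the tarball bytes hash to the digest the lockfile recorded."""
    algo, expected = parse_sri(sri)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)

def missing_from_lockfile(package_json: dict, lockfile: dict) -> list:
    """Declared deps with no resolved entry in the lockfile (npm ci refuses such a tree).
    Simplified: checks presence only, not that the locked version satisfies the range."""
    declared = {**package_json.get("dependencies", {}),
                **package_json.get("devDependencies", {})}
    packages = lockfile.get("packages", {})
    return sorted(n for n in declared if f"node_modules/{n}" not in packages)

def integrity_failures(lockfile: dict, tarballs: dict) -> list:
    """Packages whose downloaded bytes do not match the lockfile's integrity field."""
    bad = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":            # the root project entry has no tarball
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in tarballs and not verify_tarball(entry["integrity"], tarballs[name]):
            bad.append(name)
    return bad

# Constructed sample data: a stand-in tarball and a lockfileVersion 3 layout, not a real project.
GOOD_TARBALL = b"constructed stand-in for left-pad-1.3.0.tgz"
SAMPLE_LOCK = {"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": make_sri(GOOD_TARBALL),
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}}}
SAMPLE_PKG = {"dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"}}
```

A single flipped byte in the tarball changes the sha512 digest, so verify_tarball returns False for it while the untouched bytes pass.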

Common Flags and Options You Should Know

  • -g, --global: install packages globally for CLI access across the system.
  • -D, --save-dev: add a package to devDependencies for development builds.
  • --production: install only dependencies needed for production, excluding devDependencies.
  • --ignore-scripts: skip lifecycle scripts during installation, useful for security or CI build speed.
  • --no-audit: disable the npm security audit during install; use when you know the risks and need speed.
  • --no-fund: disable fund reports from npm during installs to reduce noise.
  • --legacy-peer-deps: ignore peer dependency conflicts that can arise with newer npm versions.
  • --force: force npm to fetch and install packages, sometimes used to resolve stubborn conflicts.

In modern npm usage, dependencies are saved to package.json by default, so -D is primarily used for devDependencies. Keep lockfiles up to date and use npm ci in CI for deterministic installs.
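The --ignore-scripts flag above skips every preinstall, install and postinstall hook, which means some packages (native add-ons, for example) are then only half installed. A common CI pattern is to install with --ignore-scripts, list which packages declared such hooks, and run npm rebuild only for the ones a reviewer has already accepted. The scanner below is an added example, not Install Manual's or npm's code; the manifests in SAMPLE use hypothetical package names and constructed scripts.

```python
import json
from pathlib import Path

# Hooks npm runs for every installed dependency unless --ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_scripts(manifest: dict) -> dict:
    """The install-time lifecycle scripts declared in one package.json, hook -> command."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}

def packages_with_scripts(manifests: dict) -> dict:
    """Package path -> its install hooks, for every package that declares at least one."""
    found = {}
    for path, manifest in manifests.items():
        hooks = install_scripts(manifest)
        if hooks:
            found[path] = hooks
    return found

def unreviewed(manifests: dict, allowlist: set) -> list:
    """Packages with install hooks nobody has reviewed yet. After `npm ci --ignore-scripts`,
    only allowlisted packages get their scripts run via `npm rebuild <name>`."""
    return sorted(path for path, m in manifests.items()
                  if install_scripts(m) and m.get("name", path) not in allowlist)

def load_node_modules(root) -> dict:
    """Read every package.json under a real node_modules tree (relative path -> manifest)."""
    manifests = {}
    for pkg in Path(root).rglob("package.json"):
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(data, dict) and "name" in data:
            manifests[str(pkg.parent.relative_to(root))] = data
    return manifests

# Constructed sample manifests (hypothetical package names, not real npm packages).
SAMPLE = {
    "node_modules/plain-lib": {"name": "plain-lib", "scripts": {"test": "mocha"}},
    "node_modules/native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/needs-setup": {"name": "needs-setup",
                                 "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"}},
}
REVIEWED = {"native-addon"}   # build script already inspected and accepted
```

On a real checkout, `unreviewed(load_node_modules("node_modules"), REVIEWED)` lists the packages whose scripts still need a look before anyone runs npm rebuild for them.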

Troubleshooting Common npm Install Issues

Network or registry issues can block npm install. Check your internet connection, verify the registry URL, and try again. Permissions problems often surface as EACCES errors; a common workaround is to avoid global installs when possible and use a Node version manager like NVM to manage per-user environments. If a package’s integrity check fails, the registry may have corrupted data or the cache could be stale—clear the npm cache and retry. For missing peer dependencies or conflicts, consider using --legacy-peer-deps or inspecting the dependency graph to adjust versions. When in doubt, deleting node_modules and package-lock.json, then running npm install anew can resolve many stubborn problems.

Security and Best Practices for Dependencies

Use npm audit regularly to identify known vulnerabilities in your dependency graph. Keep a clean lockfile and avoid pulling in untrusted packages, especially from Git repositories. The Install Manual analysis, 2026, stresses the importance of reproducible builds through lockfiles and consistent npm audit workflows across development and CI. Prefer exact versions where feasible and run tests after installs to catch integration issues early. In CI, use npm ci to install exactly what’s recorded in package-lock.json, ensuring deterministic builds across environments.
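A consistent npm audit workflow in CI usually means failing the build at a chosen severity rather than reading the report by hand. The gate below is an added example, not Install Manual's code; it assumes the JSON layout that npm 7 and later emit for `npm audit --json` (a top-level "vulnerabilities" object keyed by package name, each with "severity", "isDirect", "range" and "fixAvailable"), and SAMPLE_REPORT is constructed with made-up package names.

```python
SEVERITIES = ("info", "low", "moderate", "high", "critical")

def findings_at_or_above(report: dict, threshold: str = "high") -> list:
    """Advisories from `npm audit --json` whose severity meets the threshold.
    Assumed shape (npm 7+): report["vulnerabilities"][name] carries
    "severity", "isDirect", "range" and "fixAvailable" (bool or object)."""
    floor = SEVERITIES.index(threshold)
    out = []
    for name, v in report.get("vulnerabilities", {}).items():
        if SEVERITIES.index(v["severity"]) >= floor:
            out.append({"name": name, "severity": v["severity"],
                        "direct": v.get("isDirect", False),
                        "range": v.get("range", "?"),
                        "fix": v.get("fixAvailable", False) is not False})
    return sorted(out, key=lambda f: (-SEVERITIES.index(f["severity"]), f["name"]))

def gate(report: dict, threshold: str = "high") -> int:
    """Exit status for CI: 0 when nothing meets the threshold, 1 otherwise."""
    findings = findings_at_or_above(report, threshold)
    for f in findings:
        kind = "direct" if f["direct"] else "transitive"
        fix = "fix available" if f["fix"] else "no automatic fix"
        print(f'{f["severity"]:>8}  {f["name"]} {f["range"]} ({kind}, {fix})')
    return 1 if findings else 0

# Constructed sample report in the npm 7+ audit JSON layout; names and ranges are made up.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"severity": "high", "isDirect": True, "range": "<2.0.1",
                           "fixAvailable": {"name": "example-parser", "version": "2.0.1"}},
        "example-util": {"severity": "moderate", "isDirect": False, "range": "<=1.4.0",
                         "fixAvailable": False},
        "example-logger": {"severity": "critical", "isDirect": False, "range": "*",
                           "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1,
                                     "critical": 1, "total": 3}},
}

if __name__ == "__main__":
    import json, sys
    raise SystemExit(gate(json.load(sys.stdin)))   # usage: npm audit --json | python gate.py
```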

Alternatives and Ecosystem Tips

While npm remains the most popular package manager for Node.js, some teams explore alternatives like Yarn and pnpm for different performance characteristics and workspace features. Use npx to run binaries from installed packages without a global install. Upgrading npm itself is straightforward with npm install -g npm. Remember that a healthy dependency strategy includes regular audits, updates, and an eye toward security. The Install Manual team recommends treating dependency management as a core maintenance task, not an afterthought, to preserve project stability and security.

Got Questions?

What is npm install and why should I use it?

npm install is the standard command to fetch and install dependencies listed in your project's package.json. It resolves versions, downloads packages from the npm registry, and places them in node_modules, updating the lockfile for reproducible builds.

npm install fetches the dependencies your project needs and installs them in the local folder so your code can run exactly as designed.

How do I install a new package for my project?

Use npm install followed by the package name, for example npm install lodash. This adds the package to your dependencies in package.json and places it in node_modules.

Run npm install with the package name to add it to your project dependencies.

What is the difference between npm install and npm ci?

npm install updates dependencies and lockfile as needed, which can change versions. npm ci uses the lockfile to install exact versions, offering deterministic builds ideal for continuous integration.

npm ci installs exactly what is in the lockfile for reproducible builds.

Can I install packages globally with npm install?

Yes, use npm install -g to install CLI tools globally. Global installs affect the system path, so use them for commands you run from the terminal rather than project libraries.

You can install tools globally with -g, but prefer local installs for project libraries.

What are common errors I might see when running npm install?

Common issues include network or registry problems, permission errors, and version conflicts. Resolve by checking permissions, clearing the cache, updating Node or npm, and reviewing dependency versions.

Network or permission errors are the most common; try updating tools and adjusting permissions.

Should I audit my dependencies regularly?

Yes. Running npm audit helps identify known vulnerabilities. Pair audits with lockfile maintenance and regular updates to keep your project secure.

Yes, audit your dependencies regularly to stay protected against known vulnerabilities.

Main Points

  • Install dependencies from package.json with npm install
  • Use a lockfile to ensure reproducible builds
  • Prefer local installs for libraries, global for CLIs
  • Leverage npm ci in CI for deterministic installs
  • Regularly audit and update dependencies to improve security
