npm Command Cheat Sheet
A searchable reference of common npm commands and what each one does.
| Command | What it does |
|---|---|
npm install | Install every dependency listed in package.json into the local node_modules folder. |
npm i pkg | Add a package and save it to dependencies (i is short for install). |
npm i -D pkg | Add a package to devDependencies, for tooling needed only during development. |
npm i -g pkg | Install a package globally so its command is available anywhere on your system. |
npm i pkg@version | Install one exact version of a package, for example lodash@4.17.21. |
npm i pkg@latest | Install the newest published version of a package. |
npm ci | Do a clean install straight from package-lock.json, deleting node_modules first, for reproducible builds. |
npm uninstall pkg | Remove a package and delete it from package.json. |
npm update | Upgrade installed packages to the newest versions their package.json ranges allow. |
npm outdated | List installed packages that have a newer version available. |
npm dedupe | Simplify the dependency tree by sharing common packages where possible. |
npm run script | Run a named script defined in the scripts section of package.json. |
npm start | Run the start script, a common shortcut that needs no run keyword. |
npm test | Run the test script, another built-in shortcut. |
npm run build | Run the build script, typically to compile or bundle the project. |
npm run x -- --flag | Pass extra flags to a script; everything after the double dash goes to the underlying command. |
npx pkg | Run a package binary without installing it globally, fetching it on demand if needed. |
npm exec | Run a command from a local or remote package, similar to npx. |
npm init | Start an interactive prompt that creates a new package.json. |
npm init -y | Create a package.json instantly using default answers. |
npm login | Authenticate with the npm registry so you can publish packages. |
npm whoami | Show the npm username you are currently logged in as. |
npm publish | Upload the current package to the npm registry. |
npm publish --access public | Publish a scoped package publicly, since scoped packages default to private. |
npm version patch | Bump the patch number for backward-compatible bug fixes and create a git tag. |
npm version minor | Bump the minor number for new backward-compatible features and tag it. |
npm version major | Bump the major number for breaking changes and tag it. |
npm pack | Create the tarball that publish would upload, without publishing it. |
npm deprecate | Mark a published version as deprecated so installers see a warning. |
npm unpublish | Remove a published version from the registry, subject to strict time limits. |
npm ls | Show the installed dependency tree for the current project. |
npm ls -g --depth=0 | List globally installed packages without their nested dependencies. |
npm view pkg | Show registry details about a package, such as its latest version and metadata. |
npm view pkg versions | List every version of a package published to the registry. |
npm root | Print the path to the local node_modules folder. |
npm root -g | Print the path to the global node_modules folder. |
npm config get | Read the value of an npm configuration key. |
npm config set | Set an npm configuration key and save it to your .npmrc file. |
npm audit | Scan dependencies for known security vulnerabilities and report them. |
npm audit fix | Upgrade vulnerable dependencies automatically where a compatible fix exists. |
npm doctor | Check your environment and registry setup for common problems. |
npm fund | List packages in your tree that are seeking funding, with their links. |
dependencies | package.json field listing packages required to run the project in production. |
devDependencies | package.json field listing packages needed only for development and testing. |
scripts | package.json field mapping short names to commands you run with npm run. |
engines | package.json field declaring the Node and npm versions the project supports. |
main | package.json field naming the entry file loaded when the package is required. |
"type": "module" | package.json setting that makes .js files use ES modules instead of CommonJS. |
bin | package.json field mapping command names to executable files the package provides. |
files | package.json field listing which files are included when the package is published. |
workspaces | package.json field enabling a monorepo of several packages in one repository. |
.npmrc | Config file where npm stores settings like registry URLs and auth tokens. |
npm cache clean --force | Delete the local npm download cache to reclaim space or clear corruption. |
No commands match your search.
Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.
What this tool does
This is a searchable quick reference for the npm commands you reach for every day, from installing and updating dependencies to running scripts, publishing packages, inspecting the tree, and configuring package.json. Each row pairs the exact command with a plain-English note on what it does. Type in the filter box to search across both columns, or tap a category button to focus on one workflow. The whole list is built into the page, so it works offline and sends nothing anywhere.
How to use it
Start typing in the Filter box. Entering ci jumps to
the clean install; entering audit surfaces the security commands;
entering version shows the release bumps. The category
buttons (Install, Scripts, Publish, Inspect, Config) narrow the table to one
family and combine with the text filter, so you can pick Config and type
dev to zero in on devDependencies. Clear the box to see the
full sheet again.
Common use cases
- Recalling the exact flags for a command you use rarely, like
npm publish --access publicornpm ls -g --depth=0. - Copying a safe command into your terminal instead of guessing and breaking a lockfile.
- Explaining to a teammate the difference between
dependenciesanddevDependencies. - Deciding between
npm installandnpm cifor a build script. - Reviewing the core npm workflow before an interview or a new job.
Common pitfalls
- Using npm install in CI.
npm installcan quietly update your lockfile and pull in newer patch versions. In automated builds prefernpm ci, which installs the exact pinned versions and fails fast if the lockfile is out of sync. - Forgetting the double dash for script arguments. Running
npm run test --watchpasses--watchto npm, not your test runner. You neednpm run test -- --watchso the flag reaches the underlying command. - Publishing a scoped package without access. Scoped packages
default to private, so a plain
npm publishcan fail or publish privately. Add--access publicthe first time to release it openly. - Installing tools locally when you meant globally. Leaving off
-gadds a command line tool to one project instead of your whole system, while overusing-ghides a real dependency from your package.json. Match the flag to whether the tool belongs to the project or the machine.
Frequently asked questions
- What is the difference between npm install and npm ci?
- npm install reads package.json, resolves versions within the allowed ranges, adds anything missing, and may update package-lock.json. npm ci ignores package.json ranges, deletes node_modules, and installs the exact versions pinned in package-lock.json, failing if the lockfile and package.json disagree. Use npm install while developing, and npm ci in continuous integration and other places where you want a fast, reproducible install.
- What do the -D and -g flags mean when installing?
- The -D flag (short for --save-dev) records the package under devDependencies, meaning it is only needed while building or testing, such as a bundler or a test runner, and is skipped in production installs. The -g flag installs the package globally instead of into the current project, so its command line tool becomes available system wide. Most project libraries need neither flag and land in plain dependencies.
- What is npx and how is it different from npm?
- npx runs a package binary rather than managing installs. If the package is already in your project it runs that copy; otherwise it downloads it temporarily, runs it, and does not add it to your dependencies. That makes npx handy for one-off tools or scaffolding commands like create-react-app without cluttering your global install. npm exec does the same thing with slightly different argument handling.
- How do I pass arguments to an npm script?
- Put a double dash after the script name and everything that follows is handed to the underlying command. For example npm run test -- --watch passes --watch to your test runner rather than to npm. Without the double dash, npm would try to interpret the flags itself. This lets you keep a short script in package.json and still tweak its behavior from the command line.
- How do I fix npm audit warnings?
- Run npm audit to see the vulnerable packages and their severity, then npm audit fix to upgrade the ones that have a compatible patch. Fixes that require a breaking major upgrade are not applied automatically; you can force them with npm audit fix --force, but test carefully afterward because it can break your build. Warnings buried deep in transitive dependencies sometimes need the offending package to publish a fix first.
- Does this cheat sheet send my searches anywhere?
- No. The entire command list is baked into the page and every filter and search runs in your browser with JavaScript, so nothing you type leaves your device. Open your browser DevTools and watch the Network tab while you search to confirm there are zero requests.
Cite this tool
For academic, journalistic, or technical references. Pick a format:
Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.