glunty

npm Command Cheat Sheet

A searchable reference of common npm commands and what each one does.

Common npm commands with a plain-English description of what each one does
Command What it does
npm install Install every dependency listed in package.json into the local node_modules folder.
npm i pkg Add a package and save it to dependencies (i is short for install).
npm i -D pkg Add a package to devDependencies, for tooling needed only during development.
npm i -g pkg Install a package globally so its command is available anywhere on your system.
npm i pkg@version Install one exact version of a package, for example lodash@4.17.21.
npm i pkg@latest Install the newest published version of a package.
npm ci Do a clean install straight from package-lock.json, deleting node_modules first, for reproducible builds.
npm uninstall pkg Remove a package and delete it from package.json.
npm update Upgrade installed packages to the newest versions their package.json ranges allow.
npm outdated List installed packages that have a newer version available.
npm dedupe Simplify the dependency tree by sharing common packages where possible.
npm run script Run a named script defined in the scripts section of package.json.
npm start Run the start script, a common shortcut that needs no run keyword.
npm test Run the test script, another built-in shortcut.
npm run build Run the build script, typically to compile or bundle the project.
npm run x -- --flag Pass extra flags to a script; everything after the double dash goes to the underlying command.
npx pkg Run a package binary without installing it globally, fetching it on demand if needed.
npm exec Run a command from a local or remote package, similar to npx.
npm init Start an interactive prompt that creates a new package.json.
npm init -y Create a package.json instantly using default answers.
npm login Authenticate with the npm registry so you can publish packages.
npm whoami Show the npm username you are currently logged in as.
npm publish Upload the current package to the npm registry.
npm publish --access public Publish a scoped package publicly, since scoped packages default to private.
npm version patch Bump the patch number for backward-compatible bug fixes and create a git tag.
npm version minor Bump the minor number for new backward-compatible features and tag it.
npm version major Bump the major number for breaking changes and tag it.
npm pack Create the tarball that publish would upload, without publishing it.
npm deprecate Mark a published version as deprecated so installers see a warning.
npm unpublish Remove a published version from the registry, subject to strict time limits.
npm ls Show the installed dependency tree for the current project.
npm ls -g --depth=0 List globally installed packages without their nested dependencies.
npm view pkg Show registry details about a package, such as its latest version and metadata.
npm view pkg versions List every version of a package published to the registry.
npm root Print the path to the local node_modules folder.
npm root -g Print the path to the global node_modules folder.
npm config get Read the value of an npm configuration key.
npm config set Set an npm configuration key and save it to your .npmrc file.
npm audit Scan dependencies for known security vulnerabilities and report them.
npm audit fix Upgrade vulnerable dependencies automatically where a compatible fix exists.
npm doctor Check your environment and registry setup for common problems.
npm fund List packages in your tree that are seeking funding, with their links.
dependencies package.json field listing packages required to run the project in production.
devDependencies package.json field listing packages needed only for development and testing.
scripts package.json field mapping short names to commands you run with npm run.
engines package.json field declaring the Node and npm versions the project supports.
main package.json field naming the entry file loaded when the package is required.
"type": "module" package.json setting that makes .js files use ES modules instead of CommonJS.
bin package.json field mapping command names to executable files the package provides.
files package.json field listing which files are included when the package is published.
workspaces package.json field enabling a monorepo of several packages in one repository.
.npmrc Config file where npm stores settings like registry URLs and auth tokens.
npm cache clean --force Delete the local npm download cache to reclaim space or clear corruption.

Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.

What this tool does

This is a searchable quick reference for the npm commands you reach for every day, from installing and updating dependencies to running scripts, publishing packages, inspecting the tree, and configuring package.json. Each row pairs the exact command with a plain-English note on what it does. Type in the filter box to search across both columns, or tap a category button to focus on one workflow. The whole list is built into the page, so it works offline and sends nothing anywhere.

How to use it

Start typing in the Filter box. Entering ci jumps to the clean install; entering audit surfaces the security commands; entering version shows the release bumps. The category buttons (Install, Scripts, Publish, Inspect, Config) narrow the table to one family and combine with the text filter, so you can pick Config and type dev to zero in on devDependencies. Clear the box to see the full sheet again.

Common use cases

  • Recalling the exact flags for a command you use rarely, like npm publish --access public or npm ls -g --depth=0.
  • Copying a safe command into your terminal instead of guessing and breaking a lockfile.
  • Explaining to a teammate the difference between dependencies and devDependencies.
  • Deciding between npm install and npm ci for a build script.
  • Reviewing the core npm workflow before an interview or a new job.

Common pitfalls

  • Using npm install in CI. npm install can quietly update your lockfile and pull in newer patch versions. In automated builds prefer npm ci, which installs the exact pinned versions and fails fast if the lockfile is out of sync.
  • Forgetting the double dash for script arguments. Running npm run test --watch passes --watch to npm, not your test runner. You need npm run test -- --watch so the flag reaches the underlying command.
  • Publishing a scoped package without access. Scoped packages default to private, so a plain npm publish can fail or publish privately. Add --access public the first time to release it openly.
  • Installing tools locally when you meant globally. Leaving off -g adds a command line tool to one project instead of your whole system, while overusing -g hides a real dependency from your package.json. Match the flag to whether the tool belongs to the project or the machine.

Frequently asked questions

What is the difference between npm install and npm ci?
npm install reads package.json, resolves versions within the allowed ranges, adds anything missing, and may update package-lock.json. npm ci ignores package.json ranges, deletes node_modules, and installs the exact versions pinned in package-lock.json, failing if the lockfile and package.json disagree. Use npm install while developing, and npm ci in continuous integration and other places where you want a fast, reproducible install.
What do the -D and -g flags mean when installing?
The -D flag (short for --save-dev) records the package under devDependencies, meaning it is only needed while building or testing, such as a bundler or a test runner, and is skipped in production installs. The -g flag installs the package globally instead of into the current project, so its command line tool becomes available system wide. Most project libraries need neither flag and land in plain dependencies.
What is npx and how is it different from npm?
npx runs a package binary rather than managing installs. If the package is already in your project it runs that copy; otherwise it downloads it temporarily, runs it, and does not add it to your dependencies. That makes npx handy for one-off tools or scaffolding commands like create-react-app without cluttering your global install. npm exec does the same thing with slightly different argument handling.
How do I pass arguments to an npm script?
Put a double dash after the script name and everything that follows is handed to the underlying command. For example npm run test -- --watch passes --watch to your test runner rather than to npm. Without the double dash, npm would try to interpret the flags itself. This lets you keep a short script in package.json and still tweak its behavior from the command line.
How do I fix npm audit warnings?
Run npm audit to see the vulnerable packages and their severity, then npm audit fix to upgrade the ones that have a compatible patch. Fixes that require a breaking major upgrade are not applied automatically; you can force them with npm audit fix --force, but test carefully afterward because it can break your build. Warnings buried deep in transitive dependencies sometimes need the offending package to publish a fix first.
Does this cheat sheet send my searches anywhere?
No. The entire command list is baked into the page and every filter and search runs in your browser with JavaScript, so nothing you type leaves your device. Open your browser DevTools and watch the Network tab while you search to confirm there are zero requests.

Embed this tool

Free for any use; attribution appreciated. Paste this on your site:

The embed runs the same tool that lives at this URL. No tracking; no ads inside the embed. Resize height as needed for your layout.

Cite this tool

For academic, journalistic, or technical references. Pick a format:

Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.

Embedded tool from glunty.com