I discovered several tips working with NPM on a daily basis. Here are the top ones.
TL;DR: save-exact, npm ci, npm audit fix, npx, updtr,
I presented those tips to my coworkers, the slides are available online.
Problem: your local install can/will differ from another coworkers, even on the CI server!
Cause: Version range are problematic:
Greenkeeper.io tells us that 15% of packages break the minor or patch updates:
--save-exact when installing a dependency
$ npm install --save-exact aDependency # Shorter: $ npm i -E aDependency
Better solution: Always exact, never use a range:
npm config set save-exact true
$ npm config set save-exact true
npm install will tries to resolves the dependency graph, possibly installing different versions (because of ranges declared in dependencies, not yours even if you used
--save-exact) and then updating the
package-lock.json even if you did not want to.
npm ci which only read the
↗ Speed (on CI and locally)
➕ Avoid dirty-ing the
$ npm ci
Problem: Polluting the global
node_modules with global packages: nest-cli, create-react-apps (= hundreds of packages)
npx runs a package without installing it (but first, tries to find it locally in
# Example with params given to cleaver $ npx cleaver watch index.md
Problem: Finding packages with security flaws
Solution: Use the builtin
npm audit and
npm audit fix
➕ Fails the build given integrated it in CI
Another solution is to use the builtin services of Github and Gitlab.
$ npm audit fix
Problem: Updating dependency and finding the one that breaks the code is tedious.
Solution 1 (best): updtr update one dependency, then run the tests, then repeat
$ npx updtr
Solution 2: npm-check show a pretty menu of all updates
$ npx npm-check -u
Current Node version in Tools
Problem: When configuring Node/Typescript, the node path is version-dependent
Solution: if you use NVM for managing installation of Node.js, NVM can automatically manage a symlink to the current version of node. NVM will link
~/.nvm/current to, for example,
~/.nvm/versions/node/v11.0.0 and recreate the link when changing of node version (automatically if you use NVM auto-use ZSH plugin).
# Put this in your .bashrc/.zshrc $ export NVM_SYMLINK_CURRENT=true
(Bonus) Follow Github Releases
Problem: Be notified of releases
Solution 1: (Updated: 2018.12.02) Github now support watching releases of a repository: Documentation.
Solution 2: Gitpunch.com seems to solve the problem. It can follow all your Github stars and specific projects.