Description
Ashley Williams works for npm, is on the board of directors at the Node.js Foundation and is also the founder of Node Together, an initiative to improve the diversity of the Node community by bringing people of underrepresented groups together to learn Node.js.
Ashley describes how to best use npm and what you might not know about this package manager.
You can follow Ashley on Twitter @ag_dubs.
Thank you to Opbeat for sponsoring the videos for Node.js Live Paris, and IBM for sponsoring the Node.js Live Paris event.
A
Alright, so I'm here to talk to you about npm. How many people in the audience use npm? How many people love npm? I saw some hands. That's okay. Hopefully, by the end, you will. So, something I care about. Again, I said, these slides are both open source and available here; I've also tweeted it out, if you follow me on Twitter. And something I like to do is, if you see an error, you have a suggestion or a typo.
A
A
This really lovely group of human beings got together at the Museum of Sciences and Industry to learn Node and npm for the very first time, and this was through a program that I started, I guess in January, called Node Together. And so Node Together is an educational initiative to try and get more people from underrepresented groups into Node. I was at the Node Interactive conference last winter and I was really disappointed about how homogenous the population was. Everybody was kind of like a 30-year-old white dude and I was like, yeah.
A
That's not really my thing. I don't, I don't really think that that's okay, and I know that one of the best ways to get more people into it is to teach them, and so we are going to be traveling all over the world this year. We started in LA. I was in India last month. Here we are in Paris now, and then we'll be going to China next month, and so I'm extremely excited about this, because we've been really getting great, great students with extremely diverse backgrounds.
A
So one of the things that I want to encourage people to do is to get involved and also become a mentor at these events. So if you're interested in this program, you can check out that website here, and we're also on Twitter at @node_together. So that's a pretty cool thing, and we were traveling around with Node Live. So let's get into npm, alright.
A
So every day 1,800,000 install events occur, and for each one of those it installs around 70 packages, that's on average, and so when you stick that together, you have a hundred and twenty-six million packages getting downloaded every day. That's a lot of packages. So my name is ag_dubs on Twitter. I don't necessarily recommend that you follow me, but you can, at your own peril. I am the developer community and content manager at npm. We all know what that means, right? That means that, now, I've no idea what that means, all right.
A
It's a really long title and it's tricky. So what I like to say is that if you don't understand how npm works, that's my problem, and it turns out a lot of people don't understand how npm works. My job is to make sense, and this is actually a very difficult job, because we've got some big numbers. These are the rolling weekly downloads of npm packages, taken as of two days ago.
A
I don't know if you note that number up there, but two days ago was our biggest single day ever, all right: 188 billion downloads, or more than 2,100 downloads per second, every second for the whole day. So take a moment and think about our ops team. That is a lot, a lot of traffic, all right, and so we've got lots and lots of big numbers at npm. Again, the total packages now are at 268,000, all right. In the last day, all right, I took these numbers today, 182 million.
A
These are big, big numbers, all right, and if you look at Module Counts, this is a website that you can go to, modulecounts.com, and what this does is it tracks the number of packages in almost all of the package managers for every single different language, and I just want you to note that green line in business in America.
A
We have all of these packages because we have a really vibrant community, and npm install is the stuff that everybody knows, but it turns out that npm is a lot more than npm install, and there's a bunch of stuff that not everybody knows, and so we're going to go through that a little bit today. Now, certainly there's going to be some things that you already know, but hopefully there's one or two little tricks in here that are going to make your workflow just a little bit better.
A
So let's go. So a lot of people know that to create a package.json, you can type npm init, but what they don't know is that npm init is actually extremely smart. It's an extremely smart command. It's able to know all of your dependencies from your node_modules folder, it'll know your repository from your git repo, and it will always add keys and never delete them. So say you forgot to do a git init and you did npm init first.
A
You could always just git init and then npm init again, and it will just pick up that stuff that it already knows. Now, lots of people know this, but not everybody knows that you can just immediately get those defaults by doing --yes, so you don't have to go through the whole CLI-like interface. You can just do --yes, and it immediately generates one with all of those defaults.
A
Now, especially if you were at Node Together yesterday, you know about this, but what you might not know is you can actually customize the questions that init will ask you using a dot file called npm-init.js. So in your company, if you are using npm packages, you're able to take the questions that are asked to create that package.json and you can make them fit the standards you want to enforce at your company.
A
The thing that's working behind the scenes on this is a package called promzard. I don't know why it's called that. It's a super weird name, but again, this is pretty neat, all right. So to add dependencies to your package from the CLI, you can just type npm install --save and we'll automatically insert that package name into your package, and so a lot of people know this. But programmers are lazy, like, we don't like typing a lot, right.
A
So I type this out and you could just type that instead, and it's significantly shorter, which is pretty cool. So the capital letters do matter, just a note. Somebody had tweeted this the last time I gave this presentation and they didn't capitalize them. Those flags do totally different things, so be careful. So another thing that happened is npm 3 came out. It actually came out a really long time ago, but it didn't ship with Node until Node 5 came out, and so a lot of people just heard about npm 3.
A
But then we decided to create a more shallow tree, which means that sometimes your nested dependencies are up at the top level, and this moved a lot of people's cheese, which is, I mean, I guess American for just saying we kind of messed up your project sometimes, right. This really broke some things for people and that's definitely frustrating, but I think if you're able to check out exactly how it works, a lot of great things happened in npm 3. The shallow tree actually makes it much better for Windows users. How many people here use Windows?
A
It's going to say that you're using npm and Windows, you're running into max path issues, which is the fact that Windows actually doesn't let you go beyond a certain character length in your path, because, you know, computers, right, that's a good idea. So again, we did this primarily to support Windows users, and then, additionally, it also, like, it actually fixes a lot of race conditions that happen with native modules. There's a lot of great things in npm 3 and you should definitely check it out, but one of the things that people really got frustrated with is:
A
They can no longer look at their node_modules folder and immediately see the primary dependencies, because now it was mixed up. Some of them were primary, some of them were sub-dependencies, and so we have a command called npm ls that'll allow you to show your dependency tree, all right. So, even though it doesn't match exactly what your file directory structure looks like, you can show the dependency tree using npm ls, and if you just want your primary dependencies, you can use ls --depth=0.
A
So this is going to give you that exact information that you were looking for when you are looking at npm 2, just at your directory structure in node_modules, all right. So this is a big thing we get a lot. How many people have ever tried to npm install on an airplane? All right, I'm pretty sure I took down the Wi-Fi on this Delta flight I had to beta Bangalore. So a lot of people ask: is there a global cache? If I've already downloaded a module, do I have to?
A
Why am I doing it again? Shouldn't it just use the local one? And it turns out there is an npm global cache. It's in a .npm directory that's usually under your user name, but it turns out that where this goes depends on how you install npm, and you'd be amazed how many people install npm and Node in different ways.
A
We really should probably just alias this, the npm install --offline, but we're not going to do that because there are situations where this doesn't work. So that bottom thing, which is what we all really want, right, we just can't have it quite yet. But there's a couple of different things that you can do if you want to be using a dependency that you're not going to sleaze the cache, but that we give you tools to do so.
A
One of the tools we have is npm pack, and what npm pack allows you to do is to create a tarball out of any of your packages, and then it turns out that you can type npm install and you can immediately install from that tarball that you made. So a lot of people don't know that you don't just have to write the name. You can actually point it to a package that you have packed locally. Now, there's a little trick with npm pack, because unfortunately, npm pack doesn't add your package's dependencies.
A
However, if you save those dependencies not just as plain dependencies but as bundled dependencies, those bundled dependencies are going to be added to the tarball you make with npm pack. So when you put npm pack and bundled dependencies together, you can have tarballs of your packages that you can simply npm install wherever you want, offline, all right. So speaking of dependencies and wrangling them, how many people here have used npm shrinkwrap? How many people felt like this when they used it? All right.
A
This is that it doesn't just lock down every version of your primary dependencies, but it locks down every version of every dependency that you have all the way down the tree, and that's important to know, because it can be a little frustrating. Updating your shrinkwrap can be a little tricky, but luckily, new with npm 3, when you use --save and --save-dev to install packages, if you've already had a shrinkwrap, it will update your shrinkwrap now, which is a big deal for anyone who used to run grab.
A
This was extremely frustrating, and now we fixed this in npm 3, all right. So a lot of people are like, well, if it's such a good idea to have exactly what you have locally also in production, why is shrinkwrap not a default feature? And it's a good question, and a lot of people get it, especially people who are coming from something like Ruby, where they're used to, like, a Gemfile.lock. They're like, why?
A
Why don't you have this? And it's because of a very specific product decision that npm made, which is that we believe in semantic versioning. How many people here love semantic versioning? Yeah? How many people have been burned really bad by semantic versioning? Yes, it happens. I definitely have been in some tricky situations in that, but we have definitely, at npm, have decided that we believe that semver should be, like, a primary, like, product feature, and because we have done that, we've, we tried to make it very easy.
A
So there is a command called npm version where you can pass major, minor or patch, and what it will do is it will automatically bump that version in your package, and it will create a dist-tag and also create a commit, and this is really, really useful. I use this all the time because I don't ever want to go back in and check my version number.
A
I just want to know whether I'm bumping it major, minor or patch, and so I always take this moment to reiterate at least a little bit what the ideology is behind semver's major, minor and patch. So major is for breaking changes. If you bump your thing a major version, you're telling your users that your stuff is going to break. Minor means I've given you something new, but I don't think it'll break everything else. And patch is:
A
We broke something already and now we're trying to fix it, which can be tricky because it turns out that a lot of people think that some bugs are actually features and rely on them, but you could also use them for docs. Semver is a very subjective thing, and this is tricky as something that we're trying to depend on. But npm has this ideology that we really believe in people and communication, and this is one of those beliefs.
A
So another amazing feature of npm that I see so few people using is npm scripts. So how many people here use Grunt, Gulp or Broccoli? How many people think I just said some random words right there? Both are true, but those are all automation and build tools, and it turns out that when you have npm, you have a lot of that already there. So what you can do is you can type npm run and you can literally write any word that you want, and you're able to customize
A
Basically, shell scripts, and you can write these in your package.json, and what's amazing about this is that these packages get a lot of stuff, all right. So the first thing is that this package, the scripts that you have in your package.json, are aware of the lifecycle events of your package, so they're context-aware, so you're able to do things.
A
You know, if it's been after, like, after npm install, before npm install, before, like, run my tests before I publish. There's a lot of great things here that can help you build a workflow that will automatically be checking things. You don't want to be publishing your package but have your tests fail, and this is something that you can script away with npm scripts. Now, additionally, run scripts are composable. Everyone's composition over inheritance, right? Maybe. I'm into that.
A
So another thing you can do is you can define npm scripts in your package and then you're able to put them together. You're able to talk about those npm scripts within npm scripts and use them and combine them, which can be very, very useful and powerful. But mostly the thing that I think is most powerful is you get a bunch of stuff for free. So all of your dev dependencies that you've installed are in PATH in your npm scripts.
A
How many people have had to write a README where they're like, please install Grunt globally to, like, run the tasks, or have you ever had to install, like, Grunt globally? Anyone? All right, some people, right. All right, that can be a pain, and sometimes you can't install things globally depending on the permissions you have on the machine. Here, that's not a problem.
A
Alright, so moving on. This is something that a lot of people on the internet recently didn't think npm offered, and the idea is that we have something called scoped packages, which means that you can claim a namespace on npm and you're basically able to namespace all of your packages after this. So potentially you might want to, you know, create a package called kik.
A
You could scope that inside your name and not have a trademark problem. So the way that you can do this is, you simply say npm i, and then you put the scope with an at sign, slash, the name of the package. Now, by default scoped packages are private, but there's absolutely no reason you can't use scoped packages publicly. When you publish, you simply would pass --access=public, and you can have a lot of scoped packages.
A
The Polymer project recently published almost all of their components as scoped packages under the Polymer name, and that was super cool. Another great thing about scoped packages is that finding packages on npm is pretty difficult. When you've got, like, almost 300,000 packages, finding them is hard. A namespace is a way to kind of collect those packages and be able to point someone to them as almost like an ecosystem. So scoped packages are super neat. Now,
A
Additionally, as you might have just heard, we also offer private modules. So there's oftentimes when you want to be using the open source workflow that you have, and you're doing it publicly and that's great, but some packages you just simply can't make public. You need to be using them proprietary inside your company, and for that we offer npm private modules. Now, for the savvy ones out there, you might notice that I said private modules and not private packages. Like, why are we playing games with modules versus packages?
A
It's because we thought we were really clever, so it's like npm private modules, and PM, and npm, and it's a really bad damn, and we're going to change it. So if you hear private packages, it's the same as the private modules. And so the way you would write this is you just do an npm init and you're able to just pass it a scope, and then you can use those private modules side by side with modules from the public registry, so it's very much like having private and public repos on GitHub.
A
Now, what we discovered was that managing access is hard, much like pouring milk and cereal, and so we also have something called npm organizations. So if you've ever struggled to kind of, like, deal with, like, who has access to publish my package, we now have a command called npm team, and you're able to create teams and add members, and then you're able to grant and revoke access to packages using scopes, and this has been very powerful for people trying to work together on packages. And now, last but not least, there's npm On-Site.
A
If you didn't know, npm is a company and we need to make money, because the registry is extremely expensive to run, and so, with this you're able to run your own on-premises npm registry. And again, what I like to do, though, I'm not trying to sell you this, but what I do want to point out with this is, know that the npm CLI client can be pointed at a number of registries, not just the npm registry. In fact, part of the reason developing the CLI client is so difficult and has to proceed.
A
A
So I want to conclude with this idea that it's very clear that the community wants so much more from npm. I think we have around 2000 issues on our issue tracker. People are reaching out daily, and so we know very deeply that the npm CLI and the registry are really for and by the community. They are part of, like, how the Node ecosystem works and, as we saw, if something goes wrong with npm or the registries.
A
A
It was a very frustrating situation for everyone, but what I'd rather say is npm is an open source project and you can get involved, not as a lawyer on Reddit, but in a much more constructive way, and so there's several ways that you might not know about that we've been trying to reach out to the community. First off, we've been doing weekly product calls on Tuesdays. Time
A
zones are a little tricky, but the more people we have from different time zones that reach out and show interest in participating, the more we're going to be able to shift that time around. So please reach out if you want to be on that call. We actively solicit community input there, and you can always follow it on the hashtag npmweekly.
A
What about 10? What about five? There are three people who work on the npm CLI. Three. And you already saw those really big numbers. Whoa, my computer fell asleep, go computer! Oh, there we go. Those three people work really hard and we support tons and tons of users, and that's actually just two engineers and their manager, and also I'd like to point out those two engineers are women, which is super cool.
A
So again, we want your help and we want the community to get way more involved, so again, check out all of these things and feel free to ping me whenever, if you wanted to have more ideas on how to get involved. So I hope you learned something new here, hopefully even just one thing, and please remember: npm is not an evil cabal, and npm loves you. Thanks very much.