Every JS project starts with these files. Understanding them turns npm from ritual into tool.
The anatomy
```jsonc
{
  "name": "my-app",
  "scripts": {
    "dev": "vite",            // npm run dev
    "build": "vite build"
  },
  "dependencies": {           // shipped to production
    "express": "^4.19.0"
  },
  "devDependencies": {        // build-time only
    "vite": "^5.0.0"
  }
}
```
The semver symbols (interview trivia)
- ^4.19.0 → any 4.x.x at or above 4.19.0 (minor + patch updates ok); the default
- ~4.19.0 → only 4.19.x (patch only)
- 4.19.0 → exactly this, nothing else
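To make the three range forms concrete, here is a small matcher (an added example, not code from the original post) that reports which published versions a given spec would let `npm install` pull in. It goes slightly beyond the post by applying npm's caret rule for 0.x versions (^0.2.3 means >=0.2.3 <0.3.0); the version list it checks against is constructed for illustration, and it handles full x.y.z triples only (no prerelease tags, no `>=` or `||` syntax).

```javascript
// Added example: matcher for the ^x.y.z, ~x.y.z and exact x.y.z forms.
// Full x.y.z triples only; no prerelease tags, no ">=" / "||" ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a full x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a range spec.
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const [x, y, z] = parseVersion(spec.slice(op.length));
  if (op === '^') {
    // Caret: the left-most non-zero component stays fixed (npm's 0.x rule).
    if (x > 0) return [[x, y, z], [x + 1, 0, 0]];
    if (y > 0) return [[x, y, z], [0, y + 1, 0]];
    return [[x, y, z], [0, 0, z + 1]];
  }
  if (op === '~') return [[x, y, z], [x, y + 1, 0]]; // patch updates only
  return [[x, y, z], [x, y, z + 1]];                 // exact pin
}

function satisfies(version, spec) {
  const [lo, hi] = rangeBounds(spec);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Which of a registry's published versions would a fresh `npm install` accept?
function allowedVersions(spec, published) {
  return published.filter((v) => satisfies(v, spec));
}

// Constructed sample of "published" versions, not real registry data.
const PUBLISHED = ['4.18.2', '4.19.0', '4.19.2', '4.20.1', '5.0.0'];

for (const spec of ['^4.19.0', '~4.19.0', '4.19.0']) {
  console.log(spec, '->', allowedVersions(spec, PUBLISHED).join(', '));
}
```

Note that `npm ci` ignores these ranges entirely and installs exactly what package-lock.json records; only `npm install` re-resolves them.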
The files and what to commit
- package.json: your declared intent. Commit
- package-lock.json: the exact resolved tree. COMMIT (teammates get identical installs)
- node_modules/: the downloads. NEVER commit; .gitignore line one
Commands that matter
```bash
npm install             # everything from package.json
npm ci                  # exact lockfile install; use in CI/CD
npm install -D vite     # add as devDependency
npx create-vite my-app  # run a package WITHOUT installing globally
npm outdated            # what needs updating
npm audit               # known vulnerabilities
```
Deleting node_modules and running npm install again is the JS world's turn-it-off-and-on; it works disturbingly often.