I discovered several tips working with NPM on a daily basis. Here are the top ones.

TL;DR: save-exact, npm ci, npm audit fix, npx, updtr, NVM_SYMLINK_CURRENT

I presented those tips to my coworkers, the slides are available online.

Reproducible builds

Problem: your local install can/will differ from another coworkers, even on the CI server!

Cause: Version range are problematic: "rxjs": "^6.2.2"

Greenkeeper.io tells us that 15% of packages break the minor or patch updates:

Solution: Use --save-exact when installing a dependency

$ npm install --save-exact aDependency # Shorter: $ npm i -E aDependency

Better solution: Always exact, never use a range: npm config set save-exact true

$ npm config set save-exact true

Installing package

Problem: Using npm install will tries to resolves the dependency graph, possibly installing different versions (because of ranges declared in dependencies, not yours even if you used --save-exact ) and then updating the package-lock.json even if you did not want to.

Solution: Use npm ci which only read the package-lock.json

↗ Speed (on CI and locally)

➕ Avoid dirty-ing the package-lock.json

$ npm ci

Global package

Problem: Polluting the global node_modules with global packages: nest-cli, create-react-apps (= hundreds of packages)

Solution: npx runs a package without installing it (but first, tries to find it locally in node_modules )

# Example with params given to cleaver $ npx cleaver watch index.md

Security

Problem: Finding packages with security flaws

Solution: Use the builtin npm audit and npm audit fix

➕ Fails the build given integrated it in CI

Another solution is to use the builtin services of Github and Gitlab.

$ npm audit fix

Updating packages

Problem: Updating dependency and finding the one that breaks the code is tedious.

Solution 1 (best): updtr update one dependency, then run the tests, then repeat

$ npx updtr

Solution 2: npm-check show a pretty menu of all updates

$ npx npm-check -u

Problem: When configuring Node/Typescript, the node path is version-dependent

Solution: if you use NVM for managing installation of Node.js, NVM can automatically manage a symlink to the current version of node. NVM will link ~/.nvm/current to, for example, ~/.nvm/versions/node/v11.0.0 and recreate the link when changing of node version (automatically if you use NVM auto-use ZSH plugin).

# Put this in your .bashrc/.zshrc $ export NVM_SYMLINK_CURRENT = true

(Bonus) Follow Github Releases

Problem: Be notified of releases

Solution 1: (Updated: 2018.12.02) Github now support watching releases of a repository: Documentation.

Solution 2: Gitpunch.com seems to solve the problem. It can follow all your Github stars and specific projects.