NPM is the default package manager for Node.js and the largest software registry in the world. Every JavaScript developer uses it dozens of times per day, yet most developers only scratch the surface of what the CLI can do. The typical workflow — npm install, npm run dev, npm publish — covers maybe ten percent of the available surface. The remaining ninety percent hides powerful commands for auditing security, managing monorepo workspaces, cleaning caches, configuring registries, and streamlining CI pipelines.
Our free interactive NPM commands cheat sheet solves this by organizing sixty-five commands into nine real-world categories. Each command includes a concise explanation, copyable syntax examples, and visual tags for quick scanning. The Cargo Terminal aesthetic — deep industrial background, floating container particles, and category-colored border glows — makes the interface as memorable as the commands themselves. Everything is client-side. No data leaves your browser.
Why NPM Commands Deserve a Dedicated Cheat Sheet
NPM is not just an installer. It is a complete package lifecycle manager that touches dependency resolution, script orchestration, security auditing, version management, registry authentication, and workspace coordination. A developer who only knows npm install is like a pilot who only knows takeoff. The real value appears when things go wrong — a peer dependency conflict, a corrupted cache, a vulnerable transitive dependency, or a monorepo package that needs selective updates.
The NPM CLI has accumulated features over more than a decade. Some flags like --legacy-peer-deps were added to solve specific ecosystem problems. Others like npm ci exist solely for deterministic CI builds. Knowing which command to reach for, and which flags modify its behavior, separates fluent Node.js developers from beginners.
A well-organized cheat sheet provides two benefits. First, it reduces the cognitive load of memorizing flags and options. Second, it surfaces commands you might not know exist. Many developers have never run npm doctor or npm fund, even though both provide valuable information about their environment and community.
Install and Remove Commands
Dependency management is the core of NPM. Understanding the difference between npm install, npm ci, and npm update prevents the most common source of "works on my machine" bugs.
Installing Dependencies
The npm install command reads your package.json and installs every dependency into node_modules. It also updates package-lock.json to reflect the resolved tree. This is the command you run during daily development.
npm install
npm iWhen you pass a package name, NPM fetches it from the registry and adds it to dependencies in package.json. You can install a specific version using the @ syntax.
npm install lodash
npm install react@18.2.0Development dependencies — build tools, test runners, type definitions — belong in devDependencies. Use the --save-dev flag (or -D) to place them there. This distinction matters for production deployments, where npm install --production skips devDependencies entirely.
npm install vitest --save-dev
npm install vitest -DGlobal installations place packages in a system-wide directory, making their CLI binaries available everywhere. This is useful for tools you use across projects, such as TypeScript or the Angular CLI.
npm install typescript --global
npm install typescript -gThe --save-exact flag (or -E) pins the installed version exactly, removing the default caret (^) prefix. This prevents accidental upgrades when another developer runs npm install later.
npm install react --save-exact
npm install react -EHandling Peer Dependency Conflicts
Modern NPM enforces peer dependency constraints strictly. If two packages request incompatible versions of the same peer, installation fails. The --legacy-peer-deps flag tells NPM to ignore these conflicts, restoring the behavior from NPM 6. Use this sparingly — it exists as an escape hatch, not a permanent solution.
npm install --legacy-peer-depsClean Install with npm ci
The npm ci command is designed for automated environments. It deletes node_modules, installs exact versions from package-lock.json, and never modifies the lock file. This guarantees that every build uses identical dependencies. Use it in CI pipelines and production deploys. Never use it during active development, because it is slower and will erase any local symlinks created by npm link.
npm ciRemoving Packages
The npm uninstall command removes a package from node_modules and from package.json. It accepts the same aliases as install — remove, rm, and un all work.
npm uninstall lodash
npm rm lodash
npm remove lodashPruning Extraneous Dependencies
Over time, node_modules accumulates packages that are no longer listed in package.json. The npm prune command removes these orphans. Add --production to also strip devDependencies, which is useful before creating a minimal Docker image.
npm prune
npm prune --productionScripts and Execution
NPM scripts are the universal task runner in the JavaScript ecosystem. They are defined in package.json under the scripts field and executed with npm run. Because every Node.js project uses them, understanding their nuances is essential.
Running Scripts
The npm run command executes a named script. Common examples include build, test, and dev. Script names are arbitrary strings — the convention is what matters.
npm run build
npm run test
npm run devNPM provides four lifecycle shortcuts that do not require the run keyword: start, test, stop, and restart. The restart script runs stop followed by start automatically.
npm start
npm test
npm stop
npm restartExecuting Packages with npx
The npx command downloads and executes a package without installing it globally. It is the safest way to run one-off CLI tools, scaffolding generators, or specific versions of a package. If the package is not found locally, npx downloads it temporarily, runs it, and cleans up afterward.
npx create-react-app my-app
npx viteYou can also specify an exact version. This is invaluable when testing compatibility or reproducing a bug in an older release.
npx create-react-app@5.0.0 my-appUnder the hood, modern NPM uses npm exec for this behavior. The syntax is identical in practice, but npm exec accepts additional flags for workspace and configuration control.
npm exec eslint -- .Publishing and Versioning
Publishing to the NPM registry is the final step in sharing your code with the world. The publish workflow involves versioning, tagging, and occasionally deprecating or unpublishing releases.
Publishing a Package
The npm publish command uploads your package to the registry. Before running it, ensure you are logged in (npm login), your package.json has a unique name, and the version has been incremented.
npm publishScoped packages — those prefixed with an organization name like @myorg/pkg — default to private. To publish them publicly, add the --access public flag.
npm publish --access publicVersioning with Semantic Releases
The npm version command increments the version in package.json according to semantic versioning rules, creates a Git commit, and tags it. You pass patch, minor, or major depending on the nature of your changes.
npm version patch # 1.0.0 -> 1.0.1
npm version minor # 1.0.0 -> 1.1.0
npm version major # 1.0.0 -> 2.0.0If you prefer to manage Git commits manually, use --no-git-tag-version. This bumps the version number without touching your repository.
npm version patch --no-git-tag-versionDistribution Tags
Tags let you publish multiple release lines for the same package. The default tag is latest, but many projects use beta, next, or canary for pre-releases. Users install a tagged release with npm install pkg@beta.
npm dist-tag add my-pkg@1.2.0 beta
npm dist-tag rm my-pkg betaDeprecating Releases
If a version contains a critical bug or security vulnerability, deprecating it warns users without breaking their builds. Installations still succeed, but a warning message appears in the terminal.
npm deprecate my-pkg@1.0.0 "Use 2.x instead. Critical bug in auth flow."Information and Search Commands
Before adding a dependency, you should inspect its metadata, check for outdated versions, and understand its dependency tree. NPM provides several commands for this reconnaissance.
Listing Installed Packages
The npm list command prints the dependency tree. Without arguments, it shows every package in your project. Use --global and --depth=0 to see only top-level globally installed packages.
npm list
npm list --global --depth=0Inspecting Registry Metadata
The npm view command fetches metadata for a package from the registry. You can inspect the latest version, available versions, dependencies, and even individual fields like dist.tarball.
npm view react
npm view react versions
npm view react dependenciesSearching the Registry
The npm search command queries the registry for packages matching a keyword or phrase. Results include name, description, author, and date.
npm search "form validation"Opening External Links
Three convenience commands open a package's external pages in your default browser: repo for the source repository, docs for documentation, and bugs for the issue tracker.
npm repo lodash
npm docs express
npm bugs reactChecking for Updates
The npm outdated command compares installed versions against the latest available versions. It color-codes the results: red for major updates, yellow for minor/patch updates, and green for up-to-date packages.
npm outdatedUpdate and Security Audit
Keeping dependencies current is a security imperative. NPM provides built-in commands for updating packages and auditing the dependency tree for known vulnerabilities.
Updating Packages
The npm update command respects the version ranges in package.json. It will not jump major versions unless explicitly allowed. To update global packages, add the -g flag.
npm update
npm update -gAuditing for Vulnerabilities
The npm audit command scans your dependency tree against the GitHub Advisory Database. It reports severity levels and affected packages. The output includes a path from your direct dependency to the vulnerable transitive one.
npm auditWhen vulnerabilities can be fixed without breaking changes, npm audit fix automatically updates the affected packages. It modifies package.json and package-lock.json in place.
npm audit fixSome vulnerabilities require major version bumps that might break your application. The --force flag applies these aggressive fixes anyway. Use it only after reviewing the changelogs of affected packages.
npm audit fix --forceEnvironment Diagnostics
The npm doctor command runs a comprehensive diagnostic on your Node.js and NPM setup. It checks for valid Node and NPM binaries, writable paths, correct registry connectivity, and git availability. Run this when NPM behaves unexpectedly.
npm doctorConfiguration and Authentication
NPM stores configuration in a cascading hierarchy: project-level .npmrc, user-level ~/.npmrc, and built-in defaults. The npm config commands let you inspect and modify these settings.
Reading and Writing Configuration
Use npm config list to see every active setting. Use get and set to manipulate individual keys. Common settings include registry, prefix, init-author-name, and save-exact.
npm config list
npm config get registry
npm config set registry https://registry.npmjs.orgInitializing a Project
The npm init command creates a package.json interactively. If you already know the values, use -y to accept defaults.
npm init
npm init -yRegistry Authentication
Before publishing, you must authenticate with the registry. npm login prompts for credentials and stores an auth token in ~/.npmrc. npm whoami confirms your current identity, and npm logout removes the token.
npm login
npm whoami
npm logoutCache and Cleanup
NPM caches downloaded packages to avoid redundant network requests. Over time, this cache can grow large or become corrupted. The cache commands help you manage it.
Verifying and Cleaning the Cache
The npm cache verify command checks the integrity of the cache directory, garbage-collects unreachable data, and repairs corruption. Run it periodically or when installs fail mysteriously.
npm cache verifyTo completely clear the cache, use npm cache clean --force. This removes every cached package, forcing fresh downloads on the next install.
npm cache clean --forceReducing Duplication
The npm dedupe command restructures node_modules to eliminate duplicate package installations. This reduces disk usage and can improve install times. Modern NPM runs deduplication automatically during install, but manual invocation is useful after switching branches or resolving conflicts.
npm dedupeWorkspace Commands
NPM workspaces enable monorepo development by allowing multiple packages to coexist in a single repository with a shared node_modules tree. Introduced in NPM 7, workspaces have become the standard for JavaScript monorepos that do not need the full complexity of Nx or Turborepo.
Running Commands Across Workspaces
The --workspaces flag runs a command in every workspace package. For example, building all packages in parallel:
npm run build --workspacesTo target a specific workspace, use the --workspace flag (or -w) followed by the workspace name or path.
npm run test --workspace=pkg-a
npm install lodash --workspace=pkg-bPublishing Workspaces
You can publish every workspace package in one command. NPM respects the dependency graph, publishing base packages before those that depend on them.
npm publish --workspacesLifecycle and Utility Commands
Beyond the core workflows, NPM provides several utility commands for local development, debugging, and shell integration.
Local Package Linking
The npm link command creates a symbolic link between a local package and your current project. This is indispensable when developing a library and its consumer simultaneously. In the library directory, run npm link to register it globally. In the consumer directory, run npm link my-lib to create the symlink.
cd my-lib && npm link
cd my-app && npm link my-libWhen you are finished, npm unlink removes the symlink.
npm unlink my-libPackaging and Inspection
The npm pack command creates a tarball from your package, exactly as it would appear when published. This is useful for inspecting the final bundle size and contents before a release.
npm packThe npm prefix, npm root, and npm bin commands display important paths in your project. prefix shows the project root, root shows node_modules, and bin shows the executables directory.
npm prefix
npm root
npm binShell Completion
The npm completion command outputs a shell script that enables tab completion for NPM commands. Redirect it to your shell configuration file to activate it.
npm completion >> ~/.bashrcUsing the Interactive NPM Commands Cheat Sheet
Our free interactive NPM commands cheat sheet takes all sixty-five commands and presents them in a searchable, filterable grid. The interface is designed for speed: type a keyword to search across command names, descriptions, and tags; click a category tab to narrow the scope; hover over any code block to reveal a copy button. Destructive commands like npm uninstall and npm cache clean are marked with red warning badges so you never run them by accident.
The Cargo Terminal aesthetic draws from logistics and dispatch operations — deep industrial background tones, floating container particles, and category-colored strip lights that evoke a warehouse control room. Each card feels like a shipping manifest: clear, scannable, and precise. The typography pairs Teko display headings for an industrial feel with Sora body text and JetBrains Mono for code.
Because the entire tool runs in your browser, there is no server, no database, and no tracking. You can use it offline after the first load, and your clipboard never leaves your machine.
Related Developer Tools
If you work with Node.js and NPM, these related tools will streamline your workflow:
- Terminal Commands Cheat Sheet — 80+ Bash, Linux, and macOS commands for file operations, process management, and networking.
- Git Commands Cheat Sheet — 100+ Git commands covering branching, merging, rebasing, and remote operations.
- Docker Commands Cheat Sheet — 90+ Docker commands for containers, images, volumes, and Compose.
- JavaScript Array Methods Cheat Sheet — 40+ array methods with mutating vs non-mutating badges and ES version tags.
- CSS Selectors Cheat Sheet — 70+ selectors with specificity scores and browser support notes.
- Python Built-in Functions Cheat Sheet — 70+ Python built-ins organized by category with syntax highlighting.
- React Hooks Cheat Sheet — 20+ built-in hooks and 10 custom patterns with React 19 coverage.
- JSON Formatter & Validator — Format, validate, and minify JSON with a cartographer-themed interface.
- Regex Tester — Test regular expressions with real-time match highlighting and explanation.
- HTTP Status Code Lookup — Quick reference for every HTTP status code with meaning and usage.
- SQL Formatter & Beautifier — Format SQL queries with syntax highlighting and error detection.
Conclusion
NPM is far more than npm install. It is a complete toolchain for dependency management, script execution, security auditing, version publishing, and monorepo coordination. The commands covered in this guide — install, remove, run, exec, publish, audit, config, cache, workspace, and utility operations — represent the full surface area that a professional Node.js developer uses in daily practice.
Bookmark our interactive NPM commands cheat sheet and reach for it whenever you need a quick reminder. It is free, requires no signup, and works entirely in your browser. Whether you are scaffolding a new project, debugging a peer dependency conflict, or publishing your first package to the registry, the right command is always a search away.