.-.-.-.-.-

developers.7000064400000020543151701453040007010 0ustar00.TH "DEVELOPERS" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBdevelopers\fR - Developer Guide
.SS "Description"
.P
So, you've decided to use npm to develop (and maybe publish/deploy) your project.
.P
Fantastic!
.P
There are a few things that you need to do above the simple steps that your users will do to install your program.
.SS "About These Documents"
.P
These are man pages. If you install npm, you should be able to then do \fBman npm-thing\fR to get the documentation on a particular topic, or \fBnpm help thing\fR to see the same information.
.SS "What is a Package"
.P
A package is:
.RS 0
.IP \(bu 4
a) a folder containing a program described by a package.json file
.IP \(bu 4
b) a gzipped tarball containing (a)
.IP \(bu 4
c) a url that resolves to (b)
.IP \(bu 4
d) a \fB<name>@<version>\fR that is published on the registry with (c)
.IP \(bu 4
e) a \fB<name>@<tag>\fR that points to (d)
.IP \(bu 4
f) a \fB<name>\fR that has a "latest" tag satisfying (e)
.IP \(bu 4
g) a \fBgit\fR url that, when cloned, results in (a).
.RE 0

.P
Even if you never publish your package, you can still get a lot of benefits of using npm if you just want to write a node program (a), and perhaps if you also want to be able to easily install it elsewhere after packing it up into a tarball (b).
.P
Git urls can be of the form:
.P
.RS 2
.nf
git://github.com/user/project.git#commit-ish
git+ssh://user@hostname:project.git#commit-ish
git+http://user@hostname/project/blah.git#commit-ish
git+https://user@hostname/project/blah.git#commit-ish
.fi
.RE
.P
The \fBcommit-ish\fR can be any tag, sha, or branch which can be supplied as an argument to \fBgit checkout\fR. The default is whatever the repository uses as its default branch.
.SS "The package.json File"
.P
You need to have a \fBpackage.json\fR file in the root of your project to do much of anything with npm. That is basically the whole interface.
.P
See \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json\(ra\fR for details about what goes in that file. At the very least, you need:
.RS 0
.IP \(bu 4
name: This should be a string that identifies your project. Please do not use the name to specify that it runs on node, or is in JavaScript. You can use the "engines" field to explicitly state the versions of node (or whatever else) that your program requires, and it's pretty well assumed that it's JavaScript.
.P
It does not necessarily need to match your github repository name.
.P
So, \fBnode-foo\fR and \fBbar-js\fR are bad names. \fBfoo\fR or \fBbar\fR are better.
.IP \(bu 4
version: A semver-compatible version.
.IP \(bu 4
engines: Specify the versions of node (or whatever else) that your program runs on. The node API changes a lot, and there may be bugs or new functionality that you depend on. Be explicit.
.IP \(bu 4
author: Take some credit.
.IP \(bu 4
scripts: If you have a special compilation or installation script, then you should put it in the \fBscripts\fR object. You should definitely have at least a basic smoke-test command as the "scripts.test" field. See npm help scripts.
.IP \(bu 4
main: If you have a single module that serves as the entry point to your program (like what the "foo" package gives you at require("foo")), then you need to specify that in the "main" field.
.IP \(bu 4
directories: This is an object mapping names to folders. The best ones to include are "lib" and "doc", but if you use "man" to specify a folder full of man pages, they'll get installed just like these ones.
.RE 0

.P
You can use \fBnpm init\fR in the root of your package in order to get you started with a pretty basic package.json file. See npm help init for more info.
.SS "Keeping files \fIout\fR of your Package"
.P
Use a \fB.npmignore\fR file to keep stuff out of your package. If there's no \fB.npmignore\fR file, but there \fIis\fR a \fB.gitignore\fR file, then npm will ignore the stuff matched by the \fB.gitignore\fR file. If you \fIwant\fR to include something that is excluded by your \fB.gitignore\fR file, you can create an empty \fB.npmignore\fR file to override it. Like \fBgit\fR, \fBnpm\fR looks for \fB.npmignore\fR and \fB.gitignore\fR files in all subdirectories of your package, not only the root directory.
.P
\fB.npmignore\fR files follow the \fBsame pattern rules\fR \fI\(lahttps://git-scm.com/book/en/v2/Git-Basics-Recording-Changes-to-the-Repository#_ignoring\(ra\fR as \fB.gitignore\fR files:
.RS 0
.IP \(bu 4
Blank lines or lines starting with \fB#\fR are ignored.
.IP \(bu 4
Standard glob patterns work.
.IP \(bu 4
You can end patterns with a forward slash \fB/\fR to specify a directory.
.IP \(bu 4
You can negate a pattern by starting it with an exclamation point \fB!\fR.
.RE 0

.P
By default, the following paths and files are ignored, so there's no need to add them to \fB.npmignore\fR explicitly:
.RS 0
.IP \(bu 4
\fB.*.swp\fR
.IP \(bu 4
\fB._*\fR
.IP \(bu 4
\fB.DS_Store\fR
.IP \(bu 4
\fB.git\fR
.IP \(bu 4
\fB.gitignore\fR
.IP \(bu 4
\fB.hg\fR
.IP \(bu 4
\fB.npmignore\fR
.IP \(bu 4
\fB.npmrc\fR
.IP \(bu 4
\fB.lock-wscript\fR
.IP \(bu 4
\fB.svn\fR
.IP \(bu 4
\fB.wafpickle-*\fR
.IP \(bu 4
\fBconfig.gypi\fR
.IP \(bu 4
\fBCVS\fR
.IP \(bu 4
\fBnpm-debug.log\fR
.RE 0

.P
Additionally, everything in \fBnode_modules\fR is ignored, except for bundled dependencies. npm automatically handles this for you, so don't bother adding \fBnode_modules\fR to \fB.npmignore\fR.
.P
The following paths and files are never ignored, so adding them to \fB.npmignore\fR is pointless:
.RS 0
.IP \(bu 4
\fBpackage.json\fR
.IP \(bu 4
\fBREADME\fR (and its variants)
.IP \(bu 4
\fBCHANGELOG\fR (and its variants)
.IP \(bu 4
\fBLICENSE\fR / \fBLICENCE\fR
.RE 0

.P
If, given the structure of your project, you find \fB.npmignore\fR to be a maintenance headache, you might instead try populating the \fBfiles\fR property of \fBpackage.json\fR, which is an array of file or directory names that should be included in your package. Sometimes manually picking which items to allow is easier to manage than building a block list.
.SS "Testing whether your \fB.npmignore\fR or \fBfiles\fR config works"
.P
If you want to double check that your package will include only the files you intend it to when published, you can run the \fBnpm pack\fR command locally which will generate a tarball in the working directory, the same way it does for publishing.
.SS "Link Packages"
.P
\fBnpm link\fR is designed to install a development package and see the changes in real time without having to keep re-installing it. (You do need to either re-link or \fBnpm rebuild -g\fR to update compiled packages, of course.)
.P
More info at npm help link.
.SS "Before Publishing: Make Sure Your Package Installs and Works"
.P
\fBThis is important.\fR
.P
If you can not install it locally, you'll have problems trying to publish it. Or, worse yet, you'll be able to publish it, but you'll be publishing a broken or pointless package. So don't do that.
.P
In the root of your package, do this:
.P
.RS 2
.nf
npm install . -g
.fi
.RE
.P
That'll show you that it's working. If you'd rather just create a symlink package that points to your working directory, then do this:
.P
.RS 2
.nf
npm link
.fi
.RE
.P
Use \fBnpm ls -g\fR to see if it's there.
.P
To test a local install, go into some other folder, and then do:
.P
.RS 2
.nf
cd ../some-other-folder
npm install ../my-package
.fi
.RE
.P
to install it locally into the node_modules folder in that other place.
.P
Then go into the node-repl, and try using require("my-thing") to bring in your module's main module.
.SS "Create a User Account"
.P
Create a user with the adduser command. It works like this:
.P
.RS 2
.nf
npm adduser
.fi
.RE
.P
and then follow the prompts.
.P
This is documented better in npm help adduser.
.SS "Publish your Package"
.P
This part's easy. In the root of your folder, do this:
.P
.RS 2
.nf
npm publish
.fi
.RE
.P
You can give publish a url to a tarball, or a filename of a tarball, or a path to a folder.
.P
Note that pretty much \fBeverything in that folder will be exposed\fR by default. So, if you have secret stuff in there, use a \fB.npmignore\fR file to list out the globs to ignore, or publish from a fresh checkout.
.SS "Brag about it"
.P
Send emails, write blogs, blab in IRC.
.P
Tell the world how easy it is to install your program!
.SS "See also"
.RS 0
.IP \(bu 4
npm help npm
.IP \(bu 4
npm help init
.IP \(bu 4
\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR
.IP \(bu 4
npm help scripts
.IP \(bu 4
npm help publish
.IP \(bu 4
npm help adduser
.IP \(bu 4
npm help registry
.RE 0
orgs.7000064400000005042151701453040005607 0ustar00.TH "ORGS" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBorgs\fR - Working with Teams & Orgs
.SS "Description"
.P
There are three levels of org users:
.RS 0
.IP 1. 4
Super admin, controls billing & adding people to the org.
.IP 2. 4
Team admin, manages team membership & package access.
.IP 3. 4
Developer, works on packages they are given access to.
.RE 0

.P
The super admin is the only person who can add users to the org because it impacts the monthly bill. The super admin will use the website to manage membership. Every org has a \fBdevelopers\fR team that all users are automatically added to.
.P
The team admin is the person who manages team creation, team membership, and package access for teams. The team admin grants package access to teams, not individuals.
.P
The developer will be able to access packages based on the teams they are on. Access is either read-write or read-only.
.P
There are two main commands:
.RS 0
.IP 1. 4
\fBnpm team\fR see npm help team for more details
.IP 2. 4
\fBnpm access\fR see npm help access for more details
.RE 0

.SS "Team Admins create teams"
.RS 0
.IP \(bu 4
Check who you\[cq]ve added to your org:
.RE 0

.P
.RS 2
.nf
npm team ls <org>:developers
.fi
.RE
.RS 0
.IP \(bu 4
Each org is automatically given a \fBdevelopers\fR team, so you can see the whole list of team members in your org. This team automatically gets read-write access to all packages, but you can change that with the \fBaccess\fR command.
.IP \(bu 4
Create a new team:
.RE 0

.P
.RS 2
.nf
npm team create <org:team>
.fi
.RE
.RS 0
.IP \(bu 4
Add members to that team:
.RE 0

.P
.RS 2
.nf
npm team add <org:team> <user>
.fi
.RE
.SS "Publish a package and adjust package access"
.RS 0
.IP \(bu 4
In package directory, run
.RE 0

.P
.RS 2
.nf
npm init --scope=<org>
.fi
.RE
.P
to scope it for your org & publish as usual
.RS 0
.IP \(bu 4
Grant access:
.RE 0

.P
.RS 2
.nf
npm access grant <read-only|read-write> <org:team> \[lB]<package>\[rB]
.fi
.RE
.RS 0
.IP \(bu 4
Revoke access:
.RE 0

.P
.RS 2
.nf
npm access revoke <org:team> \[lB]<package>\[rB]
.fi
.RE
.SS "Monitor your package access"
.RS 0
.IP \(bu 4
See what org packages a team member can access:
.RE 0

.P
.RS 2
.nf
npm access ls-packages <org> <user>
.fi
.RE
.RS 0
.IP \(bu 4
See packages available to a specific team:
.RE 0

.P
.RS 2
.nf
npm access ls-packages <org:team>
.fi
.RE
.RS 0
.IP \(bu 4
Check which teams are collaborating on a package:
.RE 0

.P
.RS 2
.nf
npm access ls-collaborators <pkg>
.fi
.RE
.SS "See also"
.RS 0
.IP \(bu 4
npm help team
.IP \(bu 4
npm help access
.IP \(bu 4
npm help scope
.RE 0
removal.7000064400000003314151701453040006302 0ustar00.TH "REMOVAL" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBremoval\fR - Cleaning the Slate
.SS "Synopsis"
.P
So sad to see you go.
.P
.RS 2
.nf
sudo npm uninstall npm -g
.fi
.RE
.P
Or, if that fails, please proceed to more severe uninstalling methods.
.SS "More Severe Uninstalling"
.P
Usually, the above instructions are sufficient. That will remove npm, but leave behind anything you've installed.
.P
If that doesn't work, or if you require more drastic measures, continue reading.
.P
Note that this is only necessary for globally-installed packages. Local installs are completely contained within a project's \fBnode_modules\fR folder. Delete that folder, and everything is gone unless a package's install script is particularly ill-behaved.
.P
This assumes that you installed node and npm in the default place. If you configured node with a different \fB--prefix\fR, or installed npm with a different prefix setting, then adjust the paths accordingly, replacing \fB/usr/local\fR with your install prefix.
.P
To remove everything npm-related manually:
.P
.RS 2
.nf
rm -rf /usr/local/{lib/node{,/.npm,_modules},bin,share/man}/npm*
.fi
.RE
.P
If you installed things \fIwith\fR npm, then your best bet is to uninstall them with npm first, and then install them again once you have a proper install. This can help find any symlinks that are lying around:
.P
.RS 2
.nf
ls -laF /usr/local/{lib/node{,/.npm},bin,share/man} | grep npm
.fi
.RE
.P
Prior to version 0.3, npm used shim files for executables and node modules. To track those down, you can do the following:
.P
.RS 2
.nf
find /usr/local/{lib/node,bin} -exec grep -l npm \[rs]{\[rs]} \[rs]; ;
.fi
.RE
.SS "See also"
.RS 0
.IP \(bu 4
npm help uninstall
.IP \(bu 4
npm help prune
.RE 0
config.7000064400000152517151701453040006114 0ustar00.TH "CONFIG" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBconfig\fR - More than you probably want to know about npm configuration
.SS "Description"
.P
This article details npm configuration in general. To learn about the \fBconfig\fR command, see npm help config.
.P
npm gets its configuration values from the following sources, sorted by priority:
.SS "Command Line Flags"
.P
Putting \fB--foo bar\fR on the command line sets the \fBfoo\fR configuration parameter to \fB"bar"\fR. A \fB--\fR argument tells the cli parser to stop reading flags. Using \fB--flag\fR without specifying any value will set the value to \fBtrue\fR.
.P
Example: \fB--flag1 --flag2\fR will set both configuration parameters to \fBtrue\fR, while \fB--flag1 --flag2 bar\fR will set \fBflag1\fR to \fBtrue\fR, and \fBflag2\fR to \fBbar\fR. Finally, \fB--flag1 --flag2 -- bar\fR will set both configuration parameters to \fBtrue\fR, and the \fBbar\fR is taken as a command argument.
.SS "Environment Variables"
.P
Any environment variables that start with \fBnpm_config_\fR will be interpreted as a configuration parameter. For example, putting \fBnpm_config_foo=bar\fR in your environment will set the \fBfoo\fR configuration parameter to \fBbar\fR. Any environment configurations that are not given a value will be given the value of \fBtrue\fR. Config values are case-insensitive, so \fBNPM_CONFIG_FOO=bar\fR will work the same. However, please note that inside npm help scripts npm will set its own environment variables and Node will prefer those lowercase versions over any uppercase ones that you might set. For details see \fBthis issue\fR \fI\(lahttps://github.com/npm/npm/issues/14528\(ra\fR.
.P
Notice that you need to use underscores instead of dashes, so \fB--allow-same-version\fR would become \fBnpm_config_allow_same_version=true\fR.
.SS "npmrc Files"
.P
The four relevant files are:
.RS 0
.IP \(bu 4
per-project configuration file (\fB/path/to/my/project/.npmrc\fR)
.IP \(bu 4
per-user configuration file (defaults to \fB$HOME/.npmrc\fR; configurable via CLI option \fB--userconfig\fR or environment variable \fB$NPM_CONFIG_USERCONFIG\fR)
.IP \(bu 4
global configuration file (defaults to \fB$PREFIX/etc/npmrc\fR; configurable via CLI option \fB--globalconfig\fR or environment variable \fB$NPM_CONFIG_GLOBALCONFIG\fR)
.IP \(bu 4
npm's built-in configuration file (\fB/path/to/npm/npmrc\fR)
.RE 0

.P
See npm help npmrc for more details.
.SS "Default Configs"
.P
Run \fBnpm config ls -l\fR to see a set of configuration parameters that are internal to npm, and are defaults if nothing else is specified.
.SS "Shorthands and Other CLI Niceties"
.P
The following shorthands are parsed on the command-line:
.RS 0
.IP \(bu 4
\fB-a\fR: \fB--all\fR
.IP \(bu 4
\fB--enjoy-by\fR: \fB--before\fR
.IP \(bu 4
\fB-c\fR: \fB--call\fR
.IP \(bu 4
\fB--desc\fR: \fB--description\fR
.IP \(bu 4
\fB-f\fR: \fB--force\fR
.IP \(bu 4
\fB-g\fR: \fB--global\fR
.IP \(bu 4
\fB--iwr\fR: \fB--include-workspace-root\fR
.IP \(bu 4
\fB-L\fR: \fB--location\fR
.IP \(bu 4
\fB-d\fR: \fB--loglevel info\fR
.IP \(bu 4
\fB-s\fR: \fB--loglevel silent\fR
.IP \(bu 4
\fB--silent\fR: \fB--loglevel silent\fR
.IP \(bu 4
\fB--ddd\fR: \fB--loglevel silly\fR
.IP \(bu 4
\fB--dd\fR: \fB--loglevel verbose\fR
.IP \(bu 4
\fB--verbose\fR: \fB--loglevel verbose\fR
.IP \(bu 4
\fB-q\fR: \fB--loglevel warn\fR
.IP \(bu 4
\fB--quiet\fR: \fB--loglevel warn\fR
.IP \(bu 4
\fB-l\fR: \fB--long\fR
.IP \(bu 4
\fB-m\fR: \fB--message\fR
.IP \(bu 4
\fB--local\fR: \fB--no-global\fR
.IP \(bu 4
\fB-n\fR: \fB--no-yes\fR
.IP \(bu 4
\fB--no\fR: \fB--no-yes\fR
.IP \(bu 4
\fB-p\fR: \fB--parseable\fR
.IP \(bu 4
\fB--porcelain\fR: \fB--parseable\fR
.IP \(bu 4
\fB-C\fR: \fB--prefix\fR
.IP \(bu 4
\fB--readonly\fR: \fB--read-only\fR
.IP \(bu 4
\fB--reg\fR: \fB--registry\fR
.IP \(bu 4
\fB-S\fR: \fB--save\fR
.IP \(bu 4
\fB-B\fR: \fB--save-bundle\fR
.IP \(bu 4
\fB-D\fR: \fB--save-dev\fR
.IP \(bu 4
\fB-E\fR: \fB--save-exact\fR
.IP \(bu 4
\fB-O\fR: \fB--save-optional\fR
.IP \(bu 4
\fB-P\fR: \fB--save-prod\fR
.IP \(bu 4
\fB-?\fR: \fB--usage\fR
.IP \(bu 4
\fB-h\fR: \fB--usage\fR
.IP \(bu 4
\fB-H\fR: \fB--usage\fR
.IP \(bu 4
\fB--help\fR: \fB--usage\fR
.IP \(bu 4
\fB-v\fR: \fB--version\fR
.IP \(bu 4
\fB-w\fR: \fB--workspace\fR
.IP \(bu 4
\fB--ws\fR: \fB--workspaces\fR
.IP \(bu 4
\fB-y\fR: \fB--yes\fR
.RE 0

.P
If the specified configuration param resolves unambiguously to a known configuration parameter, then it is expanded to that configuration parameter. For example:
.P
.RS 2
.nf
npm ls --par
# same as:
npm ls --parseable
.fi
.RE
.P
If multiple single-character shorthands are strung together, and the resulting combination is unambiguously not some other configuration param, then it is expanded to its various component pieces. For example:
.P
.RS 2
.nf
npm ls -gpld
# same as:
npm ls --global --parseable --long --loglevel info
.fi
.RE
.SS "Config Settings"
.SS "\fB_auth\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
A basic-auth string to use when authenticating against the npm registry. This will ONLY be used to authenticate against the npm registry. For other registries you will need to scope it like "//other-registry.tld/:_auth"
.P
Warning: This should generally not be set via a command-line option. It is safer to use a registry-provided authentication bearer token stored in the ~/.npmrc file by running \fBnpm login\fR.
.SS "\fBaccess\fR"
.RS 0
.IP \(bu 4
Default: 'public' for new packages, existing packages it will not change the current level
.IP \(bu 4
Type: null, "restricted", or "public"
.RE 0

.P
If you do not want your scoped package to be publicly viewable (and installable) set \fB--access=restricted\fR.
.P
Unscoped packages can not be set to \fBrestricted\fR.
.P
Note: This defaults to not changing the current access level for existing packages. Specifying a value of \fBrestricted\fR or \fBpublic\fR during publish will change the access for an existing package the same way that \fBnpm access set
status\fR would.
.SS "\fBall\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
When running \fBnpm outdated\fR and \fBnpm ls\fR, setting \fB--all\fR will show all outdated or installed packages, rather than only those directly depended upon by the current project.
.SS "\fBallow-same-version\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Prevents throwing an error when \fBnpm version\fR is used to set the new version to the same value as the current version.
.SS "\fBaudit\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
When "true" submit audit reports alongside the current npm command to the default registry and all registries configured for scopes. See the documentation for npm help audit for details on what is submitted.
.SS "\fBaudit-level\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null, "info", "low", "moderate", "high", "critical", or "none"
.RE 0

.P
The minimum level of vulnerability for \fBnpm audit\fR to exit with a non-zero exit code.
.SS "\fBauth-type\fR"
.RS 0
.IP \(bu 4
Default: "web"
.IP \(bu 4
Type: "legacy" or "web"
.RE 0

.P
What authentication strategy to use with \fBlogin\fR. Note that if an \fBotp\fR config is given, this value will always be set to \fBlegacy\fR.
.SS "\fBbefore\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Date
.RE 0

.P
If passed to \fBnpm install\fR, will rebuild the npm tree such that only versions that were available \fBon or before\fR the \fB--before\fR time get installed. If there's no versions available for the current set of direct dependencies, the command will error.
.P
If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
.SS "\fBbin-links\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Tells npm to create symlinks (or \fB.cmd\fR shims on Windows) for package executables.
.P
Set to false to have it not do this. This can be used to work around the fact that some file systems don't support symlinks, even on ostensibly Unix systems.
.SS "\fBbrowser\fR"
.RS 0
.IP \(bu 4
Default: OS X: \fB"open"\fR, Windows: \fB"start"\fR, Others: \fB"xdg-open"\fR
.IP \(bu 4
Type: null, Boolean, or String
.RE 0

.P
The browser that is called by npm commands to open websites.
.P
Set to \fBfalse\fR to suppress browser behavior and instead print urls to terminal.
.P
Set to \fBtrue\fR to use default system URL opener.
.SS "\fBca\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String (can be set multiple times)
.RE 0

.P
The Certificate Authority signing certificate that is trusted for SSL connections to the registry. Values should be in PEM format (Windows calls it "Base-64 encoded X.509 (.CER)") with newlines replaced by the string "\[rs]n". For example:
.P
.RS 2
.nf
ca="-----BEGIN CERTIFICATE-----\[rs]nXXXX\[rs]nXXXX\[rs]n-----END CERTIFICATE-----"
.fi
.RE
.P
Set to \fBnull\fR to only allow "known" registrars, or to a specific CA cert to trust only that specific signing authority.
.P
Multiple CAs can be trusted by specifying an array of certificates:
.P
.RS 2
.nf
ca\[lB]\[rB]="..."
ca\[lB]\[rB]="..."
.fi
.RE
.P
See also the \fBstrict-ssl\fR config.
.SS "\fBcache\fR"
.RS 0
.IP \(bu 4
Default: Windows: \fB%LocalAppData%\[rs]npm-cache\fR, Posix: \fB~/.npm\fR
.IP \(bu 4
Type: Path
.RE 0

.P
The location of npm's cache directory.
.SS "\fBcafile\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: Path
.RE 0

.P
A path to a file containing one or multiple Certificate Authority signing certificates. Similar to the \fBca\fR setting, but allows for multiple CA's, as well as for the CA information to be stored in a file on disk.
.SS "\fBcall\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
Optional companion option for \fBnpm exec\fR, \fBnpx\fR that allows for specifying a custom command to be run along with the installed packages.
.P
.RS 2
.nf
npm exec --package yo --package generator-node --call "yo node"
.fi
.RE
.SS "\fBcidr\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String (can be set multiple times)
.RE 0

.P
This is a list of CIDR address to be used when configuring limited access tokens with the \fBnpm token create\fR command.
.SS "\fBcolor\fR"
.RS 0
.IP \(bu 4
Default: true unless the NO_COLOR environ is set to something other than '0'
.IP \(bu 4
Type: "always" or Boolean
.RE 0

.P
If false, never shows colors. If \fB"always"\fR then always shows colors. If true, then only prints color codes for tty file descriptors.
.SS "\fBcommit-hooks\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Run git commit hooks when using the \fBnpm version\fR command.
.SS "\fBcpu\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
Override CPU architecture of native modules to install. Acceptable values are same as \fBcpu\fR field of package.json, which comes from \fBprocess.arch\fR.
.SS "\fBdepth\fR"
.RS 0
.IP \(bu 4
Default: \fBInfinity\fR if \fB--all\fR is set, otherwise \fB1\fR
.IP \(bu 4
Type: null or Number
.RE 0

.P
The depth to go when recursing packages for \fBnpm ls\fR.
.P
If not set, \fBnpm ls\fR will show only the immediate dependencies of the root project. If \fB--all\fR is set, then npm will show all dependencies by default.
.SS "\fBdescription\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Show the description in \fBnpm search\fR
.SS "\fBdiff\fR"
.RS 0
.IP \(bu 4
Default:
.IP \(bu 4
Type: String (can be set multiple times)
.RE 0

.P
Define arguments to compare in \fBnpm diff\fR.
.SS "\fBdiff-dst-prefix\fR"
.RS 0
.IP \(bu 4
Default: "b/"
.IP \(bu 4
Type: String
.RE 0

.P
Destination prefix to be used in \fBnpm diff\fR output.
.SS "\fBdiff-ignore-all-space\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Ignore whitespace when comparing lines in \fBnpm diff\fR.
.SS "\fBdiff-name-only\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Prints only filenames when using \fBnpm diff\fR.
.SS "\fBdiff-no-prefix\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Do not show any source or destination prefix in \fBnpm diff\fR output.
.P
Note: this causes \fBnpm diff\fR to ignore the \fB--diff-src-prefix\fR and \fB--diff-dst-prefix\fR configs.
.SS "\fBdiff-src-prefix\fR"
.RS 0
.IP \(bu 4
Default: "a/"
.IP \(bu 4
Type: String
.RE 0

.P
Source prefix to be used in \fBnpm diff\fR output.
.SS "\fBdiff-text\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Treat all files as text in \fBnpm diff\fR.
.SS "\fBdiff-unified\fR"
.RS 0
.IP \(bu 4
Default: 3
.IP \(bu 4
Type: Number
.RE 0

.P
The number of lines of context to print in \fBnpm diff\fR.
.SS "\fBdry-run\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR.
.P
Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc.
.SS "\fBeditor\fR"
.RS 0
.IP \(bu 4
Default: The EDITOR or VISUAL environment variables, or '%SYSTEMROOT%\[rs]notepad.exe' on Windows, or 'vi' on Unix systems
.IP \(bu 4
Type: String
.RE 0

.P
The command to run for \fBnpm edit\fR and \fBnpm config edit\fR.
.SS "\fBengine-strict\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to true, then npm will stubbornly refuse to install (or even consider installing) any package that claims to not be compatible with the current Node.js version.
.P
This can be overridden by setting the \fB--force\fR flag.
.SS "\fBexpect-result-count\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Number
.RE 0

.P
Tells to expect a specific number of results from the command.
.P
This config can not be used with: \fBexpect-results\fR
.SS "\fBexpect-results\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Boolean
.RE 0

.P
Tells npm whether or not to expect results from the command. Can be either true (expect some results) or false (expect no results).
.P
This config can not be used with: \fBexpect-result-count\fR
.SS "\fBfetch-retries\fR"
.RS 0
.IP \(bu 4
Default: 2
.IP \(bu 4
Type: Number
.RE 0

.P
The "retries" config for the \fBretry\fR module to use when fetching packages from the registry.
.P
npm will retry idempotent read requests to the registry in the case of network failures or 5xx HTTP errors.
.SS "\fBfetch-retry-factor\fR"
.RS 0
.IP \(bu 4
Default: 10
.IP \(bu 4
Type: Number
.RE 0

.P
The "factor" config for the \fBretry\fR module to use when fetching packages.
.SS "\fBfetch-retry-maxtimeout\fR"
.RS 0
.IP \(bu 4
Default: 60000 (1 minute)
.IP \(bu 4
Type: Number
.RE 0

.P
The "maxTimeout" config for the \fBretry\fR module to use when fetching packages.
.SS "\fBfetch-retry-mintimeout\fR"
.RS 0
.IP \(bu 4
Default: 10000 (10 seconds)
.IP \(bu 4
Type: Number
.RE 0

.P
The "minTimeout" config for the \fBretry\fR module to use when fetching packages.
.SS "\fBfetch-timeout\fR"
.RS 0
.IP \(bu 4
Default: 300000 (5 minutes)
.IP \(bu 4
Type: Number
.RE 0

.P
The maximum amount of time to wait for HTTP requests to complete.
.SS "\fBforce\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Removes various protections against unfortunate side effects, common mistakes, unnecessary performance degradation, and malicious input.
.RS 0
.IP \(bu 4
Allow clobbering non-npm files in global installs.
.IP \(bu 4
Allow the \fBnpm version\fR command to work on an unclean git repository.
.IP \(bu 4
Allow deleting the cache folder with \fBnpm cache clean\fR.
.IP \(bu 4
Allow installing packages that have an \fBengines\fR declaration requiring a different version of npm.
.IP \(bu 4
Allow installing packages that have an \fBengines\fR declaration requiring a different version of \fBnode\fR, even if \fB--engine-strict\fR is enabled.
.IP \(bu 4
Allow \fBnpm audit fix\fR to install modules outside your stated dependency range (including SemVer-major changes).
.IP \(bu 4
Allow unpublishing all versions of a published package.
.IP \(bu 4
Allow conflicting peerDependencies to be installed in the root project.
.IP \(bu 4
Implicitly set \fB--yes\fR during \fBnpm init\fR.
.IP \(bu 4
Allow clobbering existing values in \fBnpm pkg\fR
.IP \(bu 4
Allow unpublishing of entire packages (not just a single version).
.RE 0

.P
If you don't have a clear idea of what you want to do, it is strongly recommended that you do not use this option!
.SS "\fBforeground-scripts\fR"
.RS 0
.IP \(bu 4
Default: \fBfalse\fR unless when using \fBnpm pack\fR or \fBnpm publish\fR where it defaults to \fBtrue\fR
.IP \(bu 4
Type: Boolean
.RE 0

.P
Run all build scripts (ie, \fBpreinstall\fR, \fBinstall\fR, and \fBpostinstall\fR) scripts for installed packages in the foreground process, sharing standard input, output, and error with the main npm process.
.P
Note that this will generally make installs run slower, and be much noisier, but can be useful for debugging.
.SS "\fBformat-package-lock\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Format \fBpackage-lock.json\fR or \fBnpm-shrinkwrap.json\fR as a human readable file.
.SS "\fBfund\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
When "true" displays the message at the end of each \fBnpm install\fR acknowledging the number of dependencies looking for funding. See npm help fund for details.
.SS "\fBgit\fR"
.RS 0
.IP \(bu 4
Default: "git"
.IP \(bu 4
Type: String
.RE 0

.P
The command to use for git commands. If git is installed on the computer, but is not in the \fBPATH\fR, then set this to the full path to the git binary.
.SS "\fBgit-tag-version\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Tag the commit when using the \fBnpm version\fR command. Setting this to false results in no commit being made at all.
.SS "\fBglobal\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Operates in "global" mode, so that packages are installed into the \fBprefix\fR folder instead of the current working directory. See npm help folders for more on the differences in behavior.
.RS 0
.IP \(bu 4
packages are installed into the \fB{prefix}/lib/node_modules\fR folder, instead of the current working directory.
.IP \(bu 4
bin files are linked to \fB{prefix}/bin\fR
.IP \(bu 4
man pages are linked to \fB{prefix}/share/man\fR
.RE 0

.SS "\fBglobalconfig\fR"
.RS 0
.IP \(bu 4
Default: The global --prefix setting plus 'etc/npmrc'. For example, '/usr/local/etc/npmrc'
.IP \(bu 4
Type: Path
.RE 0

.P
The config file to read for global config options.
.SS "\fBheading\fR"
.RS 0
.IP \(bu 4
Default: "npm"
.IP \(bu 4
Type: String
.RE 0

.P
The string that starts all the debugging log output.
.SS "\fBhttps-proxy\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or URL
.RE 0

.P
A proxy to use for outgoing https requests. If the \fBHTTPS_PROXY\fR or \fBhttps_proxy\fR or \fBHTTP_PROXY\fR or \fBhttp_proxy\fR environment variables are set, proxy settings will be honored by the underlying \fBmake-fetch-happen\fR library.
.SS "\fBif-present\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, npm will not exit with an error code when \fBrun-script\fR is invoked for a script that isn't defined in the \fBscripts\fR section of \fBpackage.json\fR. This option can be used when it's desirable to optionally run a script when it's present and fail if the script fails. This is useful, for example, when running scripts that may only apply for some builds in an otherwise generic CI setup.
.P
This value is not exported to the environment for child processes.
.SS "\fBignore-scripts\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, npm does not run scripts specified in package.json files.
.P
Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run-script\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
.SS "\fBinclude\fR"
.RS 0
.IP \(bu 4
Default:
.IP \(bu 4
Type: "prod", "dev", "optional", or "peer" (can be set multiple times)
.RE 0

.P
Option that allows for defining which types of dependencies to install.
.P
This is the inverse of \fB--omit=<type>\fR.
.P
Dependency types specified in \fB--include\fR will not be omitted, regardless of the order in which omit/include are specified on the command-line.
.SS "\fBinclude-staged\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Allow installing "staged" published packages, as defined by \fBnpm RFC PR #92\fR \fI\(lahttps://github.com/npm/rfcs/pull/92\(ra\fR.
.P
This is experimental, and not implemented by the npm public registry.
.SS "\fBinclude-workspace-root\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Include the workspace root when workspaces are enabled for a command.
.P
When false, specifying individual workspaces via the \fBworkspace\fR config, or all workspaces via the \fBworkspaces\fR flag, will cause npm to operate only on the specified workspaces, and not on the root project.
.P
This value is not exported to the environment for child processes.
.SS "\fBinit-author-email\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
The value \fBnpm init\fR should use by default for the package author's email.
.SS "\fBinit-author-name\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
The value \fBnpm init\fR should use by default for the package author's name.
.SS "\fBinit-author-url\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: "" or URL
.RE 0

.P
The value \fBnpm init\fR should use by default for the package author's homepage.
.SS "\fBinit-license\fR"
.RS 0
.IP \(bu 4
Default: "ISC"
.IP \(bu 4
Type: String
.RE 0

.P
The value \fBnpm init\fR should use by default for the package license.
.SS "\fBinit-module\fR"
.RS 0
.IP \(bu 4
Default: "~/.npm-init.js"
.IP \(bu 4
Type: Path
.RE 0

.P
A module that will be loaded by the \fBnpm init\fR command. See the documentation for the \fBinit-package-json\fR \fI\(lahttps://github.com/npm/init-package-json\(ra\fR module for more information, or npm help init.
.SS "\fBinit-version\fR"
.RS 0
.IP \(bu 4
Default: "1.0.0"
.IP \(bu 4
Type: SemVer string
.RE 0

.P
The value that \fBnpm init\fR should use by default for the package version number, if not already set in package.json.
.SS "\fBinstall-links\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
When set file: protocol dependencies will be packed and installed as regular dependencies instead of creating a symlink. This option has no effect on workspaces.
.SS "\fBinstall-strategy\fR"
.RS 0
.IP \(bu 4
Default: "hoisted"
.IP \(bu 4
Type: "hoisted", "nested", "shallow", or "linked"
.RE 0

.P
Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
.SS "\fBjson\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Whether or not to output JSON data, rather than the normal output.
.RS 0
.IP \(bu 4
In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR.
.RE 0

.P
Not supported by all npm commands.
.SS "\fBlegacy-peer-deps\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Causes npm to completely ignore \fBpeerDependencies\fR when building a package tree, as in npm versions 3 through 6.
.P
If a package cannot be installed because of overly strict \fBpeerDependencies\fR that collide, it provides a way to move forward resolving the situation.
.P
This differs from \fB--omit=peer\fR, in that \fB--omit=peer\fR will avoid unpacking \fBpeerDependencies\fR on disk, but will still design a tree such that \fBpeerDependencies\fR \fIcould\fR be unpacked in a correct place.
.P
Use of \fBlegacy-peer-deps\fR is not recommended, as it will not enforce the \fBpeerDependencies\fR contract that meta-dependencies may rely on.
.SS "\fBlibc\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
Override libc of native modules to install. Acceptable values are same as \fBlibc\fR field of package.json
.SS "\fBlink\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Used with \fBnpm ls\fR, limiting output to only those packages that are linked.
.SS "\fBlocal-address\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: IP Address
.RE 0

.P
The IP address of the local interface to use when making connections to the npm registry. Must be IPv4 in versions of Node prior to 0.12.
.SS "\fBlocation\fR"
.RS 0
.IP \(bu 4
Default: "user" unless \fB--global\fR is passed, which will also set this value to "global"
.IP \(bu 4
Type: "global", "user", or "project"
.RE 0

.P
When passed to \fBnpm config\fR this refers to which config file to use.
.P
When set to "global" mode, packages are installed into the \fBprefix\fR folder instead of the current working directory. See npm help folders for more on the differences in behavior.
.RS 0
.IP \(bu 4
packages are installed into the \fB{prefix}/lib/node_modules\fR folder, instead of the current working directory.
.IP \(bu 4
bin files are linked to \fB{prefix}/bin\fR
.IP \(bu 4
man pages are linked to \fB{prefix}/share/man\fR
.RE 0

.SS "\fBlockfile-version\fR"
.RS 0
.IP \(bu 4
Default: Version 3 if no lockfile, auto-converting v1 lockfiles to v3, otherwise maintain current lockfile version.
.IP \(bu 4
Type: null, 1, 2, 3, "1", "2", or "3"
.RE 0

.P
Set the lockfile format version to be used in package-lock.json and npm-shrinkwrap-json files. Possible options are:
.P
1: The lockfile version used by npm versions 5 and 6. Lacks some data that is used during the install, resulting in slower and possibly less deterministic installs. Prevents lockfile churn when interoperating with older npm versions.
.P
2: The default lockfile version used by npm version 7 and 8. Includes both the version 1 lockfile data and version 3 lockfile data, for maximum determinism and interoperability, at the expense of more bytes on disk.
.P
3: Only the new lockfile information introduced in npm version 7. Smaller on disk than lockfile version 2, but not interoperable with older npm versions. Ideal if all users are on npm version 7 and higher.
.SS "\fBloglevel\fR"
.RS 0
.IP \(bu 4
Default: "notice"
.IP \(bu 4
Type: "silent", "error", "warn", "notice", "http", "info", "verbose", or "silly"
.RE 0

.P
What level of logs to report. All logs are written to a debug log, with the path to that file printed if the execution of a command fails.
.P
Any logs of a higher level than the setting are shown. The default is "notice".
.P
See also the \fBforeground-scripts\fR config.
.SS "\fBlogs-dir\fR"
.RS 0
.IP \(bu 4
Default: A directory named \fB_logs\fR inside the cache
.IP \(bu 4
Type: null or Path
.RE 0

.P
The location of npm's log directory. See npm help logging for more information.
.SS "\fBlogs-max\fR"
.RS 0
.IP \(bu 4
Default: 10
.IP \(bu 4
Type: Number
.RE 0

.P
The maximum number of log files to store.
.P
If set to 0, no log files will be written for the current run.
.SS "\fBlong\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Show extended information in \fBls\fR, \fBsearch\fR, and \fBhelp-search\fR.
.SS "\fBmaxsockets\fR"
.RS 0
.IP \(bu 4
Default: 15
.IP \(bu 4
Type: Number
.RE 0

.P
The maximum number of connections to use per origin (protocol/host/port combination).
.SS "\fBmessage\fR"
.RS 0
.IP \(bu 4
Default: "%s"
.IP \(bu 4
Type: String
.RE 0

.P
Commit message which is used by \fBnpm version\fR when creating version commit.
.P
Any "%s" in the message will be replaced with the version number.
.SS "\fBnode-options\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
Options to pass through to Node.js via the \fBNODE_OPTIONS\fR environment variable. This does not impact how npm itself is executed but it does impact how lifecycle scripts are called.
.SS "\fBnoproxy\fR"
.RS 0
.IP \(bu 4
Default: The value of the NO_PROXY environment variable
.IP \(bu 4
Type: String (can be set multiple times)
.RE 0

.P
Domain extensions that should bypass any proxies.
.P
Also accepts a comma-delimited string.
.SS "\fBoffline\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Force offline mode: no network requests will be done during install. To allow the CLI to fill in missing cache data, see \fB--prefer-offline\fR.
.SS "\fBomit\fR"
.RS 0
.IP \(bu 4
Default: 'dev' if the \fBNODE_ENV\fR environment variable is set to 'production', otherwise empty.
.IP \(bu 4
Type: "dev", "optional", or "peer" (can be set multiple times)
.RE 0

.P
Dependency types to omit from the installation tree on disk.
.P
Note that these dependencies \fIare\fR still resolved and added to the \fBpackage-lock.json\fR or \fBnpm-shrinkwrap.json\fR file. They are just not physically installed on disk.
.P
If a package type appears in both the \fB--include\fR and \fB--omit\fR lists, then it will be included.
.P
If the resulting omit list includes \fB'dev'\fR, then the \fBNODE_ENV\fR environment variable will be set to \fB'production'\fR for all lifecycle scripts.
.SS "\fBomit-lockfile-registry-resolved\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
This option causes npm to create lock files without a \fBresolved\fR key for registry dependencies. Subsequent installs will need to resolve tarball endpoints with the configured registry, likely resulting in a longer install time.
.SS "\fBos\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
Override OS of native modules to install. Acceptable values are same as \fBos\fR field of package.json, which comes from \fBprocess.platform\fR.
.SS "\fBotp\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.RE 0

.P
This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with \fBnpm access\fR.
.P
If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.
.SS "\fBpack-destination\fR"
.RS 0
.IP \(bu 4
Default: "."
.IP \(bu 4
Type: String
.RE 0

.P
Directory in which \fBnpm pack\fR will save tarballs.
.SS "\fBpackage\fR"
.RS 0
.IP \(bu 4
Default:
.IP \(bu 4
Type: String (can be set multiple times)
.RE 0

.P
The package or packages to install for npm help exec
.SS "\fBpackage-lock\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to false, then ignore \fBpackage-lock.json\fR files when installing. This will also prevent \fIwriting\fR \fBpackage-lock.json\fR if \fBsave\fR is true.
.SS "\fBpackage-lock-only\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to true, the current operation will only use the \fBpackage-lock.json\fR, ignoring \fBnode_modules\fR.
.P
For \fBupdate\fR this means only the \fBpackage-lock.json\fR will be updated, instead of checking \fBnode_modules\fR and downloading dependencies.
.P
For \fBlist\fR this means the output will be based on the tree described by the \fBpackage-lock.json\fR, rather than the contents of \fBnode_modules\fR.
.SS "\fBparseable\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Output parseable results from commands that write to standard output. For \fBnpm search\fR, this will be tab-separated table format.
.SS "\fBprefer-dedupe\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Prefer to deduplicate packages if possible, rather than choosing a newer version of a dependency.
.SS "\fBprefer-offline\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, staleness checks for cached data will be bypassed, but missing data will be requested from the server. To force full offline mode, use \fB--offline\fR.
.SS "\fBprefer-online\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, staleness checks for cached data will be forced, making the CLI look for updates immediately even for fresh package data.
.SS "\fBprefix\fR"
.RS 0
.IP \(bu 4
Default: In global mode, the folder where the node executable is installed. Otherwise, the nearest parent folder containing either a package.json file or a node_modules folder.
.IP \(bu 4
Type: Path
.RE 0

.P
The location to install global items. If set on the command line, then it forces non-global commands to run in the specified folder.
.SS "\fBpreid\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
The "prerelease identifier" to use as a prefix for the "prerelease" part of a semver. Like the \fBrc\fR in \fB1.2.0-rc.8\fR.
.SS "\fBprogress\fR"
.RS 0
.IP \(bu 4
Default: \fBtrue\fR unless running in a known CI system
.IP \(bu 4
Type: Boolean
.RE 0

.P
When set to \fBtrue\fR, npm will display a progress bar during time intensive operations, if \fBprocess.stderr\fR and \fBprocess.stdout\fR are a TTY.
.P
Set to \fBfalse\fR to suppress the progress bar.
.SS "\fBprovenance\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and published from.
.P
This config can not be used with: \fBprovenance-file\fR
.SS "\fBprovenance-file\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: Path
.RE 0

.P
When publishing, the provenance bundle at the given path will be used.
.P
This config can not be used with: \fBprovenance\fR
.SS "\fBproxy\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null, false, or URL
.RE 0

.P
A proxy to use for outgoing http requests. If the \fBHTTP_PROXY\fR or \fBhttp_proxy\fR environment variables are set, proxy settings will be honored by the underlying \fBrequest\fR library.
.SS "\fBread-only\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
This is used to mark a token as unable to publish when configuring limited access tokens with the \fBnpm token create\fR command.
.SS "\fBrebuild-bundle\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Rebuild bundled dependencies after installation.
.SS "\fBregistry\fR"
.RS 0
.IP \(bu 4
Default: "https://registry.npmjs.org/"
.IP \(bu 4
Type: URL
.RE 0

.P
The base URL of the npm registry.
.SS "\fBreplace-registry-host\fR"
.RS 0
.IP \(bu 4
Default: "npmjs"
.IP \(bu 4
Type: "npmjs", "never", "always", or String
.RE 0

.P
Defines behavior for replacing the registry host in a lockfile with the configured registry.
.P
The default behavior is to replace package dist URLs from the default registry (https://registry.npmjs.org) to the configured registry. If set to "never", then use the registry value. If set to "always", then replace the registry host with the configured host every time.
.P
You may also specify a bare hostname (e.g., "registry.npmjs.org").
.SS "\fBsave\fR"
.RS 0
.IP \(bu 4
Default: \fBtrue\fR unless when using \fBnpm update\fR where it defaults to \fBfalse\fR
.IP \(bu 4
Type: Boolean
.RE 0

.P
Save installed packages to a \fBpackage.json\fR file as dependencies.
.P
When used with the \fBnpm rm\fR command, removes the dependency from \fBpackage.json\fR.
.P
Will also prevent writing to \fBpackage-lock.json\fR if set to \fBfalse\fR.
.SS "\fBsave-bundle\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If a package would be saved at install time by the use of \fB--save\fR, \fB--save-dev\fR, or \fB--save-optional\fR, then also put it in the \fBbundleDependencies\fR list.
.P
Ignored if \fB--save-peer\fR is set, since peerDependencies cannot be bundled.
.SS "\fBsave-dev\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Save installed packages to a package.json file as \fBdevDependencies\fR.
.SS "\fBsave-exact\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Dependencies saved to package.json will be configured with an exact version rather than using npm's default semver range operator.
.SS "\fBsave-optional\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Save installed packages to a package.json file as \fBoptionalDependencies\fR.
.SS "\fBsave-peer\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Save installed packages to a package.json file as \fBpeerDependencies\fR
.SS "\fBsave-prefix\fR"
.RS 0
.IP \(bu 4
Default: "^"
.IP \(bu 4
Type: String
.RE 0

.P
Configure how versions of packages installed to a package.json file via \fB--save\fR or \fB--save-dev\fR get prefixed.
.P
For example if a package has version \fB1.2.3\fR, by default its version is set to \fB^1.2.3\fR which allows minor upgrades for that package, but after \fBnpm
config set save-prefix='~'\fR it would be set to \fB~1.2.3\fR which only allows patch upgrades.
.SS "\fBsave-prod\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Save installed packages into \fBdependencies\fR specifically. This is useful if a package already exists in \fBdevDependencies\fR or \fBoptionalDependencies\fR, but you want to move it to be a non-optional production dependency.
.P
This is the default behavior if \fB--save\fR is true, and neither \fB--save-dev\fR or \fB--save-optional\fR are true.
.SS "\fBsbom-format\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: "cyclonedx" or "spdx"
.RE 0

.P
SBOM format to use when generating SBOMs.
.SS "\fBsbom-type\fR"
.RS 0
.IP \(bu 4
Default: "library"
.IP \(bu 4
Type: "library", "application", or "framework"
.RE 0

.P
The type of package described by the generated SBOM. For SPDX, this is the value for the \fBprimaryPackagePurpose\fR field. For CycloneDX, this is the value for the \fBtype\fR field.
.SS "\fBscope\fR"
.RS 0
.IP \(bu 4
Default: the scope of the current project, if any, or ""
.IP \(bu 4
Type: String
.RE 0

.P
Associate an operation with a scope for a scoped registry.
.P
Useful when logging in to or out of a private registry:
.P
.RS 2
.nf
# log in, linking the scope to the custom registry
npm login --scope=@mycorp --registry=https://registry.mycorp.com

# log out, removing the link and the auth token
npm logout --scope=@mycorp
.fi
.RE
.P
This will cause \fB@mycorp\fR to be mapped to the registry for future installation of packages specified according to the pattern \fB@mycorp/package\fR.
.P
This will also cause \fBnpm init\fR to create a scoped package.
.P
.RS 2
.nf
# accept all defaults, and create a package named "@foo/whatever",
# instead of just named "whatever"
npm init --scope=@foo --yes
.fi
.RE
.SS "\fBscript-shell\fR"
.RS 0
.IP \(bu 4
Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows
.IP \(bu 4
Type: null or String
.RE 0

.P
The shell to use for scripts run with the \fBnpm exec\fR, \fBnpm run\fR and \fBnpm
init <package-spec>\fR commands.
.SS "\fBsearchexclude\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
Space-separated options that limit the results from search.
.SS "\fBsearchlimit\fR"
.RS 0
.IP \(bu 4
Default: 20
.IP \(bu 4
Type: Number
.RE 0

.P
Number of items to limit search results to. Will not apply at all to legacy searches.
.SS "\fBsearchopts\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.RE 0

.P
Space-separated options that are always passed to search.
.SS "\fBsearchstaleness\fR"
.RS 0
.IP \(bu 4
Default: 900
.IP \(bu 4
Type: Number
.RE 0

.P
The age of the cache, in seconds, before another registry request is made if using legacy search endpoint.
.SS "\fBshell\fR"
.RS 0
.IP \(bu 4
Default: SHELL environment variable, or "bash" on Posix, or "cmd.exe" on Windows
.IP \(bu 4
Type: String
.RE 0

.P
The shell to run for the \fBnpm explore\fR command.
.SS "\fBsign-git-commit\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to true, then the \fBnpm version\fR command will commit the new package version using \fB-S\fR to add a signature.
.P
Note that git requires you to have set up GPG keys in your git configs for this to work properly.
.SS "\fBsign-git-tag\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to true, then the \fBnpm version\fR command will tag the version using \fB-s\fR to add a signature.
.P
Note that git requires you to have set up GPG keys in your git configs for this to work properly.
.SS "\fBstrict-peer-deps\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to \fBtrue\fR, and \fB--legacy-peer-deps\fR is not set, then \fIany\fR conflicting \fBpeerDependencies\fR will be treated as an install failure, even if npm could reasonably guess the appropriate resolution based on non-peer dependency relationships.
.P
By default, conflicting \fBpeerDependencies\fR deep in the dependency graph will be resolved using the nearest non-peer dependency specification, even if doing so will result in some packages receiving a peer dependency outside the range set in their package's \fBpeerDependencies\fR object.
.P
When such an override is performed, a warning is printed, explaining the conflict and the packages involved. If \fB--strict-peer-deps\fR is set, then this warning is treated as a failure.
.SS "\fBstrict-ssl\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Whether or not to do SSL key validation when making requests to the registry via https.
.P
See also the \fBca\fR config.
.SS "\fBtag\fR"
.RS 0
.IP \(bu 4
Default: "latest"
.IP \(bu 4
Type: String
.RE 0

.P
If you ask npm to install a package and don't tell it a specific version, then it will install the specified tag.
.P
It is the tag added to the package@version specified in the \fBnpm dist-tag
add\fR command, if no explicit tag is given.
.P
When used by the \fBnpm diff\fR command, this is the tag used to fetch the tarball that will be compared with the local files by default.
.P
If used in the \fBnpm publish\fR command, this is the tag that will be added to the package submitted to the registry.
.SS "\fBtag-version-prefix\fR"
.RS 0
.IP \(bu 4
Default: "v"
.IP \(bu 4
Type: String
.RE 0

.P
If set, alters the prefix used when tagging a new version when performing a version increment using \fBnpm version\fR. To remove the prefix altogether, set it to the empty string: \fB""\fR.
.P
Because other tools may rely on the convention that npm version tags look like \fBv1.0.0\fR, \fIonly use this property if it is absolutely necessary\fR. In particular, use care when overriding this setting for public packages.
.SS "\fBtiming\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, writes timing information to a process specific json file in the cache or \fBlogs-dir\fR. The file name ends with \fB-timing.json\fR.
.P
You can quickly view it with this \fBjson\fR \fI\(lahttps://npm.im/json\(ra\fR command line: \fBcat ~/.npm/_logs/*-timing.json | npm exec -- json -g\fR.
.P
Timing information will also be reported in the terminal. To suppress this while still writing the timing file, use \fB--silent\fR.
.SS "\fBumask\fR"
.RS 0
.IP \(bu 4
Default: 0
.IP \(bu 4
Type: Octal numeric string in range 0000..0777 (0..511)
.RE 0

.P
The "umask" value to use when setting the file creation mode on files and folders.
.P
Folders and executables are given a mode which is \fB0o777\fR masked against this value. Other files are given a mode which is \fB0o666\fR masked against this value.
.P
Note that the underlying system will \fIalso\fR apply its own umask value to files and folders that are created, and npm does not circumvent this, but rather adds the \fB--umask\fR config to it.
.P
Thus, the effective default umask value on most POSIX systems is 0o22, meaning that folders and executables are created with a mode of 0o755 and other files are created with a mode of 0o644.
.SS "\fBunicode\fR"
.RS 0
.IP \(bu 4
Default: false on windows, true on mac/unix systems with a unicode locale, as defined by the \fBLC_ALL\fR, \fBLC_CTYPE\fR, or \fBLANG\fR environment variables.
.IP \(bu 4
Type: Boolean
.RE 0

.P
When set to true, npm uses unicode characters in the tree output. When false, it uses ascii characters instead of unicode glyphs.
.SS "\fBupdate-notifier\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
Set to false to suppress the update notification when using an older version of npm than the latest.
.SS "\fBusage\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
Show short usage output about the command specified.
.SS "\fBuser-agent\fR"
.RS 0
.IP \(bu 4
Default: "npm/{npm-version} node/{node-version} {platform} {arch} workspaces/{workspaces} {ci}"
.IP \(bu 4
Type: String
.RE 0

.P
Sets the User-Agent request header. The following fields are replaced with their actual counterparts:
.RS 0
.IP \(bu 4
\fB{npm-version}\fR - The npm version in use
.IP \(bu 4
\fB{node-version}\fR - The Node.js version in use
.IP \(bu 4
\fB{platform}\fR - The value of \fBprocess.platform\fR
.IP \(bu 4
\fB{arch}\fR - The value of \fBprocess.arch\fR
.IP \(bu 4
\fB{workspaces}\fR - Set to \fBtrue\fR if the \fBworkspaces\fR or \fBworkspace\fR options are set.
.IP \(bu 4
\fB{ci}\fR - The value of the \fBci-name\fR config, if set, prefixed with \fBci/\fR, or an empty string if \fBci-name\fR is empty.
.RE 0

.SS "\fBuserconfig\fR"
.RS 0
.IP \(bu 4
Default: "~/.npmrc"
.IP \(bu 4
Type: Path
.RE 0

.P
The location of user-level configuration settings.
.P
This may be overridden by the \fBnpm_config_userconfig\fR environment variable or the \fB--userconfig\fR command line option, but may \fInot\fR be overridden by settings in the \fBglobalconfig\fR file.
.SS "\fBversion\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, output the npm version and exit successfully.
.P
Only relevant when specified explicitly on the command line.
.SS "\fBversions\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.RE 0

.P
If true, output the npm version as well as node's \fBprocess.versions\fR map and the version in the current working directory's \fBpackage.json\fR file if one exists, and exit successfully.
.P
Only relevant when specified explicitly on the command line.
.SS "\fBviewer\fR"
.RS 0
.IP \(bu 4
Default: "man" on Posix, "browser" on Windows
.IP \(bu 4
Type: String
.RE 0

.P
The program to use to view help content.
.P
Set to \fB"browser"\fR to view html help content in the default web browser.
.SS "\fBwhich\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Number
.RE 0

.P
If there are multiple funding sources, which 1-indexed source URL to open.
.SS "\fBworkspace\fR"
.RS 0
.IP \(bu 4
Default:
.IP \(bu 4
Type: String (can be set multiple times)
.RE 0

.P
Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.
.P
Valid values for the \fBworkspace\fR config are either:
.RS 0
.IP \(bu 4
Workspace names
.IP \(bu 4
Path to a workspace directory
.IP \(bu 4
Path to a parent workspace directory (will result in selecting all workspaces within that folder)
.RE 0

.P
When set for the \fBnpm init\fR command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project.
.P
This value is not exported to the environment for child processes.
.SS "\fBworkspaces\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Boolean
.RE 0

.P
Set to true to run the command in the context of \fBall\fR configured workspaces.
.P
Explicitly setting this to false will cause commands like \fBinstall\fR to ignore workspaces altogether. When not set explicitly:
.RS 0
.IP \(bu 4
Commands that operate on the \fBnode_modules\fR tree (install, update, etc.) will link workspaces into the \fBnode_modules\fR folder. - Commands that do other things (test, exec, publish, etc.) will operate on the root project, \fIunless\fR one or more workspaces are specified in the \fBworkspace\fR config.
.RE 0

.P
This value is not exported to the environment for child processes.
.SS "\fBworkspaces-update\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.RE 0

.P
If set to true, the npm cli will run an update after operations that may possibly change the workspaces installed to the \fBnode_modules\fR folder.
.SS "\fByes\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Boolean
.RE 0

.P
Automatically answer "yes" to any prompts that npm might print on the command line.
.SS "\fBalso\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null, "dev", or "development"
.IP \(bu 4
DEPRECATED: Please use --include=dev instead.
.RE 0

.P
When set to \fBdev\fR or \fBdevelopment\fR, this is an alias for \fB--include=dev\fR.
.SS "\fBcache-max\fR"
.RS 0
.IP \(bu 4
Default: Infinity
.IP \(bu 4
Type: Number
.IP \(bu 4
DEPRECATED: This option has been deprecated in favor of \fB--prefer-online\fR
.RE 0

.P
\fB--cache-max=0\fR is an alias for \fB--prefer-online\fR
.SS "\fBcache-min\fR"
.RS 0
.IP \(bu 4
Default: 0
.IP \(bu 4
Type: Number
.IP \(bu 4
DEPRECATED: This option has been deprecated in favor of \fB--prefer-offline\fR.
.RE 0

.P
\fB--cache-min=9999 (or bigger)\fR is an alias for \fB--prefer-offline\fR.
.SS "\fBcert\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.IP \(bu 4
DEPRECATED: \fBkey\fR and \fBcert\fR are no longer used for most registry operations. Use registry scoped \fBkeyfile\fR and \fBcertfile\fR instead. Example: //other-registry.tld/:keyfile=/path/to/key.pem //other-registry.tld/:certfile=/path/to/cert.crt
.RE 0

.P
A client certificate to pass when accessing the registry. Values should be in PEM format (Windows calls it "Base-64 encoded X.509 (.CER)") with newlines replaced by the string "\[rs]n". For example:
.P
.RS 2
.nf
cert="-----BEGIN CERTIFICATE-----\[rs]nXXXX\[rs]nXXXX\[rs]n-----END CERTIFICATE-----"
.fi
.RE
.P
It is \fInot\fR the path to a certificate file, though you can set a registry-scoped "certfile" path like "//other-registry.tld/:certfile=/path/to/cert.pem".
.SS "\fBdev\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.IP \(bu 4
DEPRECATED: Please use --include=dev instead.
.RE 0

.P
Alias for \fB--include=dev\fR.
.SS "\fBglobal-style\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.IP \(bu 4
DEPRECATED: This option has been deprecated in favor of \fB--install-strategy=shallow\fR
.RE 0

.P
Only install direct dependencies in the top level \fBnode_modules\fR, but hoist on deeper dependencies. Sets \fB--install-strategy=shallow\fR.
.SS "\fBinit.author.email\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.IP \(bu 4
DEPRECATED: Use \fB--init-author-email\fR instead.
.RE 0

.P
Alias for \fB--init-author-email\fR
.SS "\fBinit.author.name\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: String
.IP \(bu 4
DEPRECATED: Use \fB--init-author-name\fR instead.
.RE 0

.P
Alias for \fB--init-author-name\fR
.SS "\fBinit.author.url\fR"
.RS 0
.IP \(bu 4
Default: ""
.IP \(bu 4
Type: "" or URL
.IP \(bu 4
DEPRECATED: Use \fB--init-author-url\fR instead.
.RE 0

.P
Alias for \fB--init-author-url\fR
.SS "\fBinit.license\fR"
.RS 0
.IP \(bu 4
Default: "ISC"
.IP \(bu 4
Type: String
.IP \(bu 4
DEPRECATED: Use \fB--init-license\fR instead.
.RE 0

.P
Alias for \fB--init-license\fR
.SS "\fBinit.module\fR"
.RS 0
.IP \(bu 4
Default: "~/.npm-init.js"
.IP \(bu 4
Type: Path
.IP \(bu 4
DEPRECATED: Use \fB--init-module\fR instead.
.RE 0

.P
Alias for \fB--init-module\fR
.SS "\fBinit.version\fR"
.RS 0
.IP \(bu 4
Default: "1.0.0"
.IP \(bu 4
Type: SemVer string
.IP \(bu 4
DEPRECATED: Use \fB--init-version\fR instead.
.RE 0

.P
Alias for \fB--init-version\fR
.SS "\fBkey\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or String
.IP \(bu 4
DEPRECATED: \fBkey\fR and \fBcert\fR are no longer used for most registry operations. Use registry scoped \fBkeyfile\fR and \fBcertfile\fR instead. Example: //other-registry.tld/:keyfile=/path/to/key.pem //other-registry.tld/:certfile=/path/to/cert.crt
.RE 0

.P
A client key to pass when accessing the registry. Values should be in PEM format with newlines replaced by the string "\[rs]n". For example:
.P
.RS 2
.nf
key="-----BEGIN PRIVATE KEY-----\[rs]nXXXX\[rs]nXXXX\[rs]n-----END PRIVATE KEY-----"
.fi
.RE
.P
It is \fInot\fR the path to a key file, though you can set a registry-scoped "keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
Default: false
.IP \(bu 4
Type: Boolean
.IP \(bu 4
DEPRECATED: This option has been deprecated in favor of \fB--install-strategy=nested\fR
.RE 0

.P
Instead of hoisting package installs in \fBnode_modules\fR, install packages in the same manner that they are depended on. This may cause very deep directory structures and duplicate package installs as there is no de-duplicating. Sets \fB--install-strategy=nested\fR.
.SS "\fBonly\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null, "prod", or "production"
.IP \(bu 4
DEPRECATED: Use \fB--omit=dev\fR to omit dev dependencies from the install.
.RE 0

.P
When set to \fBprod\fR or \fBproduction\fR, this is an alias for \fB--omit=dev\fR.
.SS "\fBoptional\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Boolean
.IP \(bu 4
DEPRECATED: Use \fB--omit=optional\fR to exclude optional dependencies, or \fB--include=optional\fR to include them.
.RE 0

.P
Default value does install optional deps unless otherwise omitted.
.P
Alias for --include=optional or --omit=optional
.SS "\fBproduction\fR"
.RS 0
.IP \(bu 4
Default: null
.IP \(bu 4
Type: null or Boolean
.IP \(bu 4
DEPRECATED: Use \fB--omit=dev\fR instead.
.RE 0

.P
Alias for \fB--omit=dev\fR
.SS "\fBshrinkwrap\fR"
.RS 0
.IP \(bu 4
Default: true
.IP \(bu 4
Type: Boolean
.IP \(bu 4
DEPRECATED: Use the --package-lock setting instead.
.RE 0

.P
Alias for --package-lock
.SS "See also"
.RS 0
.IP \(bu 4
npm help config
.IP \(bu 4
npm help npmrc
.IP \(bu 4
npm help scripts
.IP \(bu 4
npm help folders
.IP \(bu 4
npm help npm
.RE 0
registry.7000064400000007302151701453040006506 0ustar00.TH "REGISTRY" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBregistry\fR - The JavaScript Package Registry
.SS "Description"
.P
To resolve packages by name and version, npm talks to a registry website that implements the CommonJS Package Registry specification for reading package info.
.P
npm is configured to use the \fBnpm public registry\fR at \fI\(lahttps://registry.npmjs.org\(ra\fR by default. Use of the npm public registry is subject to terms of use available at \fI\(lahttps://docs.npmjs.com/policies/terms\(ra\fR.
.P
You can configure npm to use any compatible registry you like, and even run your own registry. Use of someone else's registry may be governed by their terms of use.
.P
npm's package registry implementation supports several write APIs as well, to allow for publishing packages and managing user account information.
.P
The npm public registry is powered by a CouchDB database, of which there is a public mirror at \fI\(lahttps://skimdb.npmjs.com/registry\(ra\fR.
.P
The registry URL used is determined by the scope of the package (see npm help scope. If no scope is specified, the default registry is used, which is supplied by the \fB\fBregistry\fR config\fR \fI\(la/using-npm/config#registry\(ra\fR parameter. See npm help config, npm help npmrc, and npm help config for more on managing npm's configuration. Authentication configuration such as auth tokens and certificates are configured specifically scoped to an individual registry. See \fBAuth Related Configuration\fR \fI\(la/configuring-npm/npmrc#auth-related-configuration\(ra\fR
.P
When the default registry is used in a package-lock or shrinkwrap it has the special meaning of "the currently configured registry". If you create a lock file while using the default registry you can switch to another registry and npm will install packages from the new registry, but if you create a lock file while using a custom registry packages will be installed from that registry even after you change to another registry.
.SS "Does npm send any information about me back to the registry?"
.P
Yes.
.P
When making requests of the registry npm adds two headers with information about your environment:
.RS 0
.IP \(bu 4
\fBNpm-Scope\fR \[en] If your project is scoped, this header will contain its scope. In the future npm hopes to build registry features that use this information to allow you to customize your experience for your organization.
.IP \(bu 4
\fBNpm-In-CI\fR \[en] Set to "true" if npm believes this install is running in a continuous integration environment, "false" otherwise. This is detected by looking for the following environment variables: \fBCI\fR, \fBTDDIUM\fR, \fBJENKINS_URL\fR, \fBbamboo.buildKey\fR. If you'd like to learn more you may find the \fBoriginal PR\fR \fI\(lahttps://github.com/npm/npm-registry-client/pull/129\(ra\fR interesting. This is used to gather better metrics on how npm is used by humans, versus build farms.
.RE 0

.P
The npm registry does not try to correlate the information in these headers with any authenticated accounts that may be used in the same requests.
.SS "How can I prevent my package from being published in the official registry?"
.P
Set \fB"private": true\fR in your \fBpackage.json\fR to prevent it from being published at all, or \fB"publishConfig":{"registry":"http://my-internal-registry.local"}\fR to force it to be published only to your internal/private registry.
.P
See \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json\(ra\fR for more info on what goes in the package.json file.
.SS "Where can I find my (and others') published packages?"
.P
\fI\(lahttps://www.npmjs.com/\(ra\fR
.SS "See also"
.RS 0
.IP \(bu 4
npm help config
.IP \(bu 4
npm help config
.IP \(bu 4
npm help npmrc
.IP \(bu 4
npm help developers
.RE 0
workspaces.7000064400000014736151701453040007030 0ustar00.TH "WORKSPACES" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBworkspaces\fR - Working with workspaces
.SS "Description"
.P
\fBWorkspaces\fR is a generic term that refers to the set of features in the npm cli that provides support for managing multiple packages from your local file system from within a singular top-level, root package.
.P
This set of features makes up for a much more streamlined workflow handling linked packages from the local file system. It automates the linking process as part of \fBnpm install\fR and removes the need to manually use \fBnpm link\fR in order to add references to packages that should be symlinked into the current \fBnode_modules\fR folder.
.P
We also refer to these packages being auto-symlinked during \fBnpm install\fR as a single \fBworkspace\fR, meaning it's a nested package within the current local file system that is explicitly defined in the \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json#workspaces\(ra\fR \fBworkspaces\fR configuration.
.SS "Defining workspaces"
.P
Workspaces are usually defined via the \fBworkspaces\fR property of the \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json#workspaces\(ra\fR file, e.g:
.P
.RS 2
.nf
{
  "name": "my-workspaces-powered-project",
  "workspaces": \[lB]
    "packages/a"
  \[rB]
}
.fi
.RE
.P
Given the above \fBpackage.json\fR example living at a current working directory \fB.\fR that contains a folder named \fBpackages/a\fR that itself contains a \fBpackage.json\fR inside it, defining a Node.js package, e.g:
.P
.RS 2
.nf
.
+-- package.json
`-- packages
   +-- a
   |   `-- package.json
.fi
.RE
.P
The expected result once running \fBnpm install\fR in this current working directory \fB.\fR is that the folder \fBpackages/a\fR will get symlinked to the \fBnode_modules\fR folder of the current working dir.
.P
Below is a post \fBnpm install\fR example, given that same previous example structure of files and folders:
.P
.RS 2
.nf
.
+-- node_modules
|  `-- a -> ../packages/a
+-- package-lock.json
+-- package.json
`-- packages
   +-- a
   |   `-- package.json
.fi
.RE
.SS "Getting started with workspaces"
.P
You may automate the required steps to define a new workspace using npm help init. For example in a project that already has a \fBpackage.json\fR defined you can run:
.P
.RS 2
.nf
npm init -w ./packages/a
.fi
.RE
.P
This command will create the missing folders and a new \fBpackage.json\fR file (if needed) while also making sure to properly configure the \fB"workspaces"\fR property of your root project \fBpackage.json\fR.
.SS "Adding dependencies to a workspace"
.P
It's possible to directly add/remove/update dependencies of your workspaces using the \fB\fBworkspace\fR config\fR \fI\(la/using-npm/config#workspace\(ra\fR.
.P
For example, assuming the following structure:
.P
.RS 2
.nf
.
+-- package.json
`-- packages
   +-- a
   |   `-- package.json
   `-- b
       `-- package.json
.fi
.RE
.P
If you want to add a dependency named \fBabbrev\fR from the registry as a dependency of your workspace \fBa\fR, you may use the workspace config to tell the npm installer that package should be added as a dependency of the provided workspace:
.P
.RS 2
.nf
npm install abbrev -w a
.fi
.RE
.P
Note: other installing commands such as \fBuninstall\fR, \fBci\fR, etc will also respect the provided \fBworkspace\fR configuration.
.SS "Using workspaces"
.P
Given the \fBspecifics of how Node.js handles module resolution\fR \fI\(lahttps://nodejs.org/dist/latest-v14.x/docs/api/modules.html#modules_all_together\(ra\fR it's possible to consume any defined workspace by its declared \fBpackage.json\fR \fBname\fR. Continuing from the example defined above, let's also create a Node.js script that will require the workspace \fBa\fR example module, e.g:
.P
.RS 2
.nf
// ./packages/a/index.js
module.exports = 'a'

// ./lib/index.js
const moduleA = require('a')
console.log(moduleA) // -> a
.fi
.RE
.P
When running it with:
.P
\fBnode lib/index.js\fR
.P
This demonstrates how the nature of \fBnode_modules\fR resolution allows for \fBworkspaces\fR to enable a portable workflow for requiring each \fBworkspace\fR in such a way that is also easy to npm help publish these nested workspaces to be consumed elsewhere.
.SS "Running commands in the context of workspaces"
.P
You can use the \fBworkspace\fR configuration option to run commands in the context of a configured workspace. Additionally, if your current directory is in a workspace, the \fBworkspace\fR configuration is implicitly set, and \fBprefix\fR is set to the root workspace.
.P
Following is a quick example on how to use the \fBnpm run\fR command in the context of nested workspaces. For a project containing multiple workspaces, e.g:
.P
.RS 2
.nf
.
+-- package.json
`-- packages
   +-- a
   |   `-- package.json
   `-- b
       `-- package.json
.fi
.RE
.P
By running a command using the \fBworkspace\fR option, it's possible to run the given command in the context of that specific workspace. e.g:
.P
.RS 2
.nf
npm run test --workspace=a
.fi
.RE
.P
You could also run the command within the workspace.
.P
.RS 2
.nf
cd packages/a && npm run test
.fi
.RE
.P
Either will run the \fBtest\fR script defined within the \fB./packages/a/package.json\fR file.
.P
Please note that you can also specify this argument multiple times in the command-line in order to target multiple workspaces, e.g:
.P
.RS 2
.nf
npm run test --workspace=a --workspace=b
.fi
.RE
.P
Or run the command for each workspace within the 'packages' folder:
.P
.RS 2
.nf
npm run test --workspace=packages
.fi
.RE
.P
It's also possible to use the \fBworkspaces\fR (plural) configuration option to enable the same behavior but running that command in the context of \fBall\fR configured workspaces. e.g:
.P
.RS 2
.nf
npm run test --workspaces
.fi
.RE
.P
Will run the \fBtest\fR script in both \fB./packages/a\fR and \fB./packages/b\fR.
.P
Commands will be run in each workspace in the order they appear in your \fBpackage.json\fR
.P
.RS 2
.nf
{
  "workspaces": \[lB] "packages/a", "packages/b" \[rB]
}
.fi
.RE
.P
Order of run is different with:
.P
.RS 2
.nf
{
  "workspaces": \[lB] "packages/b", "packages/a" \[rB]
}
.fi
.RE
.SS "Ignoring missing scripts"
.P
It is not required for all of the workspaces to implement scripts run with the \fBnpm run\fR command.
.P
By running the command with the \fB--if-present\fR flag, npm will ignore workspaces missing target script.
.P
.RS 2
.nf
npm run test --workspaces --if-present
.fi
.RE
.SS "See also"
.RS 0
.IP \(bu 4
npm help install
.IP \(bu 4
npm help publish
.IP \(bu 4
npm help run-script
.IP \(bu 4
npm help config
.RE 0
scope.7000064400000012441151701453040005747 0ustar00.TH "SCOPE" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBscope\fR - Scoped packages
.SS "Description"
.P
All npm packages have a name. Some package names also have a scope. A scope follows the usual rules for package names (URL-safe characters, no leading dots or underscores). When used in package names, scopes are preceded by an \fB@\fR symbol and followed by a slash, e.g.
.P
.RS 2
.nf
@somescope/somepackagename
.fi
.RE
.P
Scopes are a way of grouping related packages together, and also affect a few things about the way npm treats the package.
.P
Each npm user/organization has their own scope, and only you can add packages in your scope. This means you don't have to worry about someone taking your package name ahead of you. Thus it is also a good way to signal official packages for organizations.
.P
Scoped packages can be published and installed as of \fBnpm@2\fR and are supported by the primary npm registry. Unscoped packages can depend on scoped packages and vice versa. The npm client is backwards-compatible with unscoped registries, so it can be used to work with scoped and unscoped registries at the same time.
.SS "Installing scoped packages"
.P
Scoped packages are installed to a sub-folder of the regular installation folder, e.g. if your other packages are installed in \fBnode_modules/packagename\fR, scoped modules will be installed in \fBnode_modules/@myorg/packagename\fR. The scope folder (\fB@myorg\fR) is simply the name of the scope preceded by an \fB@\fR symbol, and can contain any number of scoped packages.
.P
A scoped package is installed by referencing it by name, preceded by an \fB@\fR symbol, in \fBnpm install\fR:
.P
.RS 2
.nf
npm install @myorg/mypackage
.fi
.RE
.P
Or in \fBpackage.json\fR:
.P
.RS 2
.nf
"dependencies": {
  "@myorg/mypackage": "^1.3.0"
}
.fi
.RE
.P
Note that if the \fB@\fR symbol is omitted, in either case, npm will instead attempt to install from GitHub; see npm help install.
.SS "Requiring scoped packages"
.P
Because scoped packages are installed into a scope folder, you have to include the name of the scope when requiring them in your code, e.g.
.P
.RS 2
.nf
require('@myorg/mypackage')
.fi
.RE
.P
There is nothing special about the way Node treats scope folders. This simply requires the \fBmypackage\fR module in the folder named \fB@myorg\fR.
.SS "Publishing scoped packages"
.P
Scoped packages can be published from the CLI as of \fBnpm@2\fR and can be published to any registry that supports them, including the primary npm registry.
.P
(As of 2015-04-19, and with npm 2.0 or better, the primary npm registry \fBdoes\fR support scoped packages.)
.P
If you wish, you may associate a scope with a registry; see below.
.SS "Publishing public scoped packages to the primary npm registry"
.P
Publishing to a scope, you have two options:
.RS 0
.IP \(bu 4
Publishing to your user scope (example: \fB@username/module\fR)
.IP \(bu 4
Publishing to an organization scope (example: \fB@org/module\fR)
.RE 0

.P
If publishing a public module to an organization scope, you must first either create an organization with the name of the scope that you'd like to publish to or be added to an existing organization with the appropriate permissions. For example, if you'd like to publish to \fB@org\fR, you would need to create the \fBorg\fR organization on npmjs.com prior to trying to publish.
.P
Scoped packages are not public by default. You will need to specify \fB--access public\fR with the initial \fBnpm publish\fR command. This will publish the package and set access to \fBpublic\fR as if you had run \fBnpm access public\fR after publishing. You do not need to do this when publishing new versions of an existing scoped package.
.SS "Publishing private scoped packages to the npm registry"
.P
To publish a private scoped package to the npm registry, you must have an \fBnpm Private Modules\fR \fI\(lahttps://docs.npmjs.com/private-modules/intro\(ra\fR account.
.P
You can then publish the module with \fBnpm publish\fR or \fBnpm publish
--access restricted\fR, and it will be present in the npm registry, with restricted access. You can then change the access permissions, if desired, with \fBnpm access\fR or on the npmjs.com website.
.SS "Associating a scope with a registry"
.P
Scopes can be associated with a separate registry. This allows you to seamlessly use a mix of packages from the primary npm registry and one or more private registries, such as \fBGitHub Packages\fR \fI\(lahttps://github.com/features/packages\(ra\fR or the open source \fBVerdaccio\fR \fI\(lahttps://verdaccio.org\(ra\fR project.
.P
You can associate a scope with a registry at login, e.g.
.P
.RS 2
.nf
npm login --registry=http://reg.example.com --scope=@myco
.fi
.RE
.P
Scopes have a many-to-one relationship with registries: one registry can host multiple scopes, but a scope only ever points to one registry.
.P
You can also associate a scope with a registry using \fBnpm config\fR:
.P
.RS 2
.nf
npm config set @myco:registry=http://reg.example.com
.fi
.RE
.P
Once a scope is associated with a registry, any \fBnpm install\fR for a package with that scope will request packages from that registry instead. Any \fBnpm publish\fR for a package name that contains the scope will be published to that registry instead.
.SS "See also"
.RS 0
.IP \(bu 4
npm help install
.IP \(bu 4
npm help publish
.IP \(bu 4
npm help access
.IP \(bu 4
npm help registry
.RE 0
package-spec.7000064400000006760151701453040007170 0ustar00.TH "PACKAGE-SPEC" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBpackage-spec\fR - Package name specifier
.SS "Description"
.P
Commands like \fBnpm install\fR and the dependency sections in the \fBpackage.json\fR use a package name specifier. This can be many different things that all refer to a "package". Examples include a package name, git url, tarball, or local directory. These will generally be referred to as \fB<package-spec>\fR in the help output for the npm commands that use this package name specifier.
.SS "Package name"
.RS 0
.IP \(bu 4
\fB\[lB]<@scope>/\[rB]<pkg>\fR
.IP \(bu 4
\fB\[lB]<@scope>/\[rB]<pkg>@<tag>\fR
.IP \(bu 4
\fB\[lB]<@scope>/\[rB]<pkg>@<version>\fR
.IP \(bu 4
\fB\[lB]<@scope>/\[rB]<pkg>@<version range>\fR
.RE 0

.P
Refers to a package by name, with or without a scope, and optionally tag, version, or version range. This is typically used in combination with the \fBregistry\fR \fI\(la/using-npm/config#registry\(ra\fR config to refer to a package in a registry.
.P
Examples:
.RS 0
.IP \(bu 4
\fBnpm\fR
.IP \(bu 4
\fB@npmcli/arborist\fR
.IP \(bu 4
\fB@npmcli/arborist@latest\fR
.IP \(bu 4
\fBnpm@6.13.1\fR
.IP \(bu 4
\fBnpm@^4.0.0\fR
.RE 0

.SS "Aliases"
.RS 0
.IP \(bu 4
\fB<alias>@npm:<name>\fR
.RE 0

.P
Primarily used by commands like \fBnpm install\fR and in the dependency sections in the \fBpackage.json\fR, this refers to a package by an alias. The \fB<alias>\fR is the name of the package as it is reified in the \fBnode_modules\fR folder, and the \fB<name>\fR refers to a package name as found in the configured registry.
.P
See \fBPackage name\fR above for more info on referring to a package by name, and \fBregistry\fR \fI\(la/using-npm/config#registry\(ra\fR for configuring which registry is used when referring to a package by name.
.P
Examples:
.RS 0
.IP \(bu 4
\fBsemver:@npm:@npmcli/semver-with-patch\fR
.IP \(bu 4
\fBsemver:@npm:semver@7.2.2\fR
.IP \(bu 4
\fBsemver:@npm:semver@legacy\fR
.RE 0

.SS "Folders"
.RS 0
.IP \(bu 4
\fB<folder>\fR
.RE 0

.P
This refers to a package on the local filesystem. Specifically this is a folder with a \fBpackage.json\fR file in it. This \fIshould\fR always be prefixed with a \fB/\fR or \fB./\fR (or your OS equivalent) to reduce confusion. npm currently will parse a string with more than one \fB/\fR in it as a folder, but this is legacy behavior that may be removed in a future version.
.P
Examples:
.RS 0
.IP \(bu 4
\fB./my-package\fR
.IP \(bu 4
\fB/opt/npm/my-package\fR
.RE 0

.SS "Tarballs"
.RS 0
.IP \(bu 4
\fB<tarball file>\fR
.IP \(bu 4
\fB<tarball url>\fR
.RE 0

.P
Examples:
.RS 0
.IP \(bu 4
\fB./my-package.tgz\fR
.IP \(bu 4
\fBhttps://registry.npmjs.org/semver/-/semver-1.0.0.tgz\fR
.RE 0

.P
Refers to a package in a tarball format, either on the local filesystem or remotely via url. This is the format that packages exist in when uploaded to a registry.
.SS "git urls"
.RS 0
.IP \(bu 4
\fB<git:// url>\fR
.IP \(bu 4
\fB<github username>/<github project>\fR
.RE 0

.P
Refers to a package in a git repo. This can be a full git url, git shorthand, or a username/package on GitHub. You can specify a git tag, branch, or other git ref by appending \fB#ref\fR.
.P
Examples:
.RS 0
.IP \(bu 4
\fBhttps://github.com/npm/cli.git\fR
.IP \(bu 4
\fBgit@github.com:npm/cli.git\fR
.IP \(bu 4
\fBgit+ssh://git@github.com/npm/cli#v6.0.0\fR
.IP \(bu 4
\fBgithub:npm/cli#HEAD\fR
.IP \(bu 4
\fBnpm/cli#c12ea07\fR
.RE 0

.SS "See also"
.RS 0
.IP \(bu 4
\fBnpm-package-arg\fR \fI\(lahttps://npm.im/npm-package-arg\(ra\fR
.IP \(bu 4
npm help scope
.IP \(bu 4
npm help config
.RE 0
dependency-selectors.7000064400000034041151701453040010755 0ustar00.TH "QUERYING" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBQuerying\fR - Dependency Selector Syntax & Querying
.SS "Description"
.P
The npm help query command exposes a new dependency selector syntax (informed by & respecting many aspects of the \fBCSS Selectors 4 Spec\fR \fI\(lahttps://dev.w3.org/csswg/selectors4/#relational\(ra\fR) which:
.RS 0
.IP \(bu 4
Standardizes the shape of, & querying of, dependency graphs with a robust object model, metadata & selector syntax
.IP \(bu 4
Leverages existing, known language syntax & operators from CSS to make disparate package information broadly accessible
.IP \(bu 4
Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships & associative metadata
.IP \(bu 4
Consolidates redundant logic of similar query commands in \fBnpm\fR (ex. \fBnpm fund\fR, \fBnpm ls\fR, \fBnpm outdated\fR, \fBnpm audit\fR ...)
.RE 0

.SS "Dependency Selector Syntax"
.SS "Overview:"
.RS 0
.IP \(bu 4
there is no "type" or "tag" selectors (ex. \fBdiv, h1, a\fR) as a dependency/target is the only type of \fBNode\fR that can be queried
.IP \(bu 4
the term "dependencies" is in reference to any \fBNode\fR found in a \fBtree\fR returned by \fBArborist\fR
.RE 0

.SS "Combinators"
.RS 0
.IP \(bu 4
\fB>\fR direct descendant/child
.IP \(bu 4
\fB \fR any descendant/child
.IP \(bu 4
\fB~\fR sibling
.RE 0

.SS "Selectors"
.RS 0
.IP \(bu 4
\fB*\fR universal selector
.IP \(bu 4
\fB#<name>\fR dependency selector (equivalent to \fB\[lB]name="..."\[rB]\fR)
.IP \(bu 4
\fB#<name>@<version>\fR (equivalent to \fB\[lB]name=<name>\[rB]:semver(<version>)\fR)
.IP \(bu 4
\fB,\fR selector list delimiter
.IP \(bu 4
\fB.\fR dependency type selector
.IP \(bu 4
\fB:\fR pseudo selector
.RE 0

.SS "Dependency Type Selectors"
.RS 0
.IP \(bu 4
\fB.prod\fR dependency found in the \fBdependencies\fR section of \fBpackage.json\fR, or is a child of said dependency
.IP \(bu 4
\fB.dev\fR dependency found in the \fBdevDependencies\fR section of \fBpackage.json\fR, or is a child of said dependency
.IP \(bu 4
\fB.optional\fR dependency found in the \fBoptionalDependencies\fR section of \fBpackage.json\fR, or has \fB"optional": true\fR set in its entry in the \fBpeerDependenciesMeta\fR section of \fBpackage.json\fR, or a child of said dependency
.IP \(bu 4
\fB.peer\fR dependency found in the \fBpeerDependencies\fR section of \fBpackage.json\fR
.IP \(bu 4
\fB.workspace\fR dependency found in the \fB\fBworkspaces\fR\fR \fI\(lahttps://docs.npmjs.com/cli/v8/using-npm/workspaces\(ra\fR section of \fBpackage.json\fR
.IP \(bu 4
\fB.bundled\fR dependency found in the \fBbundleDependencies\fR section of \fBpackage.json\fR, or is a child of said dependency
.RE 0

.SS "Pseudo Selectors"
.RS 0
.IP \(bu 4
\fB\fB:not(<selector>)\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:not\(ra\fR
.IP \(bu 4
\fB\fB:has(<selector>)\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:has\(ra\fR
.IP \(bu 4
\fB\fB:is(<selector list>)\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:is\(ra\fR
.IP \(bu 4
\fB\fB:root\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:root\(ra\fR matches the root node/dependency
.IP \(bu 4
\fB\fB:scope\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:scope\(ra\fR matches node/dependency it was queried against
.IP \(bu 4
\fB\fB:empty\fR\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/:empty\(ra\fR when a dependency has no dependencies
.IP \(bu 4
\fB\fB:private\fR\fR \fI\(lahttps://docs.npmjs.com/cli/v8/configuring-npm/package-json#private\(ra\fR when a dependency is private
.IP \(bu 4
\fB:link\fR when a dependency is linked (for instance, workspaces or packages manually \fB\fBlinked\fR\fR \fI\(lahttps://docs.npmjs.com/cli/v8/commands/npm-link\(ra\fR
.IP \(bu 4
\fB:deduped\fR when a dependency has been deduped (note that this does \fInot\fR always mean the dependency has been hoisted to the root of node_modules)
.IP \(bu 4
\fB:overridden\fR when a dependency has been overridden
.IP \(bu 4
\fB:extraneous\fR when a dependency exists but is not defined as a dependency of any node
.IP \(bu 4
\fB:invalid\fR when a dependency version is out of its ancestors specified range
.IP \(bu 4
\fB:missing\fR when a dependency is not found on disk
.IP \(bu 4
\fB:semver(<spec>, \[lB]selector\[rB], \[lB]function\[rB])\fR match a valid \fB\fBnode-semver\fR\fR \fI\(lahttps://github.com/npm/node-semver\(ra\fR version or range to a selector
.IP \(bu 4
\fB:path(<path>)\fR \fBglob\fR \fI\(lahttps://www.npmjs.com/package/glob\(ra\fR matching based on dependencies path relative to the project
.IP \(bu 4
\fB:type(<type>)\fR \fBbased on currently recognized types\fR \fI\(lahttps://github.com/npm/npm-package-arg#result-object\(ra\fR
.IP \(bu 4
\fB:outdated(<type>)\fR when a dependency is outdated
.IP \(bu 4
\fB:vuln(<selector>)\fR when a dependency has a known vulnerability
.RE 0

.SS "\fB:semver(<spec>, \[lB]selector\[rB], \[lB]function\[rB])\fR"
.P
The \fB:semver()\fR pseudo selector allows comparing fields from each node's \fBpackage.json\fR using \fBsemver\fR \fI\(lahttps://github.com/npm/node-semver#readme\(ra\fR methods. It accepts up to 3 parameters, all but the first of which are optional.
.RS 0
.IP \(bu 4
\fBspec\fR a semver version or range
.IP \(bu 4
\fBselector\fR an attribute selector for each node (default \fB\[lB]version\[rB]\fR)
.IP \(bu 4
\fBfunction\fR a semver method to apply, one of: \fBsatisfies\fR, \fBintersects\fR, \fBsubset\fR, \fBgt\fR, \fBgte\fR, \fBgtr\fR, \fBlt\fR, \fBlte\fR, \fBltr\fR, \fBeq\fR, \fBneq\fR or the special function \fBinfer\fR (default \fBinfer\fR)
.RE 0

.P
When the special \fBinfer\fR function is used the \fBspec\fR and the actual value from the node are compared. If both are versions, according to \fBsemver.valid()\fR, \fBeq\fR is used. If both values are ranges, according to \fB!semver.valid()\fR, \fBintersects\fR is used. If the values are mixed types \fBsatisfies\fR is used.
.P
Some examples:
.RS 0
.IP \(bu 4
\fB:semver(^1.0.0)\fR returns every node that has a \fBversion\fR satisfied by the provided range \fB^1.0.0\fR
.IP \(bu 4
\fB:semver(16.0.0, :attr(engines, \[lB]node\[rB]))\fR returns every node which has an \fBengines.node\fR property satisfying the version \fB16.0.0\fR
.IP \(bu 4
\fB:semver(1.0.0, \[lB]version\[rB], lt)\fR every node with a \fBversion\fR less than \fB1.0.0\fR
.RE 0

.SS "\fB:outdated(<type>)\fR"
.P
The \fB:outdated\fR pseudo selector retrieves data from the registry and returns information about which of your dependencies are outdated. The type parameter may be one of the following:
.RS 0
.IP \(bu 4
\fBany\fR (default) a version exists that is greater than the current one
.IP \(bu 4
\fBin-range\fR a version exists that is greater than the current one, and satisfies at least one if its parent's dependencies
.IP \(bu 4
\fBout-of-range\fR a version exists that is greater than the current one, does not satisfy at least one of its parent's dependencies
.IP \(bu 4
\fBmajor\fR a version exists that is a semver major greater than the current one
.IP \(bu 4
\fBminor\fR a version exists that is a semver minor greater than the current one
.IP \(bu 4
\fBpatch\fR a version exists that is a semver patch greater than the current one
.RE 0

.P
In addition to the filtering performed by the pseudo selector, some extra data is added to the resulting objects. The following data can be found under the \fBqueryContext\fR property of each node.
.RS 0
.IP \(bu 4
\fBversions\fR an array of every available version of the given node
.IP \(bu 4
\fBoutdated.inRange\fR an array of objects, each with a \fBfrom\fR and \fBversions\fR, where \fBfrom\fR is the on-disk location of the node that depends on the current node and \fBversions\fR is an array of all available versions that satisfies that dependency. This is only populated if \fB:outdated(in-range)\fR is used.
.IP \(bu 4
\fBoutdated.outOfRange\fR an array of objects, identical in shape to \fBinRange\fR, but where the \fBversions\fR array is every available version that does not satisfy the dependency. This is only populated if \fB:outdated(out-of-range)\fR is used.
.RE 0

.P
Some examples:
.RS 0
.IP \(bu 4
\fB:root > :outdated(major)\fR returns every direct dependency that has a new semver major release
.IP \(bu 4
\fB.prod:outdated(in-range)\fR returns production dependencies that have a new release that satisfies at least one of its parent's dependencies
.RE 0

.SS "\fB:vuln\fR"
.P
The \fB:vuln\fR pseudo selector retrieves data from the registry and returns information about which if your dependencies has a known vulnerability. Only dependencies whose current version matches a vulnerability will be returned. For example if you have \fBsemver@7.6.0\fR in your tree, a vulnerability for \fBsemver\fR which affects versions \fB<=6.3.1\fR will not match.
.P
You can also filter results by certain attributes in advisories. Currently that includes \fBseverity\fR and \fBcwe\fR. Note that severity filtering is done per severity, it does not include severities "higher" or "lower" than the one specified.
.P
In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the \fBqueryContext\fR attribute of each node under the \fBadvisories\fR attribute.
.P
Some examples:
.RS 0
.IP \(bu 4
\fB:root > .prod:vuln\fR returns direct production dependencies with any known vulnerability
.IP \(bu 4
\fB:vuln(\[lB]severity=high\[rB])\fR returns only dependencies with a vulnerability with a \fBhigh\fR severity.
.IP \(bu 4
\fB:vuln(\[lB]severity=high\[rB],\[lB]severity=moderate\[rB])\fR returns only dependencies with a vulnerability with a \fBhigh\fR or \fBmoderate\fR severity.
.IP \(bu 4
\fB:vuln(\[lB]cwe=1333\[rB])\fR returns only dependencies with a vulnerability that includes CWE-1333 (ReDoS)
.RE 0

.SS "\fBAttribute Selectors\fR \fI\(lahttps://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors\(ra\fR"
.P
The attribute selector evaluates the key/value pairs in \fBpackage.json\fR if they are \fBString\fRs.
.RS 0
.IP \(bu 4
\fB\[lB]\[rB]\fR attribute selector (ie. existence of attribute)
.IP \(bu 4
\fB\[lB]attribute=value\[rB]\fR attribute value is equivalent...
.IP \(bu 4
\fB\[lB]attribute~=value\[rB]\fR attribute value contains word...
.IP \(bu 4
\fB\[lB]attribute*=value\[rB]\fR attribute value contains string...
.IP \(bu 4
\fB\[lB]attribute|=value\[rB]\fR attribute value is equal to or starts with...
.IP \(bu 4
\fB\[lB]attribute^=value\[rB]\fR attribute value starts with...
.IP \(bu 4
\fB\[lB]attribute$=value\[rB]\fR attribute value ends with...
.RE 0

.SS "\fBArray\fR & \fBObject\fR Attribute Selectors"
.P
The generic \fB:attr()\fR pseudo selector standardizes a pattern which can be used for attribute selection of \fBObject\fRs, \fBArray\fRs or \fBArrays\fR of \fBObject\fRs accessible via \fBArborist\fR's \fBNode.package\fR metadata. This allows for iterative attribute selection beyond top-level \fBString\fR evaluation. The last argument passed to \fB:attr()\fR must be an \fBattribute\fR selector or a nested \fB:attr()\fR. See examples below:
.SS "\fBObjects\fR"
.P
.RS 2
.nf
/* return dependencies that have a `scripts.test` containing `"tap"` */
*:attr(scripts, \[lB]test~=tap\[rB])
.fi
.RE
.SS "Nested \fBObjects\fR"
.P
Nested objects are expressed as sequential arguments to \fB:attr()\fR.
.P
.RS 2
.nf
/* return dependencies that have a testling config for opera browsers */
*:attr(testling, browsers, \[lB]~=opera\[rB])
.fi
.RE
.SS "\fBArrays\fR"
.P
\fBArray\fRs specifically uses a special/reserved \fB.\fR character in place of a typical attribute name. \fBArrays\fR also support exact \fBvalue\fR matching when a \fBString\fR is passed to the selector.
.SS "Example of an \fBArray\fR Attribute Selection:"
.P
.RS 2
.nf
/* removes the distinction between properties & arrays */
/* ie. we'd have to check the property & iterate to match selection */
*:attr(\[lB]keywords^=react\[rB])
*:attr(contributors, :attr(\[lB]name~=Jordan\[rB]))
.fi
.RE
.SS "Example of an \fBArray\fR matching directly to a value:"
.P
.RS 2
.nf
/* return dependencies that have the exact keyword "react" */
/* this is equivalent to `*:keywords(\[lB]value="react"\[rB])` */
*:attr(\[lB]keywords=react\[rB])
.fi
.RE
.SS "Example of an \fBArray\fR of \fBObject\fRs:"
.P
.RS 2
.nf
/* returns */
*:attr(contributors, \[lB]email=ruyadorno@github.com\[rB])
.fi
.RE
.SS "Groups"
.P
Dependency groups are defined by the package relationships to their ancestors (ie. the dependency types that are defined in \fBpackage.json\fR). This approach is user-centric as the ecosystem has been taught to think about dependencies in these groups first-and-foremost. Dependencies are allowed to be included in multiple groups (ex. a \fBprod\fR dependency may also be a \fBdev\fR dependency (in that it's also required by another \fBdev\fR dependency) & may also be \fBbundled\fR - a selector for that type of dependency would look like: \fB*.prod.dev.bundled\fR).
.RS 0
.IP \(bu 4
\fB.prod\fR
.IP \(bu 4
\fB.dev\fR
.IP \(bu 4
\fB.optional\fR
.IP \(bu 4
\fB.peer\fR
.IP \(bu 4
\fB.bundled\fR
.IP \(bu 4
\fB.workspace\fR
.RE 0

.P
Please note that currently \fBworkspace\fR deps are always \fBprod\fR dependencies. Additionally the \fB.root\fR dependency is also considered a \fBprod\fR dependency.
.SS "Programmatic Usage"
.RS 0
.IP \(bu 4
\fBArborist\fR's \fBNode\fR Class has a \fB.querySelectorAll()\fR method
.RS 4
.IP \(bu 4
this method will return a filtered, flattened dependency Arborist \fBNode\fR list based on a valid query selector
.RE 0

.RE 0

.P
.RS 2
.nf
const Arborist = require('@npmcli/arborist')
const arb = new Arborist({})
.fi
.RE
.P
.RS 2
.nf
// root-level
arb.loadActual().then(async (tree) => {
  // query all production dependencies
  const results = await tree.querySelectorAll('.prod')
  console.log(results)
})
.fi
.RE
.P
.RS 2
.nf
// iterative
arb.loadActual().then(async (tree) => {
  // query for the deduped version of react
  const results = await tree.querySelectorAll('#react:not(:deduped)')
  // query the deduped react for git deps
  const deps = await results\[lB]0\[rB].querySelectorAll(':type(git)')
  console.log(deps)
})
.fi
.RE
.SH "SEE ALSO"
.RS 0
.IP \(bu 4
npm help query
.IP \(bu 4
\fB@npmcli/arborist\fR \fI\(lahttps://npm.im/@npmcli/arborist\(ra\fR
.RE 0
scripts.7000064400000033006151701453040006325 0ustar00.TH "SCRIPTS" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBscripts\fR - How npm handles the "scripts" field
.SS "Description"
.P
The \fB"scripts"\fR property of your \fBpackage.json\fR file supports a number of built-in scripts and their preset life cycle events as well as arbitrary scripts. These all can be executed by running \fBnpm run-script <stage>\fR or \fBnpm run <stage>\fR for short. \fIPre\fR and \fIpost\fR commands with matching names will be run for those as well (e.g. \fBpremyscript\fR, \fBmyscript\fR, \fBpostmyscript\fR). Scripts from dependencies can be run with \fBnpm explore <pkg> -- npm run <stage>\fR.
.SS "Pre & Post Scripts"
.P
To create "pre" or "post" scripts for any scripts defined in the \fB"scripts"\fR section of the \fBpackage.json\fR, simply create another script \fIwith a matching name\fR and add "pre" or "post" to the beginning of them.
.P
.RS 2
.nf
{
  "scripts": {
    "precompress": "{{ executes BEFORE the `compress` script }}",
    "compress": "{{ run command to compress files }}",
    "postcompress": "{{ executes AFTER `compress` script }}"
  }
}
.fi
.RE
.P
In this example \fBnpm run compress\fR would execute these scripts as described.
.SS "Life Cycle Scripts"
.P
There are some special life cycle scripts that happen only in certain situations. These scripts happen in addition to the \fBpre<event>\fR, \fBpost<event>\fR, and \fB<event>\fR scripts.
.RS 0
.IP \(bu 4
\fBprepare\fR, \fBprepublish\fR, \fBprepublishOnly\fR, \fBprepack\fR, \fBpostpack\fR, \fBdependencies\fR
.RE 0

.P
\fBprepare\fR (since \fBnpm@4.0.0\fR)
.RS 0
.IP \(bu 4
Runs BEFORE the package is packed, i.e. during \fBnpm publish\fR and \fBnpm pack\fR
.IP \(bu 4
Runs on local \fBnpm install\fR without any arguments
.IP \(bu 4
Runs AFTER \fBprepublish\fR, but BEFORE \fBprepublishOnly\fR
.IP \(bu 4
NOTE: If a package being installed through git contains a \fBprepare\fR script, its \fBdependencies\fR and \fBdevDependencies\fR will be installed, and the prepare script will be run, before the package is packaged and installed.
.IP \(bu 4
As of \fBnpm@7\fR these scripts run in the background. To see the output, run with: \fB--foreground-scripts\fR.
.RE 0

.P
\fBprepublish\fR (DEPRECATED)
.RS 0
.IP \(bu 4
Does not run during \fBnpm publish\fR, but does run during \fBnpm ci\fR and \fBnpm install\fR. See below for more info.
.RE 0

.P
\fBprepublishOnly\fR
.RS 0
.IP \(bu 4
Runs BEFORE the package is prepared and packed, ONLY on \fBnpm publish\fR.
.RE 0

.P
\fBprepack\fR
.RS 0
.IP \(bu 4
Runs BEFORE a tarball is packed (on "\fBnpm pack\fR", "\fBnpm publish\fR", and when installing a git dependency).
.IP \(bu 4
NOTE: "\fBnpm run pack\fR" is NOT the same as "\fBnpm pack\fR". "\fBnpm run pack\fR" is an arbitrary user defined script name, where as, "\fBnpm pack\fR" is a CLI defined command.
.RE 0

.P
\fBpostpack\fR
.RS 0
.IP \(bu 4
Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)
.RE 0

.P
\fBdependencies\fR
.RS 0
.IP \(bu 4
Runs AFTER any operations that modify the \fBnode_modules\fR directory IF changes occurred.
.IP \(bu 4
Does NOT run in global mode
.RE 0

.SS "Prepare and Prepublish"
.P
\fBDeprecation Note: prepublish\fR
.P
Since \fBnpm@1.1.71\fR, the npm CLI has run the \fBprepublish\fR script for both \fBnpm publish\fR and \fBnpm install\fR, because it's a convenient way to prepare a package for use (some common use cases are described in the section below). It has also turned out to be, in practice, \fBvery confusing\fR \fI\(lahttps://github.com/npm/npm/issues/10074\(ra\fR. As of \fBnpm@4.0.0\fR, a new event has been introduced, \fBprepare\fR, that preserves this existing behavior. A \fInew\fR event, \fBprepublishOnly\fR has been added as a transitional strategy to allow users to avoid the confusing behavior of existing npm versions and only run on \fBnpm publish\fR (for instance, running the tests one last time to ensure they're in good shape).
.P
See \fI\(lahttps://github.com/npm/npm/issues/10074\(ra\fR for a much lengthier justification, with further reading, for this change.
.P
\fBUse Cases\fR
.P
If you need to perform operations on your package before it is used, in a way that is not dependent on the operating system or architecture of the target system, use a \fBprepublish\fR script. This includes tasks such as:
.RS 0
.IP \(bu 4
Compiling CoffeeScript source code into JavaScript.
.IP \(bu 4
Creating minified versions of JavaScript source code.
.IP \(bu 4
Fetching remote resources that your package will use.
.RE 0

.P
The advantage of doing these things at \fBprepublish\fR time is that they can be done once, in a single place, thus reducing complexity and variability. Additionally, this means that:
.RS 0
.IP \(bu 4
You can depend on \fBcoffee-script\fR as a \fBdevDependency\fR, and thus your users don't need to have it installed.
.IP \(bu 4
You don't need to include minifiers in your package, reducing the size for your users.
.IP \(bu 4
You don't need to rely on your users having \fBcurl\fR or \fBwget\fR or other system tools on the target machines.
.RE 0

.SS "Dependencies"
.P
The \fBdependencies\fR script is run any time an \fBnpm\fR command causes changes to the \fBnode_modules\fR directory. It is run AFTER the changes have been applied and the \fBpackage.json\fR and \fBpackage-lock.json\fR files have been updated.
.SS "Life Cycle Operation Order"
.SS "npm help \"cache add\""
.RS 0
.IP \(bu 4
\fBprepare\fR
.RE 0

.SS "npm help ci"
.RS 0
.IP \(bu 4
\fBpreinstall\fR
.IP \(bu 4
\fBinstall\fR
.IP \(bu 4
\fBpostinstall\fR
.IP \(bu 4
\fBprepublish\fR
.IP \(bu 4
\fBpreprepare\fR
.IP \(bu 4
\fBprepare\fR
.IP \(bu 4
\fBpostprepare\fR
.RE 0

.P
These all run after the actual installation of modules into \fBnode_modules\fR, in order, with no internal actions happening in between
.SS "npm help diff"
.RS 0
.IP \(bu 4
\fBprepare\fR
.RE 0

.SS "npm help install"
.P
These also run when you run \fBnpm install -g <pkg-name>\fR
.RS 0
.IP \(bu 4
\fBpreinstall\fR
.IP \(bu 4
\fBinstall\fR
.IP \(bu 4
\fBpostinstall\fR
.IP \(bu 4
\fBprepublish\fR
.IP \(bu 4
\fBpreprepare\fR
.IP \(bu 4
\fBprepare\fR
.IP \(bu 4
\fBpostprepare\fR
.RE 0

.P
If there is a \fBbinding.gyp\fR file in the root of your package and you haven't defined your own \fBinstall\fR or \fBpreinstall\fR scripts, npm will default the \fBinstall\fR command to compile using node-gyp via \fBnode-gyp
rebuild\fR
.P
These are run from the scripts of \fB<pkg-name>\fR
.SS "npm help pack"
.RS 0
.IP \(bu 4
\fBprepack\fR
.IP \(bu 4
\fBprepare\fR
.IP \(bu 4
\fBpostpack\fR
.RE 0

.SS "npm help publish"
.RS 0
.IP \(bu 4
\fBprepublishOnly\fR
.IP \(bu 4
\fBprepack\fR
.IP \(bu 4
\fBprepare\fR
.IP \(bu 4
\fBpostpack\fR
.IP \(bu 4
\fBpublish\fR
.IP \(bu 4
\fBpostpublish\fR
.RE 0

.SS "npm help rebuild"
.RS 0
.IP \(bu 4
\fBpreinstall\fR
.IP \(bu 4
\fBinstall\fR
.IP \(bu 4
\fBpostinstall\fR
.IP \(bu 4
\fBprepare\fR
.RE 0

.P
\fBprepare\fR is only run if the current directory is a symlink (e.g. with linked packages)
.SS "npm help restart"
.P
If there is a \fBrestart\fR script defined, these events are run, otherwise \fBstop\fR and \fBstart\fR are both run if present, including their \fBpre\fR and \fBpost\fR iterations)
.RS 0
.IP \(bu 4
\fBprerestart\fR
.IP \(bu 4
\fBrestart\fR
.IP \(bu 4
\fBpostrestart\fR
.RE 0

.SS "\fB\fBnpm run <user defined>\fR\fR \fI\(la/commands/npm-run-script\(ra\fR"
.RS 0
.IP \(bu 4
\fBpre<user-defined>\fR
.IP \(bu 4
\fB<user-defined>\fR
.IP \(bu 4
\fBpost<user-defined>\fR
.RE 0

.SS "npm help start"
.RS 0
.IP \(bu 4
\fBprestart\fR
.IP \(bu 4
\fBstart\fR
.IP \(bu 4
\fBpoststart\fR
.RE 0

.P
If there is a \fBserver.js\fR file in the root of your package, then npm will default the \fBstart\fR command to \fBnode server.js\fR. \fBprestart\fR and \fBpoststart\fR will still run in this case.
.SS "npm help stop"
.RS 0
.IP \(bu 4
\fBprestop\fR
.IP \(bu 4
\fBstop\fR
.IP \(bu 4
\fBpoststop\fR
.RE 0

.SS "npm help test"
.RS 0
.IP \(bu 4
\fBpretest\fR
.IP \(bu 4
\fBtest\fR
.IP \(bu 4
\fBposttest\fR
.RE 0

.SS "npm help version"
.RS 0
.IP \(bu 4
\fBpreversion\fR
.IP \(bu 4
\fBversion\fR
.IP \(bu 4
\fBpostversion\fR
.RE 0

.SS "A Note on a lack of npm help uninstall scripts"
.P
While npm v6 had \fBuninstall\fR lifecycle scripts, npm v7 does not. Removal of a package can happen for a wide variety of reasons, and there's no clear way to currently give the script enough context to be useful.
.P
Reasons for a package removal include:
.RS 0
.IP \(bu 4
a user directly uninstalled this package
.IP \(bu 4
a user uninstalled a dependant package and so this dependency is being uninstalled
.IP \(bu 4
a user uninstalled a dependant package but another package also depends on this version
.IP \(bu 4
this version has been merged as a duplicate with another version
.IP \(bu 4
etc.
.RE 0

.P
Due to the lack of necessary context, \fBuninstall\fR lifecycle scripts are not implemented and will not function.
.SS "User"
.P
When npm is run as root, scripts are always run with the effective uid and gid of the working directory owner.
.SS "Environment"
.P
Package scripts run in an environment where many pieces of information are made available regarding the setup of npm and the current state of the process.
.SS "path"
.P
If you depend on modules that define executable scripts, like test suites, then those executables will be added to the \fBPATH\fR for executing the scripts. So, if your package.json has this:
.P
.RS 2
.nf
{
  "name" : "foo",
  "dependencies" : {
    "bar" : "0.1.x"
  },
  "scripts": {
    "start" : "bar ./test"
  }
}
.fi
.RE
.P
then you could run \fBnpm start\fR to execute the \fBbar\fR script, which is exported into the \fBnode_modules/.bin\fR directory on \fBnpm install\fR.
.SS "package.json vars"
.P
The package.json fields are tacked onto the \fBnpm_package_\fR prefix. So, for instance, if you had \fB{"name":"foo", "version":"1.2.5"}\fR in your package.json file, then your package scripts would have the \fBnpm_package_name\fR environment variable set to "foo", and the \fBnpm_package_version\fR set to "1.2.5". You can access these variables in your code with \fBprocess.env.npm_package_name\fR and \fBprocess.env.npm_package_version\fR, and so on for other fields.
.P
See \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json\(ra\fR for more on package configs.
.SS "current lifecycle event"
.P
Lastly, the \fBnpm_lifecycle_event\fR environment variable is set to whichever stage of the cycle is being executed. So, you could have a single script used for different parts of the process which switches based on what's currently happening.
.P
Objects are flattened following this format, so if you had \fB{"scripts":{"install":"foo.js"}}\fR in your package.json, then you'd see this in the script:
.P
.RS 2
.nf
process.env.npm_package_scripts_install === "foo.js"
.fi
.RE
.SS "Examples"
.P
For example, if your package.json contains this:
.P
.RS 2
.nf
{
  "scripts" : {
    "install" : "scripts/install.js",
    "postinstall" : "scripts/install.js"
  }
}
.fi
.RE
.P
then \fBscripts/install.js\fR will be called for the install and post-install stages of the lifecycle. Since \fBscripts/install.js\fR is running for two different phases, it would be wise in this case to look at the \fBnpm_lifecycle_event\fR environment variable.
.P
If you want to run a make command, you can do so. This works just fine:
.P
.RS 2
.nf
{
  "scripts" : {
    "preinstall" : "./configure",
    "install" : "make && make install",
    "test" : "make test"
  }
}
.fi
.RE
.SS "Exiting"
.P
Scripts are run by passing the line as a script argument to \fBsh\fR.
.P
If the script exits with a code other than 0, then this will abort the process.
.P
Note that these script files don't have to be Node.js or even JavaScript programs. They just have to be some kind of executable file.
.SS "Best Practices"
.RS 0
.IP \(bu 4
Don't exit with a non-zero error code unless you \fIreally\fR mean it. If the failure is minor or only will prevent some optional features, then it's better to just print a warning and exit successfully.
.IP \(bu 4
Try not to use scripts to do what npm can do for you. Read through \fB\fBpackage.json\fR\fR \fI\(la/configuring-npm/package-json\(ra\fR to see all the things that you can specify and enable by simply describing your package appropriately. In general, this will lead to a more robust and consistent state.
.IP \(bu 4
Inspect the env to determine where to put things. For instance, if the \fBnpm_config_binroot\fR environment variable is set to \fB/home/user/bin\fR, then don't try to install executables into \fB/usr/local/bin\fR. The user probably set it up that way for a reason.
.IP \(bu 4
Don't prefix your script commands with "sudo". If root permissions are required for some reason, then it'll fail with that error, and the user will sudo the npm command in question.
.IP \(bu 4
Don't use \fBinstall\fR. Use a \fB.gyp\fR file for compilation, and \fBprepare\fR for anything else. You should almost never have to explicitly set a preinstall or install script. If you are doing this, please consider if there is another option. The only valid use of \fBinstall\fR or \fBpreinstall\fR scripts is for compilation which must be done on the target architecture.
.IP \(bu 4
Scripts are run from the root of the package folder, regardless of what the current working directory is when \fBnpm\fR is invoked. If you want your script to use different behavior based on what subdirectory you're in, you can use the \fBINIT_CWD\fR environment variable, which holds the full path you were in when you ran \fBnpm run\fR.
.RE 0

.SS "See Also"
.RS 0
.IP \(bu 4
npm help run-script
.IP \(bu 4
\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR
.IP \(bu 4
npm help developers
.IP \(bu 4
npm help install
.RE 0
logging.7000064400000010513151701453040006262 0ustar00.TH "LOGGING" "7" "May 2024" "NPM@10.8.1" ""
.SH "NAME"
\fBLogging\fR - Why, What & How We Log
.SS "Description"
.P
The \fBnpm\fR CLI has various mechanisms for showing different levels of information back to end-users for certain commands, configurations & environments.
.SS "Setting Log File Location"
.P
All logs are written to a debug log, with the path to that file printed if the execution of a command fails.
.P
The default location of the logs directory is a directory named \fB_logs\fR inside the npm cache. This can be changed with the \fBlogs-dir\fR config option.
.P
For example, if you wanted to write all your logs to the current working directory, you could run: \fBnpm install --logs-dir=.\fR. This is especially helpful in debugging a specific \fBnpm\fR issue as you can run a command multiple times with different config values and then diff all the log files.
.P
Log files will be removed from the \fBlogs-dir\fR when the number of log files exceeds \fBlogs-max\fR, with the oldest logs being deleted first.
.P
To turn off logs completely set \fB--logs-max=0\fR.
.SS "Setting Log Levels"
.SS "\fBloglevel\fR"
.P
\fBloglevel\fR is a global argument/config that can be set to determine the type of information to be displayed.
.P
The default value of \fBloglevel\fR is \fB"notice"\fR but there are several levels/types of logs available, including:
.RS 0
.IP \(bu 4
\fB"silent"\fR
.IP \(bu 4
\fB"error"\fR
.IP \(bu 4
\fB"warn"\fR
.IP \(bu 4
\fB"notice"\fR
.IP \(bu 4
\fB"http"\fR
.IP \(bu 4
\fB"info"\fR
.IP \(bu 4
\fB"verbose"\fR
.IP \(bu 4
\fB"silly"\fR
.RE 0

.P
All logs pertaining to a level proceeding the current setting will be shown.
.SS "Aliases"
.P
The log levels listed above have various corresponding aliases, including:
.RS 0
.IP \(bu 4
\fB-d\fR: \fB--loglevel info\fR
.IP \(bu 4
\fB--dd\fR: \fB--loglevel verbose\fR
.IP \(bu 4
\fB--verbose\fR: \fB--loglevel verbose\fR
.IP \(bu 4
\fB--ddd\fR: \fB--loglevel silly\fR
.IP \(bu 4
\fB-q\fR: \fB--loglevel warn\fR
.IP \(bu 4
\fB--quiet\fR: \fB--loglevel warn\fR
.IP \(bu 4
\fB-s\fR: \fB--loglevel silent\fR
.IP \(bu 4
\fB--silent\fR: \fB--loglevel silent\fR
.RE 0

.SS "\fBforeground-scripts\fR"
.P
The \fBnpm\fR CLI began hiding the output of lifecycle scripts for \fBnpm install\fR as of \fBv7\fR. Notably, this means you will not see logs/output from packages that may be using "install scripts" to display information back to you or from your own project's scripts defined in \fBpackage.json\fR. If you'd like to change this behavior & log this output you can set \fBforeground-scripts\fR to \fBtrue\fR.
.SS "Timing Information"
.P
The \fB\fB--timing\fR config\fR \fI\(la/using-npm/config#timing\(ra\fR can be set which does a few things:
.RS 0
.IP 1. 4
Always shows the full path to the debug log regardless of command exit status
.IP 2. 4
Write timing information to a process specific timing file in the cache or \fBlogs-dir\fR
.IP 3. 4
Output timing information to the terminal
.RE 0

.P
This file contains a \fBtimers\fR object where the keys are an identifier for the portion of the process being timed and the value is the number of milliseconds it took to complete.
.P
Sometimes it is helpful to get timing information without outputting anything to the terminal. For example, the performance might be affected by writing to the terminal. In this case you can use \fB--timing --silent\fR which will still write the timing file, but not output anything to the terminal while running.
.SS "Registry Response Headers"
.SS "\fBnpm-notice\fR"
.P
The \fBnpm\fR CLI reads from & logs any \fBnpm-notice\fR headers that are returned from the configured registry. This mechanism can be used by third-party registries to provide useful information when network-dependent requests occur.
.P
This header is not cached, and will not be logged if the request is served from the cache.
.SS "Logs and Sensitive Information"
.P
The \fBnpm\fR CLI makes a best effort to redact the following from terminal output and log files:
.RS 0
.IP \(bu 4
Passwords inside basic auth URLs
.IP \(bu 4
npm tokens
.RE 0

.P
However, this behavior should not be relied on to keep all possible sensitive information redacted. If you are concerned about secrets in your log file or terminal output, you can use \fB--loglevel=silent\fR and \fB--logs-max=0\fR to ensure no logs are written to your terminal or filesystem.
.SS "See also"
.RS 0
.IP \(bu 4
npm help config
.RE 0

/home/emeraadmin/www/uploads/../node_modules/../node_modules/function-bind/../../4d695/man7.tar