What npm Actually Does (And Why It's Frustrating)

npm does three things: it stores packages in a giant registry, gives you CLI commands to download them, and creates package.json files to track the chaos.

The Three Parts That Make Your Life Complicated

The Registry: A massive database at npmjs.com with over 3.6 million packages. Most are useful, some are complete garbage, and a few mine Bitcoin in the background. Finding the right package is like searching for a needle in a haystack of abandoned repos from 2018.

The CLI Tool: Commands that come with Node.js. npm install downloads packages and their 47 dependencies. npm audit finds 23 "critical" vulnerabilities in your Hello World app. npm run executes scripts that someone else wrote and you're too afraid to read.

package.json: The file that controls everything and breaks constantly. One wrong character and your entire build pipeline dies. package-lock.json is supposed to make this deterministic, but somehow every team member gets different versions.

How Installations Go Wrong

npm comes with Node.js, which sounds convenient until you realize it installs globally and fights with your system permissions. On Mac/Linux, you'll spend your first day fixing permission errors. On Windows, it just doesn't work half the time.

Want the latest version? npm install -g npm@latest - but prepare for mysterious failures because your old version cached something wrong.

The node_modules Black Hole

npm creates a node_modules folder that starts small and grows like cancer. Install one package? Congratulations, you now have 247 packages eating 500MB of disk space. Need lodash? Great, now you have 15 different versions because every dependency uses a slightly different one.

The "nested dependency model" sounds fancy but really means "download the entire internet and hope your hard drive survives." Each package gets its own copy of everything, which is why your simple React app weighs more than Microsoft Office.
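
Two things the lockfile can tell you about that black hole, as an added example that is not part of the original article: which packages are installed more than once (the "15 versions of lodash" problem), and which entries `npm ci` cannot actually verify because they lack an integrity hash, were resolved over plaintext http, or point somewhere other than the registry. The lockfile, package names and hashes below are a constructed sample in the lockfileVersion 2/3 layout; the two helper functions are hypothetical names, not part of npm.

```javascript
// Added example (not from the original article): inspect a package-lock.json
// (lockfileVersion 2 or 3) for duplicate versions and for entries that carry
// nothing npm ci could verify. The lockfile below is a constructed sample.

const SAMPLE_LOCK = {
  name: 'hello-world',
  lockfileVersion: 3,
  packages: {
    '': { name: 'hello-world', version: '1.0.0', dependencies: { 'pkg-a': '^1.0.0' } },
    'node_modules/pkg-a': {
      version: '1.2.0',
      resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.0.tgz',
      integrity: 'sha512-PLACEHOLDER-A', // constructed, not a real hash
      dependencies: { lodash: '^4.17.0', 'pkg-b': '^2.0.0' },
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-PLACEHOLDER-B',
    },
    'node_modules/pkg-b': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/pkg-b/-/pkg-b-2.1.0.tgz',
      integrity: 'sha512-PLACEHOLDER-C',
      dependencies: { lodash: '~3.10.0' },
    },
    // pkg-b wanted an older lodash, so it gets its own nested copy; this one
    // also lost its integrity field and was resolved over plain http.
    'node_modules/pkg-b/node_modules/lodash': {
      version: '3.10.1',
      resolved: 'http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz',
    },
    // a git dependency: no registry tarball, no hash to check against
    'node_modules/pkg-c': {
      version: '0.1.0',
      resolved: 'git+ssh://git@example.com/pkg-c.git#0123abc',
    },
  },
};

// Package name from a lockfile path: the part after the last "node_modules/".
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Which packages are installed more than once, and at which versions.
function duplicateVersions(lock) {
  const versions = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project itself
    const name = packageName(path);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(entry.version);
  }
  const dups = {};
  for (const [name, set] of versions) {
    if (set.size > 1) dups[name] = [...set].sort();
  }
  return dups;
}

// Entries npm ci cannot verify: missing integrity, plaintext http, or a
// resolved URL outside the registry you expect (git, a mirror, a random host).
function unverifiableEntries(lock, registry = 'https://registry.npmjs.org/') {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // skip root and workspace links
    const resolved = entry.resolved || '';
    if (!entry.integrity) problems.push({ path, reason: 'no integrity hash' });
    if (resolved.startsWith('http://')) {
      problems.push({ path, reason: 'plaintext http resolved URL' });
    } else if (resolved && !resolved.startsWith(registry)) {
      problems.push({ path, reason: `resolved outside ${registry}` });
    }
  }
  return problems;
}

console.log('duplicates:', duplicateVersions(SAMPLE_LOCK));
console.log('unverifiable:', unverifiableEntries(SAMPLE_LOCK));
```

Point it at a real file with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Duplicates are a disk-space problem; entries without an integrity hash are a supply-chain problem, because `npm ci` only refuses a tampered tarball when the lockfile recorded what the tarball should hash to.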

Fun fact: deleting node_modules and running npm install again fixes 90% of npm problems. The other 10% require deleting your entire project and starting over.

The complexity of npm's dependency resolution is like a fractal - zoom into any dependency and you'll find more dependencies, each with their own dependencies, creating an infinite spiral of code you never asked for.

This is why developers constantly evaluate alternatives. The question isn't whether npm is perfect (it's not), but whether the alternatives are worth the switching cost.

npm vs The Competition (Honest Assessment)

| Feature | npm | Yarn Classic | pnpm | Bun |
|---|---|---|---|---|
| Speed | Slow but reliable | Faster, sometimes breaks | Actually fast | Lightning fast when it works |
| Disk Space | Eats your hard drive | Also eats your hard drive | Saves space with symlinks | Efficient but new |
| Stability | Works everywhere | Works most places | Works if you understand symlinks | Beta software, expect bugs |
| Learning Curve | Everyone knows it | Same commands | Different workflow | Different everything |
| Lock File | package-lock.json | yarn.lock | pnpm-lock.yaml | bun.lockb |
| Debugging | Stack Overflow has answers | Good luck | Symlink hell when it breaks | You're on your own |
| Enterprise | Boring but safe | Facebook uses it | Good for monorepos | Too new for production |
| The Reality | Default choice | "npm but better" | Actually good tech | The future maybe |

npm 11: Slightly Less Broken Than npm 10

npm 11.5.2 was released July 30, 2025. It's faster than npm 10, which isn't saying much since npm 10 was slow as molasses. They fixed some stuff, broke other stuff, and the cycle continues.

[Figure: npm release timeline]

Security Theater Gets an Upgrade

npm audit is still mostly useless: It now gives you more detailed explanations of why your Hello World app has 47 "critical" vulnerabilities. Most are in dev dependencies you don't use, but npm audit doesn't care. At least the error messages are longer now.

Package verification: They added signature checking, which sounds great until a popular package breaks because the maintainer forgot to sign it properly. This happened twice in the first month after release.

"Automated security updates": npm will now suggest fixes that break your build in new and creative ways. npm audit fix --force is still the nuclear option that updates everything and prays it works.

Performance: From Terrible to Bad

30% faster installations: npm 11 is indeed faster than npm 10. Your 5-minute install now takes 3.5 minutes. Revolutionary.

Better caching: The cache works better now, which means fewer trips to the registry when you blow away node_modules for the third time today. It still doesn't work offline half the time.

Memory usage: Uses less RAM during installs, so your laptop fans might not sound like a jet engine. Small wins.

Error Messages: Now With More Words

"Improved error messages": They're longer now. Instead of ERESOLVE, you get a paragraph explaining why your package versions are incompatible, followed by the same unhelpful suggestions to delete node_modules.

Dependency conflicts: npm now suggests specific fixes like npm install package@exact-version that work 60% of the time. The other 40% still require Stack Overflow.

Better workspace support: If you're brave enough to use npm workspaces in a monorepo, it breaks slightly less often. pnpm still does this better.

The Bottom Line

npm 11 is npm 10 but with fewer obvious bugs. It's still slow, your node_modules folder still weighs 500MB, and npm audit still thinks everything is a critical security issue. But hey, at least it crashes less often.

The error messages are wordier, the caching works better, and it's marginally faster. If you're stuck with npm (and you probably are), version 11 is an improvement. Just don't expect miracles.

Even with all the improvements, npm is still painfully slow compared to alternatives. Every benchmark shows the same story: npm comes in dead last. The "improved" error messages are longer but not more helpful - you still end up on Stack Overflow looking for someone who's seen ERESOLVE before.

Which brings us to the real npm experience: figuring out what went wrong when it inevitably breaks.

Real npm Problems and How to Actually Fix Them

Q: Why does npm need sudo and how do I fix this clusterfuck?

A: Because npm tries to install globally in system directories and your OS rightfully tells it to fuck off. Don't use sudo - it breaks everything. Install nvm instead and stop fighting permissions. Five minutes of setup saves hours of pain. The official npm docs explain this too, but nvm is easier.

Q: Should I commit node_modules to Git?

A: God no. That's like committing your entire hard drive to git. Use package-lock.json like a normal person. If someone on your team commits node_modules, make them delete it and question their life choices.

Q: What's the difference between npm install and npm ci?

A: npm install can update your lock file and surprise you with different versions. npm ci uses exactly what's in package-lock.json and won't randomly break your build. Always use npm ci in production unless you enjoy debugging mystery failures.

Q: Why is my node_modules folder 500MB for a Hello World app?

A: Because every package author thinks they're special and needs their own copy of lodash. You installed one package, it installed 247 dependencies. This is normal and terrible. Welcome to JavaScript development.

Q: Why does npm audit show 47 critical vulnerabilities in my empty project?

A: Because npm audit is broken by design. Most "vulnerabilities" are in dev dependencies or transitive dependencies you can't even access. npm audit fix usually breaks more than it fixes. Ignore it unless you actually use the vulnerable code.
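
The "most of it is in dev dependencies" complaint, from the npm 11 security section above and from this answer, can be turned into an actual triage instead of a shrug. The added example below (not code from the original article or from npm) joins `npm audit --json` output (auditReportVersion 2, npm 7+) with package-lock.json, whose lockfileVersion 2/3 entries carry `dev: true` for packages reachable only through devDependencies, and sorts findings into production versus dev-only, flagging the fixes that are semver-major. Both inputs, the package names and the advisory titles are constructed samples; `triageAudit` and friends are hypothetical names.

```javascript
// Added example, not from the original article: split `npm audit --json`
// findings into production and dev-only using the lockfile's dev flags.
// Both inputs below are constructed samples in the real file layouts.

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-parse': {
      name: 'pkg-parse', severity: 'high', isDirect: false,
      via: [{ title: 'Constructed advisory: crafted input crashes the parser', severity: 'high' }],
      effects: ['pkg-server'], range: '<2.0.1',
      nodes: ['node_modules/pkg-parse'], fixAvailable: true,
    },
    'pkg-lint-helper': {
      name: 'pkg-lint-helper', severity: 'critical', isDirect: false,
      via: [{ title: 'Constructed advisory: unsafe temp file handling', severity: 'critical' }],
      effects: ['pkg-linter'], range: '<1.1.0',
      nodes: ['node_modules/pkg-lint-helper'],
      fixAvailable: { name: 'pkg-linter', version: '9.0.0', isSemVerMajor: true },
    },
    'pkg-linter': {
      name: 'pkg-linter', severity: 'critical', isDirect: true,
      via: ['pkg-lint-helper'], effects: [], range: '<=8.0.0',
      nodes: ['node_modules/pkg-linter'],
      fixAvailable: { name: 'pkg-linter', version: '9.0.0', isSemVerMajor: true },
    },
  },
};

const LOCK_WITH_DEV_FLAGS = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'pkg-server': '^1.0.0' }, devDependencies: { 'pkg-linter': '^8.0.0' } },
    'node_modules/pkg-server': { version: '1.0.0', dependencies: { 'pkg-parse': '^2.0.0' } },
    'node_modules/pkg-parse': { version: '2.0.0' },
    'node_modules/pkg-linter': { version: '8.0.0', dev: true, dependencies: { 'pkg-lint-helper': '^1.0.0' } },
    'node_modules/pkg-lint-helper': { version: '1.0.0', dev: true },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// A finding is dev-only when every installed copy of the package is marked dev
// in the lockfile; a path the lockfile does not know is treated as production.
function isDevOnly(nodes, lock) {
  return nodes.length > 0 && nodes.every((p) => lock.packages[p] && lock.packages[p].dev === true);
}

// fixAvailable is true, false, or { name, version, isSemVerMajor } in this format.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const major = fixAvailable.isSemVerMajor ? ' (major bump, expect breakage)' : '';
    return `${fixAvailable.name}@${fixAvailable.version}${major}`;
  }
  return 'no fix available';
}

function triageAudit(audit, lock) {
  const result = { production: [], devOnly: [], breakingFixes: [] };
  for (const v of Object.values(audit.vulnerabilities)) {
    const finding = { name: v.name, severity: v.severity, direct: v.isDirect, fix: describeFix(v.fixAvailable) };
    (isDevOnly(v.nodes, lock) ? result.devOnly : result.production).push(finding);
    if (v.fixAvailable && v.fixAvailable.isSemVerMajor) result.breakingFixes.push(v.name);
  }
  const bySeverity = (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
  result.production.sort(bySeverity);
  result.devOnly.sort(bySeverity);
  return result;
}

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, LOCK_WITH_DEV_FLAGS), null, 2));
```

Feed it `JSON.parse` of `npm audit --json` output and of package-lock.json. The `production` list is what reaches users; `devOnly` still runs on developer machines and CI runners at install and build time, so the split orders the work rather than closing it, and `breakingFixes` is the list of packages where `npm audit fix --force` would cross a major version.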

Q: How do I fix "ERESOLVE unable to resolve dependency tree"?

A: Delete node_modules and package-lock.json, then run npm install again. If that doesn't work, try npm install --legacy-peer-deps. If that doesn't work, find the conflicting packages and update them manually. If that doesn't work, start drinking. This Medium article explains dependency resolution better than the official docs, but it still won't help you at 3am.
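
"Find the conflicting packages" is the step that needs a tool, so here is the check behind ERESOLVE as an added example (not from the original article, and not npm's own resolver): npm refuses to build a tree in which some package's peerDependencies range is not satisfied by the version it actually installed. Given the top-level versions and each package's declared peers, the script lists the offending pairs. The installed set and package metadata are constructed; the semver matcher is a deliberately small one that handles plain x.y.z versions with `^`, `~`, `>=`, exact pins, `*` and `||`, nothing more.

```javascript
// Added example, not from the original article: reproduce the peer-dependency
// check that produces ERESOLVE, so the conflicting pair is named instead of
// guessed. Inputs are constructed; the semver subset is an assumption.

// Versions npm placed at the top level of node_modules (constructed).
const INSTALLED = { react: '17.0.2', 'pkg-ui': '5.2.0', 'pkg-charts': '2.0.1', 'pkg-plugin': '1.0.0' };

// What each installed package declares (constructed); a real run would read
// node_modules/<name>/package.json for each.
const PACKAGES = {
  'pkg-ui': { peerDependencies: { react: '^18.0.0' } },
  'pkg-charts': { peerDependencies: { react: '>=16.8.0' } },
  'pkg-plugin': {
    peerDependencies: { 'pkg-core': '^2.0.0', 'pkg-theme': '*' },
    peerDependenciesMeta: { 'pkg-theme': { optional: true } },
  },
};

function parseVersion(v) {
  return v.split('.').map(Number); // assumption: plain x.y.z, no prerelease tag
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfiesSimple(v, range) {
  if (range === '' || range === '*' || range === 'x') return true;
  if (range.startsWith('>=')) return compare(v, parseVersion(range.slice(2))) >= 0;
  if (range.startsWith('^')) {
    // caret: the leftmost non-zero component must not change
    const base = parseVersion(range.slice(1));
    const upper = base[0] > 0 ? [base[0] + 1, 0, 0]
      : base[1] > 0 ? [0, base[1] + 1, 0]
        : [0, 0, base[2] + 1];
    return compare(v, base) >= 0 && compare(v, upper) < 0;
  }
  if (range.startsWith('~')) {
    // tilde: patch-level changes only
    const base = parseVersion(range.slice(1));
    return compare(v, base) >= 0 && compare(v, [base[0], base[1] + 1, 0]) < 0;
  }
  return compare(v, parseVersion(range)) === 0; // exact pin
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((part) => satisfiesSimple(v, part.trim()));
}

// Every (package, peer) pair whose peer is missing (and not optional) or
// installed at a version outside the declared range.
function peerConflicts(installed, packages) {
  const problems = [];
  for (const [name, meta] of Object.entries(packages)) {
    const optionalMeta = meta.peerDependenciesMeta || {};
    for (const [peer, range] of Object.entries(meta.peerDependencies || {})) {
      const have = installed[peer];
      if (have === undefined) {
        const optional = optionalMeta[peer] && optionalMeta[peer].optional;
        if (!optional) problems.push({ package: name, peer, wants: range, have: null, kind: 'missing' });
      } else if (!satisfies(have, range)) {
        problems.push({ package: name, peer, wants: range, have, kind: 'conflict' });
      }
    }
  }
  return problems;
}

for (const p of peerConflicts(INSTALLED, PACKAGES)) {
  console.log(`${p.kind}: ${p.package} wants ${p.peer}@${p.wants}, installed ${p.have ?? 'nothing'}`);
}
```

Each line names the two packages to update. `--legacy-peer-deps` makes npm skip exactly this check, which is why it "works": the mismatch is still there, it just stops being reported.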

Q: Why did npm audit fix --force break my entire application?

A: Because you told npm to update everything to fix security issues and it did exactly that. It updated your carefully pinned dependencies to breaking changes. Next time read what it's going to change first, or better yet, just ignore the audit warnings.

Q: How do I handle package-lock.json merge conflicts?

A: Delete package-lock.json, run npm install, commit the new lock file. Don't try to manually merge it - you'll fuck it up and spend three hours debugging. Just regenerate it.

Q: Why does npm install take forever and can I speed it up?

A: Because npm is slow and downloads everything sequentially. Use pnpm instead - it's actually fast and uses disk space efficiently. Or switch to Bun if you like living dangerously.

Q: My build worked yesterday, now it's broken. What happened?

A: Someone published a new version of a dependency and npm picked it up despite your lock file. Or your colleague updated something. Or the stars aligned wrong. Delete node_modules, run npm ci, and if that doesn't work, check what changed in your dependencies with npm ls.
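
"Check what changed" and, two answers up, "read what it's going to change first" are the same question, and the lockfile answers it precisely. The added example below (not from the original article, not an npm command) diffs two package-lock.json files and reports added, removed and changed entries, with major-version jumps listed first since those are the ones that break builds. Keep a copy of package-lock.json before `npm audit fix --force`, or pull the previous version out of git, and compare it against the new one. The two lockfiles and package names are constructed; `diffLockfiles` and `summarize` are hypothetical names.

```javascript
// Added example, not from the original article: diff two package-lock.json
// files (lockfileVersion 2/3) and list exactly which versions moved.
// Both lockfiles below are constructed samples.

const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/pkg-a': { version: '1.2.0' },
    'node_modules/pkg-b': { version: '2.1.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/pkg-b/node_modules/lodash': { version: '3.10.1' },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/pkg-a': { version: '1.2.1' },
    'node_modules/pkg-b': { version: '3.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/pkg-d': { version: '0.4.0' },
  },
};

// Major component of a plain x.y.z version (assumption: no prerelease tags).
function major(version) {
  return Number(version.split('.')[0]);
}

function diffLockfiles(before, after) {
  const diff = { added: [], removed: [], changed: [] };
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const path of paths) {
    if (path === '') continue; // the root project entry, not a dependency
    const b = before.packages[path];
    const a = after.packages[path];
    if (b && !a) {
      diff.removed.push({ path, version: b.version });
    } else if (!b && a) {
      diff.added.push({ path, version: a.version });
    } else if (b.version !== a.version) {
      diff.changed.push({ path, from: b.version, to: a.version, majorBump: major(a.version) !== major(b.version) });
    }
  }
  return diff;
}

// One line per change, major bumps first.
function summarize(diff) {
  const lines = [];
  for (const c of diff.changed.filter((x) => x.majorBump)) lines.push(`MAJOR ${c.path}: ${c.from} -> ${c.to}`);
  for (const c of diff.changed.filter((x) => !x.majorBump)) lines.push(`minor/patch ${c.path}: ${c.from} -> ${c.to}`);
  for (const a of diff.added) lines.push(`added ${a.path}@${a.version}`);
  for (const r of diff.removed) lines.push(`removed ${r.path}@${r.version}`);
  return lines;
}

console.log(summarize(diffLockfiles(LOCK_BEFORE, LOCK_AFTER)).join('\n'));
```

For real files, `git show HEAD:package-lock.json` gives you the "before" and the working copy the "after"; a MAJOR line that you did not ask for is the first thing to look at when yesterday's build stops working.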

Q: How do I publish a package without screwing it up?

A: Test it locally with npm pack first. Don't publish version 1.0.0 on your first try - you'll want to unpublish it but npm won't let you after 24 hours. Start with 0.0.1 and increment carefully. Read the docs about what files get included, because you will accidentally publish your .env file.

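
The .env accident is cheap to prevent mechanically rather than by reading the docs carefully every time. The added example below (not from the original article, not an npm feature) is a pre-publish gate: it reads the JSON that `npm pack --dry-run --json` prints (an array with one entry per package, each listing its `files`, in npm 7 and later) and refuses to continue if the tarball would carry a dotenv file, a private key or an .npmrc. The pack output, file list and script name `scripts/check-pack.js` are constructed or assumed; the deny-list is a starting point, not a complete one.

```javascript
// Added example, not from the original article: fail a publish when the
// tarball npm is about to build contains files that must not leave the
// machine. The pack output below is a constructed sample of the npm 7+ format.

const SAMPLE_PACK = [{
  id: 'my-lib@0.0.1', name: 'my-lib', version: '0.0.1', filename: 'my-lib-0.0.1.tgz',
  files: [
    { path: 'package.json', size: 310 },
    { path: 'README.md', size: 1200 },
    { path: 'dist/index.js', size: 4100 },
    { path: '.env', size: 85 },
    { path: '.env.production', size: 90 },
    { path: 'config/server.key', size: 1704 },
  ],
}];

// Paths that indicate a secret or local config leaked into the package.
const FORBIDDEN = [
  /(^|\/)\.env(\.[^/]+)?$/,   // .env, .env.local, .env.production
  /\.(pem|key|p12|pfx)$/,     // private keys and keystores
  /(^|\/)id_(rsa|ed25519)$/,  // SSH keys
  /(^|\/)\.npmrc$/,           // may carry an auth token
];

function forbiddenFiles(packOutput) {
  const hits = [];
  for (const pkg of packOutput) {
    for (const file of pkg.files || []) {
      if (FORBIDDEN.some((re) => re.test(file.path))) hits.push(file.path);
    }
  }
  return hits;
}

function runGate(packOutput) {
  const hits = forbiddenFiles(packOutput);
  return { ok: hits.length === 0, hits };
}

// Wire it up in package.json (script path assumed):
//   "prepublishOnly": "npm pack --dry-run --json | node scripts/check-pack.js --stdin"
// With --stdin the gate reads real pack output and fails the publish on a hit;
// without it, it just demonstrates on the constructed sample.
if (process.argv.includes('--stdin')) {
  const gate = runGate(JSON.parse(require('node:fs').readFileSync(0, 'utf8')));
  if (!gate.ok) {
    console.error('Refusing to publish; tarball would include:\n  ' + gate.hits.join('\n  '));
    process.exit(1);
  }
  console.log('Tarball contents look clean.');
} else {
  console.log('Sample tarball would be blocked for:', runGate(SAMPLE_PACK).hits);
}
```

Because `prepublishOnly` runs before every `npm publish`, the check cannot be skipped by forgetting it, and `npm pack --dry-run` builds the file list with the same `files`/.npmignore rules the real publish would use, so what it reports is what would ship.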
Q: When should I use --save-dev vs regular dependencies?

A: If it runs in production, it's a dependency. If it's only for development (testing, building, linting), it's a devDependency. When in doubt, use regular dependencies - your production build might need it and you'll spend two hours debugging why your app crashes because a build tool is missing.
