Installing Packages with NPM

Learn about packages and configuring files that Git should ignore.

Box Cat

As we previously learned, Express is a framework for Node that will handle our web server.

Thus far, we have initialized NPM but haven't installed any packages. So the first order of business is to install Express via NPM. However, installing packages results in a directory that Git should not track, so let's also look at ignoring things in Git. In addition, you'll learn there are different types of packages and dependencies.

The commands you need to know here on a day-to-day basis are pretty simple. However, understanding the options and what's going on is more complex. As a result, most of this article goes into detail to prevent future confusion.

Install Express

First, open VS Code, then open the integrated Terminal.

View > Terminal or Control + ` (grave accent)

In the Terminal, type npm i -S express or npm install --save express.

You can learn more about the package you're installing on the NPM website.

Express is a "Fast, unopinionated, minimalist web framework for node."

If you don't install Express, down the road, you'll see:

Error: Cannot find module 'express'

After installing, you should see a change to the package.json file.

  "dependencies": {
    "express": "^4.17.1"

Let's also install a tool called nodemon that will save time in development. "nodemon is a tool that helps develop node.js based applications by automatically restarting the node application when file changes in the directory are detected."

npm i -D nodemon or npm install --save-dev nodemon

  "dependencies": {
    "express": "^4.17.1"
  "devDependencies": {
    "nodemon": "^2.0.12"

After installing Express in your project directory, you should see the following folder and file.



Node modules

"Package is a term used by npm to denote tools that developers can use for their projects... The packages will come in a folder typically called node_modules, which will also contain a package.json file. This file contains information regarding all the packages including any dependencies, which are additional modules needed to use a particular package."

Package lock

"package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates."

Global or local packages

We could have installed nodemon as a global package like this.

npm install -g nodemon

"The main difference between local and global packages is this:

  • local packages are installed in the directory where you run npm install <package-name>, and they are put in the node_modules folder under this directory
  • global packages are all put in a single place in your system (exactly where depends on your setup), regardless of where you run npm install -g <package-name>"

"In general, the rule of thumb is:

  • If you’re installing something that you want to use in your program, using require('whatever'), then install it locally, at the root of your project.
  • If you’re installing something that you want to use in your shell, on the command line or something, install it globally, so that its binaries end up in your PATH environment variable."

The problem with npm install --global. "It's certainly quick and easy to start using a new tool that's globally installed, which is why a lot of "getting started" guides recommend it. Also, the problems you'll experience might take you weeks or months to notice."

"If your project depends on a package, it should be listed in your package.json file as a dependency and installed locally in your project, rather than globally."

"What are the pros and cons of installing all npm modules globally?"

"With a local installation, nodemon will not be available in your system path or you can't use it directly from the command line."

For the sake of example, let's leave nodemon as a local install. We'll tackle this problem in the following article.


Look in package.json again and notice dependencies and devDependencies.

"When you install an npm package using npm install <package-name>, you are installing it as a dependency.

The package is automatically listed in the package.json file, under the dependencies list (as of npm 5: before you had to manually specify --save).

When you add the -D flag, or --save-dev, you are installing it as a development dependency, which adds it to the devDependencies list.

Development dependencies are intended as development-only packages, that are unneeded in production."

For example, when we deploy our back-end code to a server, our application will be running all the time; we won't need to apply new changes or automatically restart the server with nodemon. There are exceptions shown in the FAQ.

It's ok to install some packages globally. For example, scaffolding tools you use once for a setup like create-react-app and utility tools like nodemon are ok because they don't know anything about your project.

Configuring NPM

Guidance on configuring package.json is available on NPM.

Uninstall a package

"To remove a package from your node_modules directory, on the command line, use the uninstall command. Include the scope if the package is scoped."

npm uninstall <package_name>

"To remove a package from the dependencies in package.json, use the --save flag. Include the scope if the package is scoped."

npm uninstall --save <package_name>

You can also delete dependencies from your package.json file, save, and run npm i again.

Git ignore

"A gitignore file specifies intentionally untracked files that Git should ignore."

It's a best practice not to track changes to irrelevant files. You don't want to push unnecessary garbage to a shared repository on GitHub. Also, not tracking specific files like a .env file is crucial for maintaining security when publishing your work to GitHub.

"You can create a .gitignore file in your repository's root directory to tell Git which files and directories to ignore when you make a commit."

touch .gitignore (Note that this is a hidden file, so it begins with a period.)

There are many .gitignore resources and generators. Unfortunately, many of these preconfigured lists make many assumptions about what tools you'll be using, your operating system, testing settings, server environment for deployment, and continuous delivery. The result is a lot of unnecessary noise. In addition, most of these long lists don't explain anything about why you need to exclude tracking. Finally, keep in mind that an open-source project will likely have contributors who use different operating systems.,node

For now, let's start by adding the following to our .gitignore file and saving it.

# macOS

# Dependency directories

".DS_Store is a hidden file that gets generated whenever someone opens a directory in the finder."

"Ignored files are usually build artifacts and machine generated files that can be derived from your repository source or should otherwise not be committed. Some common examples are: dependency caches, such as the contents of /node_modules or /packages"

In other words, developers use a list of NPM package dependencies in package.json to install the project locally. After downloading or cloning any project, the first step is to run install (i.e., npm install or npm i).

When deploying our back-end code to a server, we invoke npm i to install packages on that remote computer. Developer dependencies are extraneous.


In this article, the main lessons are using npm i <package_name> to install third-party packages and creating a .gitignore file to exclude the node_modules folder from Git.

We'll continue working with NPM and Express in the following article.