Node.js – Adding and Removing Packages with npm and Yarn
Node.js package management is the backbone of modern JavaScript development, and knowing how to efficiently add and remove packages using npm and Yarn can make or break your development workflow. Whether you’re setting up a new project from scratch, maintaining legacy applications, or optimizing your deployment pipeline, understanding these package managers’ nuances will save you countless hours of debugging dependency conflicts and version mismatches. This guide walks you through practical package management techniques, common troubleshooting scenarios, performance comparisons, and real-world strategies that actually work in production environments.
How npm and Yarn Package Management Works
Both npm and Yarn operate on the concept of a dependency tree, but they handle package resolution, caching, and installation differently under the hood. npm uses a nested approach in older versions (pre-v3) and flattened dependency trees in newer versions, while Yarn implements a deterministic installation algorithm that creates consistent yarn.lock files across environments.
The key difference lies in how they resolve dependencies. npm performs network requests sequentially in many cases, while Yarn parallelizes downloads and maintains a global cache that’s shared across projects. Understanding this distinction becomes crucial when you’re dealing with large projects or CI/CD pipelines where installation speed matters.
# npm dependency resolution
npm ls --depth=0
# Yarn dependency resolution
yarn list --depth=0
Step-by-Step Package Installation Guide
Let’s start with the basics and work our way up to more complex scenarios. Here’s how to add packages using both package managers:
Adding Dependencies
# npm - production dependencies
npm install express
npm install express@4.18.2 # specific version
npm install express@^4.18.0 # compatible version
# npm - development dependencies
npm install --save-dev nodemon
npm install -D jest eslint # shorthand
# Yarn equivalents
yarn add express
yarn add express@4.18.2
yarn add express@^4.18.0
# Yarn development dependencies
yarn add --dev nodemon
yarn add -D jest eslint
Global Package Installation
# npm global installation
npm install -g pm2
npm install -g @angular/cli
# Yarn global installation
yarn global add pm2
yarn global add @angular/cli
# Check global packages
npm list -g --depth=0
yarn global list
Installing from package.json
# npm - install all dependencies
npm install
npm ci # clean install (uses package-lock.json)
# Yarn
yarn install
yarn install --frozen-lockfile # production builds
Package Removal Strategies
Removing packages properly ensures your dependency tree stays clean and your bundle sizes remain optimized. Here’s how to handle different removal scenarios:
# npm package removal
npm uninstall express
npm uninstall --save-dev nodemon
npm uninstall -g pm2
# Yarn package removal
yarn remove express
yarn remove --dev nodemon
yarn global remove pm2
# Remove and clean up unused dependencies
npm prune
yarn autoclean
Cleaning Up Orphaned Dependencies
# Find unused dependencies
npm ls --depth=0 2>/dev/null | grep -E "^├─|^└─" | grep -v deduped
# Remove all node_modules and reinstall
rm -rf node_modules package-lock.json
npm install
# Yarn equivalent
rm -rf node_modules yarn.lock
yarn install
Performance Comparison and Benchmarks
Based on real-world testing across different project sizes, here’s how npm and Yarn stack up:
| Operation | npm v8.x | Yarn v1.x | Yarn v2+ (Berry) |
|---|---|---|---|
| Fresh install (50 deps) | 45-60 seconds | 25-35 seconds | 20-30 seconds |
| Cached install | 15-25 seconds | 8-15 seconds | 5-10 seconds |
| Adding single package | 5-8 seconds | 3-5 seconds | 2-4 seconds |
| Lock file generation | Fast | Fast | Very fast |
Real-World Use Cases and Examples
Setting Up a New Express.js Project
# Initialize project
mkdir my-api && cd my-api
npm init -y
# Install production dependencies
npm install express cors helmet dotenv bcryptjs jsonwebtoken
# Install development dependencies
npm install -D nodemon jest supertest eslint prettier
# Create basic server structure
cat > server.js << 'EOF'
const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
require('dotenv').config();
const app = express();
app.use(helmet());
app.use(cors());
app.use(express.json());
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Server running on port ${PORT}`));
EOF
Upgrading Dependencies Safely
# Check outdated packages
npm outdated
yarn outdated
# Update packages interactively
npx npm-check-updates -i
yarn upgrade-interactive
# Update specific package
npm update express
yarn upgrade express
# Update to latest versions (careful!)
npx npm-check-updates -u && npm install
yarn upgrade --latest
Managing Multiple Node.js Versions
# Using nvm with different package managers
nvm use 16
npm install -g yarn@1.22.19
nvm use 18
npm install -g yarn@3.2.4
# Project-specific Node version
echo "16.17.0" > .nvmrc
nvm use # automatically uses version from .nvmrc
Common Issues and Troubleshooting
Permission Errors on Unix Systems
# Fix npm permissions without sudo
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
# Alternative: use a Node version manager
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
Dependency Conflicts and Version Issues
# Resolve peer dependency warnings
npm install --legacy-peer-deps
# Force resolution in package.json (npm 8.3+)
{
"overrides": {
"package-name": "^1.0.0"
}
}
# Yarn resolutions
{
"resolutions": {
"package-name": "^1.0.0"
}
}
Network and Registry Issues
# Switch to different registry
npm config set registry https://registry.npmjs.org/
yarn config set registry https://registry.npmjs.org/
# Use corporate registry with authentication
npm config set registry https://your-registry.com/
npm config set //your-registry.com/:_authToken $AUTH_TOKEN
# Verify registry configuration
npm config get registry
yarn config get registry
Best Practices and Performance Optimization
Lock File Management
- Always commit
package-lock.jsonoryarn.lockto version control - Use
npm ciin CI/CD pipelines instead ofnpm install - Regularly audit and update lock files for security vulnerabilities
- Don’t manually edit lock files – regenerate them when needed
Security Considerations
# Regular security audits
npm audit
npm audit fix
npm audit fix --force # use with caution
# Yarn security
yarn audit
yarn audit --level moderate
# Check for known vulnerabilities
npx audit-ci --moderate
Docker and Container Optimization
# Optimized Dockerfile for npm
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
# Multi-stage build for smaller images
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:18-alpine AS production
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/server.js"]
Advanced Package Management Techniques
Monorepo Management
# Using npm workspaces
{
"name": "my-monorepo",
"workspaces": [
"packages/*",
"apps/*"
]
}
# Install dependencies for specific workspace
npm install express --workspace=packages/api
# Run scripts across workspaces
npm run test --workspaces
npm run build --workspace=packages/ui
Private Package Management
# Publishing to private registry
npm publish --registry https://your-private-registry.com/
# Installing from private registry
npm install @yourcompany/private-package --registry https://your-private-registry.com/
# Using .npmrc for project-specific configuration
echo "@yourcompany:registry=https://your-private-registry.com/" > .npmrc
echo "//your-private-registry.com/:_authToken=${NPM_TOKEN}" >> .npmrc
Performance Monitoring and Analytics
# Bundle analysis
npm install -D webpack-bundle-analyzer
npx webpack-bundle-analyzer dist/static/js/*.js
# Dependency size analysis
npx bundlephobia @types/node express lodash
# Performance profiling
npm install --timing=true --loglevel=silly
For official documentation and additional resources, check out the npm documentation and Yarn getting started guide. The Node.js official documentation also provides comprehensive information about package management best practices and troubleshooting common issues.
This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.
This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.
More stories
