This chapter explains what npm packages are and how they interact with ESM modules.
Required knowledge: I’m assuming that you are loosely familiar with the syntax of ECMAScript modules. If you are not, you can read chapter “modules” in “JavaScript for impatient programmers”.
In the JavaScript ecosystem, a package is a way of organizing software projects: It is a directory with a standardized layout. A package can contain all kinds of files – for example:
A package can depend on other packages (which are called its dependencies) which contain:
The dependencies of a package are installed inside that package (we’ll see how soon).
One common distinction between packages is:
The next subsection explains how packages can be published.
The main way of publishing a package is to upload it to a package registry – an online software repository. The de facto standard is the npm registry but it is not the only option. For example, companies can host their own internal registries.
A package manager is a command line tool that downloads packages from a registry (or other sources) and installs them locally or globally. If a package contains bin scripts, it also makes those available locally or globally.
The most popular package manager is called npm and comes bundled with Node.js. Its name originally stood for “Node Package Manager”. Later, when npm and the npm registry were used not only for Node.js packages, the definition was changed to “npm is not a package manager” (source).
There are other popular package managers such as yarn and pnpm. All of these package managers use the npm registry by default.
Each package in the npm registry has a name. There are two kinds of names:
Global names are unique across the whole registry. These are two examples:
minimatch
mocha
Scoped names consist of two parts: A scope and a name. Scopes are globally unique, names are unique per scope. These are two examples:
@babel/core
@rauschma/iterable
The scope starts with an @ symbol and is separated from the name with a slash.
Once a package my-package is fully installed, it almost always looks like this:
my-package/
package.json
node_modules/
[More files]
What are the purposes of these file system entries?
package.json is a file every package must have:
node_modules/ is a directory into which the dependencies of the package are installed. Each dependency also has a node_modules folder with its dependencies, etc. The result is a tree of dependencies.
Some packages also have the file package-lock.json that sits next to package.json: It records the exact versions of the dependencies that were installed and is kept up to date if we add more dependencies via npm.
package.json
This is a starter package.json that can be created via npm:
{
"name": "my-package",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
What are the purposes of these properties?
Some properties are required for public packages (published on the npm registry):
name specifies the name of this package.
version is used for version management and follows semantic versioning with three dot-separated numbers:
Other properties for public packages are optional:
description, keywords, author are optional and make it easier to find packages.
license clarifies how this package can be used. It makes sense to provide this value if the package is public in any way. “Choose an open source license” can help with making this choice.
main is a property for packages with library code. It specifies the module that “is” the package (explained later in this chapter).
scripts is a property for setting up package scripts – abbreviations for development-time shell commands. These can be executed via npm run. For example, the script test can be executed via npm run test. For more on this topic, see §15 “Running cross-platform tasks via npm package scripts”.
Other useful properties:
dependencies lists the dependencies of a package. Its format is explained soon.
devDependencies are dependencies that are only needed during development.
The following setting means that all files with the name extension .js are interpreted as ECMAScript modules. Unless we are dealing with legacy code, it makes sense to add it:
"type": "module"
bin lists bin scripts, Node.js modules within the package that npm installs as shell scripts. Its format is explained soon.
license specifies a license for the package. Its format is explained soon.
Normally, the properties name and version are required and npm warns us if they are missing. However, we can change that via the following setting:
"private": true
That prevents the package from accidentally being published and allows us to omit name and version.
For more information on package.json, see the npm documentation.
"dependencies" of package.json
This is what the dependencies in a package.json file look like:
"dependencies": {
"minimatch": "^5.1.0",
"mocha": "^10.0.0"
}
The properties record both the names of packages and constraints for their versions.
Versions themselves follow the semantic versioning standard. They are up to three numbers (the second and third number are optional and zero by default) separated by dots:
Node’s version ranges are explained in the semver repository. Examples include:
A specific version without any extra characters means that the installed version must match the version exactly:
"pkg1": "2.0.1",
major.minor.x or major.x means that the components that are numbers must match, the components that are x or omitted can have any values:
"pkg2": "2.x",
"pkg3": "3.3.x",
* matches any version:
"pkg4": "*",
>=version means that the installed version must be version or higher:
"pkg5": ">=1.0.2",
<=version means that the installed version must be version or lower:
"pkg6": "<=2.3.4",
version1-version2 is the same as >=version1 <=version2:
"pkg7": "1.0.0 - 2.9999.9999",
^version (as used in the previous example) is a caret range and means that the installed version can be version or higher but must not introduce breaking changes. That is, the major version must be the same:
"pkg8": "^4.17.21",
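As an added example (not code from the book), here is a small matcher for exactly the range forms listed above. It goes slightly beyond the text in one respect: for caret ranges on 0.x versions it applies the semver rule that the minor component (or, for 0.0.x, the patch component) is the breaking one. Real projects use the semver package, which supports many more forms.

```javascript
// Parses "2.0.1", "2.x" or "2" into [major, minor, patch]; an "x" or omitted
// component becomes null and acts as a wildcard.
function parseVersion(str) {
  const parts = str.trim().split('.');
  if (parts.length > 3) throw new Error(`Bad version: ${str}`);
  return [0, 1, 2].map((i) => {
    const p = parts[i];
    if (p === undefined || p === 'x' || p === 'X' || p === '*') return null;
    if (!/^\d+$/.test(p)) throw new Error(`Bad version: ${str}`);
    return Number(p);
  });
}

// Compares two concrete versions like a sort comparator (negative, zero, positive).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lower bound of a pattern: wildcards count as 0, so "2.x" starts at 2.0.0.
const lowerBound = (pattern) => pattern.map((p) => p ?? 0);

// Returns true if the concrete version `versionStr` is inside `range`.
function satisfies(versionStr, range) {
  const v = parseVersion(versionStr);
  if (v.includes(null)) throw new Error(`Need a concrete version, got ${versionStr}`);
  range = range.trim();
  if (range === '*' || range === '') return true;
  let m;
  if ((m = range.match(/^(\S+)\s+-\s+(\S+)$/))) { // "v1 - v2" means >=v1 <=v2
    return compareVersions(v, lowerBound(parseVersion(m[1]))) >= 0 &&
      compareVersions(v, lowerBound(parseVersion(m[2]))) <= 0;
  }
  if ((m = range.match(/^(>=|<=)(\S+)$/))) {
    const c = compareVersions(v, lowerBound(parseVersion(m[2])));
    return m[1] === '>=' ? c >= 0 : c <= 0;
  }
  if ((m = range.match(/^\^(\S+)$/))) { // caret: at least the base, no breaking change
    const base = lowerBound(parseVersion(m[1]));
    if (compareVersions(v, base) < 0) return false;
    // Same major; for 0.x the minor (and for 0.0.x the patch) is the breaking part.
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  // Exact version ("2.0.1") or x-range ("2.x", "3.3.x", "2"): numbers must match, x is free.
  return parseVersion(range).every((p, i) => p === null || p === v[i]);
}

console.log(satisfies('4.99.0', '^4.17.21')); // true: same major, newer than the base
console.log(satisfies('5.0.0', '^4.17.21'));  // false: a new major is a breaking change
```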
"bin"
of package.json
This is how we can tell npm to install modules as shell scripts:
"bin": {
"my-shell-script": "./src/shell/my-shell-script.mjs",
"another-script": "./src/shell/another-script.mjs"
}
If we install a package with this "bin" value globally, Node.js ensures that the commands my-shell-script and another-script become available at the command line.
If we install the package locally, we can use the two commands in package scripts or via the npx command.
A string is also allowed as the value of "bin":
{
"name": "my-package",
"bin": "./src/main.mjs"
}
This is an abbreviation for:
{
"name": "my-package",
"bin": {
"my-package": "./src/main.mjs"
}
}
"license"
of package.json
The value of property "license" is always a string with a SPDX license ID. For example, the following value denies others the right to use a package under any terms (which is useful if a package is unpublished):
"license": "UNLICENSED"
The SPDX website lists all available license IDs. If you find it difficult to pick one, the website “Choose an open source license” can help – for example, this is the advice if you “want it simple and permissive”:
The MIT License is short and to the point. It lets people do almost anything they want with your project, like making and distributing closed source versions.
Babel, .NET, and Rails use the MIT License.
You can use that license like this:
"license": "MIT"
Packages in the npm registry are often archived in two different ways:
Either way, the package is archived without its dependencies – which we have to install before we can use it.
If a package is stored in a git repository:
package-lock.json is usually included.
If a package is published to the npm registry:
package-lock.json is never uploaded to the npm registry.
Dev dependencies (property devDependencies in package.json) are only installed during development but not when we install the package from the npm registry.
Note that unpublished packages in git repositories are handled similarly to published packages during development.
To install a package pkg from git, we clone its repository and:
cd pkg/
npm install
Then the following steps are performed:
node_modules is created and the dependencies are installed. Installing a dependency also means downloading that dependency and installing its dependencies (etc.).
package.json.
If the root package doesn’t have a package-lock.json file, it is created during installation (as mentioned, dependencies don’t have this file).
In a dependency tree, the same dependency may exist multiple times, possibly in different versions. There are ways to minimize duplication, but that is beyond the scope of this chapter.
This is a (slightly crude) way of fixing issues in a dependency tree:
cd pkg/
rm -rf node_modules/
rm package-lock.json
npm install
Note that this may result in different, newer, packages being installed. We can avoid that by not deleting package-lock.json.
There are many tools and techniques for setting up new packages. This is one simple way:
mkdir my-package
cd my-package/
npm init --yes
Afterward, the directory looks like this:
my-package/
package.json
This package.json has the starter content that we have already seen.
Right now, my-package doesn’t have any dependencies. Let’s say we want to use the library lodash-es. This is how we install it into our package:
npm install lodash-es
This command performs the following steps:
The package is downloaded into my-package/node_modules/lodash-es.
Its dependencies are also installed. Then the dependencies of its dependencies. Etc.
A new property is added to package.json:
"dependencies": {
"lodash-es": "^4.17.21"
}
package-lock.json is updated with the exact version that was installed.
Code in other ECMAScript modules is accessed via import statements (line A and line B):
// Static import
import {namedExport} from 'https://example.com/some-module.js'; // (A)
console.log(namedExport);
// Dynamic import
import('https://example.com/some-module.js') // (B)
.then((moduleNamespace) => {
console.log(moduleNamespace.namedExport);
});
Both static imports and dynamic imports use module specifiers to refer to modules:
from in line A.
There are three kinds of module specifiers:
Absolute specifiers are full URLs – for example:
'https://www.unpkg.com/browse/yargs@17.3.1/browser.mjs'
'file:///opt/nodejs/config.mjs'
Absolute specifiers are mostly used to access libraries that are directly hosted on the web.
Relative specifiers are relative URLs (starting with '/', './' or '../') – for example:
'./sibling-module.js'
'../module-in-parent-dir.mjs'
'../../dir/other-module.js'
Every module has a URL whose protocol depends on its location (file:, https:, etc.). If it uses a relative specifier, JavaScript turns that specifier into a full URL by resolving it against the module’s URL.
Relative specifiers are mostly used to access other modules within the same code base.
Bare specifiers are paths (without protocol and domain) that start with neither slashes nor dots. They begin with the names of packages. Those names can optionally be followed by subpaths:
'some-package'
'some-package/sync'
'some-package/util/files/path-tools.js'
Bare specifiers can also refer to packages with scoped names:
'@some-scope/scoped-name'
'@some-scope/scoped-name/async'
'@some-scope/scoped-name/dir/some-module.mjs'
Each bare specifier refers to exactly one module inside a package; if it has no subpath, it refers to the designated “main” module of its package. A bare specifier is never used directly but always resolved – translated to an absolute specifier. How resolution works depends on the platform. We’ll learn more soon.
.js or .mjs.
Style 1: no subpath
Style 2: a subpath without a filename extension. In this case, the subpath works like a modifier for the package name:
'my-parser/sync'
'my-parser/async'
'assertions'
'assertions/strict'
Style 3: a subpath with a filename extension. In this case, the package is seen as a collection of modules and the subpath points to one of them:
'large-package/misc/util.js'
'large-package/main/parsing.js'
'large-package/main/printing.js'
Caveat of style 3 bare specifiers: How the filename extension is interpreted depends on the dependency and may differ from the importing package. For example, the importing package may use .mjs for ESM modules and .js for CommonJS modules, while the ESM modules exported by the dependency may have bare paths with the filename extension .js.
Let’s see how module specifiers work in Node.js.
The Node.js resolution algorithm works as follows:
This is the algorithm:
If a specifier is absolute, resolution is already finished. Three protocols are most common:
file: for local files
https: for remote files
node: for built-in modules (discussed later)
If a specifier is relative, it is resolved against the URL of the importing module.
If a specifier is bare:
If it starts with '#', it is resolved by looking it up among the package imports (which are explained later) and resolving the result.
Otherwise, it is a bare specifier that has one of these formats (the subpath is optional):
«package»/sub/path
@«scope»/«scoped-package»/sub/path
The resolution algorithm traverses the current directory and its ancestors until it finds a directory node_modules that has a subdirectory matching the beginning of the bare specifier, i.e. either:
node_modules/«package»/
node_modules/@«scope»/«scoped-package»/
That directory is the directory of the package. By default, the (potentially empty) subpath after the package ID is interpreted as relative to the package directory. The default can be overridden via package exports which are explained next.
The result of the resolution algorithm must point to a file. That explains why absolute specifiers and relative specifiers always have filename extensions. Bare specifiers mostly don’t because they are abbreviations that are looked up in package exports.
Module files usually have these filename extensions:
.mjs: it is always an ES module.
.js: it is an ES module if the closest package.json has this entry:
"type": "module"
If Node.js executes code provided via stdin, --eval or --print, we use the following command-line option so that it is interpreted as an ES module:
--input-type=module
In this subsection, we are working with a package that has the following file layout:
my-lib/
dist/
src/
main.js
util/
errors.js
internal/
internal-module.js
test/
Package exports are specified via property "exports" in package.json and support two important features:
Without property "exports", every module in package my-lib can be accessed via a relative path after the package name – e.g.:
'my-lib/dist/src/internal/internal-module.js'
Once the property exists, only specifiers listed in it can be used. Everything else is hidden from the outside.
Recall the three styles of bare specifiers:
Package exports help us with all three styles.
package.json:
{
"main": "./dist/src/main.js",
"exports": {
".": "./dist/src/main.js"
}
}
We only provide "main" for backward-compatibility (with older bundlers and Node.js 12 and older). Otherwise, the entry for "." is enough.
With these package exports, we can now import from my-lib as follows.
import {someFunction} from 'my-lib';
This imports someFunction() from this file:
my-lib/dist/src/main.js
package.json:
{
"exports": {
"./util/errors": "./dist/src/util/errors.js"
}
}
We are mapping the specifier subpath 'util/errors' to a module file. That enables the following import:
import {UserError} from 'my-lib/util/errors';
The previous subsection explained how to create a single mapping for an extension-less subpath. There is also a way to create multiple such mappings via a single entry:
package.json:
{
"exports": {
"./lib/*": "./dist/src/*.js"
}
}
Any file that is a descendant of ./dist/src/ can now be imported without a filename extension:
import {someFunction} from 'my-lib/lib/main';
import {UserError} from 'my-lib/lib/util/errors';
Note the asterisks in this "exports" entry:
"./lib/*": "./dist/src/*.js"
These are more instructions for how to map subpaths to actual paths than wildcards that match fragments of file paths.
package.json:
{
"exports": {
"./util/errors.js": "./dist/src/util/errors.js"
}
}
We are mapping the specifier subpath 'util/errors.js' to a module file. That enables the following import:
import {UserError} from 'my-lib/util/errors.js';
package.json:
{
"exports": {
"./*": "./dist/src/*"
}
}
Here, we shorten the module specifiers of the whole subtree under my-package/dist/src:
import {InternalError} from 'my-package/util/errors.js';
Without the exports, the import statement would be:
import {InternalError} from 'my-package/dist/src/util/errors.js';
Note the asterisks in this "exports" entry:
"./*": "./dist/src/*"
These are not filesystem globs but instructions for how to map external module specifiers to internal ones.
With the following trick, we expose everything in directory my-package/dist/src/ with the exception of my-package/dist/src/internal/:
"exports": {
"./*": "./dist/src/*",
"./internal/*": null
}
Note that this trick also works when exporting subtrees without filename extensions.
We can also make exports conditional: Then a given path maps to different values depending on the context in which a package is used.
Node.js vs. browsers. For example, we could provide different implementations for Node.js and for browsers:
"exports": {
".": {
"node": "./main-node.js",
"browser": "./main-browser.js",
"default": "./main-browser.js"
}
}
The "default" condition matches when no other key matches and must come last. Having one is recommended whenever we are distinguishing between platforms because it takes care of new and/or unknown platforms.
Development vs. production. Another use case for conditional package exports is switching between “development” and “production” environments:
"exports": {
".": {
"development": "./main-development.js",
"production": "./main-production.js"
}
}
In Node.js we can specify an environment like this:
node --conditions development app.mjs
Package imports let a package define abbreviations for module specifiers that it can use itself, internally (where package exports define abbreviations for other packages). This is an example:
package.json:
{
"imports": {
"#some-pkg": {
"node": "some-pkg-node-native",
"default": "./polyfills/some-pkg-polyfill.js"
}
},
"dependencies": {
"some-pkg-node-native": "^1.2.3"
}
}
The package import # is conditional (with the same features as conditional package exports):
If the current package is used on Node.js, the module specifier '#some-pkg' refers to package some-pkg-node-native.
Elsewhere, '#some-pkg' refers to the file ./polyfills/some-pkg-polyfill.js inside the current package.
(Only package imports can refer to external packages, package exports can’t do that.)
What are the use cases for package imports?
Be careful when using package imports with a bundler: This feature is relatively new and your bundler may not support it.
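As an added example that is not code from the book or from Node.js, the following resolver applies the "exports" and "imports" rules described in this and the preceding sections (exact keys, "*" subpath patterns, null to hide a subtree, condition objects with "default" last) to in-memory package.json objects. The function names splitBareSpecifier, resolveExports and resolveImports are assumptions; targets are returned as written in package.json rather than as file: URLs, and arrays of fallback targets are not handled.

```javascript
// Splits 'pkg/sub/path' or '@scope/pkg/sub/path' into {name, subpath}; the name is the
// directory looked up under node_modules/, the subpath is matched against "exports".
function splitBareSpecifier(specifier) {
  const parts = specifier.split('/');
  const nameLen = specifier.startsWith('@') ? 2 : 1;
  if (parts.length < nameLen) throw new Error(`Invalid bare specifier: ${specifier}`);
  return { name: parts.slice(0, nameLen).join('/'), subpath: parts.slice(nameLen).join('/') };
}

// Picks a target from a condition object; key order in package.json is the match order.
// Returns a string, null (explicitly hidden) or undefined (no condition matched).
function pickCondition(target, conditions) {
  if (target === null || typeof target === 'string') return target;
  for (const key of Object.keys(target)) {
    if (key === 'default' || conditions.includes(key)) {
      const picked = pickCondition(target[key], conditions);
      if (picked !== undefined) return picked;
    }
  }
  return undefined;
}

// Exact keys win; otherwise the pattern key with the longest prefix before "*" wins,
// which is what lets "./internal/*": null hide part of "./*". Returns null if not exported.
function lookup(map, key, conditions) {
  if (Object.prototype.hasOwnProperty.call(map, key)) return pickCondition(map[key], conditions) ?? null;
  let best;
  for (const pattern of Object.keys(map)) {
    const star = pattern.indexOf('*');
    if (star === -1) continue;
    const prefix = pattern.slice(0, star), suffix = pattern.slice(star + 1);
    const fits = key.startsWith(prefix) && key.endsWith(suffix) &&
      key.length >= prefix.length + suffix.length;
    if (fits && (!best || prefix.length > best.prefix.length)) best = { pattern, prefix, suffix };
  }
  if (!best) return null;
  const target = pickCondition(map[best.pattern], conditions);
  if (typeof target !== 'string') return null;
  // The "*" is not a glob: the text it stood for is substituted into the target.
  const captured = key.slice(best.prefix.length, key.length - best.suffix.length);
  return target.split('*').join(captured);
}

function resolveExports(exportsField, subpath, conditions = ['node', 'default']) {
  // A bare string, or a conditions object without "./" keys, is shorthand for the "." entry.
  const isShorthand = typeof exportsField === 'string' ||
    !Object.keys(exportsField).some((k) => k.startsWith('.'));
  const map = isShorthand ? { '.': exportsField } : exportsField;
  return lookup(map, subpath === '' ? '.' : './' + subpath, conditions);
}

function resolveImports(importsField, specifier, conditions = ['node', 'default']) {
  if (!specifier.startsWith('#')) throw new Error('Package imports must start with "#"');
  return lookup(importsField, specifier, conditions);
}

console.log(resolveExports({ './lib/*': './dist/src/*.js' }, 'lib/util/errors')); // ./dist/src/util/errors.js
```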
node: protocol imports
Node.js has many built-in modules such as 'path' and 'fs'. All of them are available as both ES modules and CommonJS modules. One issue with them is that they can be overridden by modules installed in node_modules which is both a security risk (if it happens accidentally) and a problem if Node.js wants to introduce new built-in modules in the future and their names are already taken by npm packages.
We can use the node: protocol to make it clear that we want to import a built-in module. For example, the following two import statements are mostly equivalent (if no npm module is installed that has the name 'fs'):
import * as fs from 'node:fs/promises';
import * as fs from 'fs/promises';
An additional benefit of using the node: protocol is that we immediately see that an imported module is built-in. Given how many built-in modules there are, that helps when reading code.
Due to node: specifiers having a protocol, they are considered absolute. That’s why they are not looked up in node_modules.
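As an added example (not code from the book), this check audits a package for the name clash the section describes: dependencies named like built-in modules, and imports of built-ins that omit the node: prefix and would therefore be subject to node_modules lookup. The function auditBuiltinNames, the BUILTINS subset and the sample package.json object and source text are constructed for this example; real code would take the list from require('node:module').builtinModules.

```javascript
// Constructed subset of Node.js built-in module names (real code: builtinModules).
const BUILTINS = ['fs', 'fs/promises', 'path', 'os', 'child_process', 'crypto', 'http', 'util'];

// 'fs/promises' -> 'fs': the package name a bare specifier would be looked up under.
const rootName = (specifier) => specifier.split('/')[0];

function auditBuiltinNames(pkg, source, builtins = BUILTINS) {
  const roots = new Set(builtins.map(rootName));
  const deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  // Dependencies that take a built-in's name and so end up in node_modules/<name>.
  const shadowing = Object.keys(deps).filter((name) => roots.has(name));
  // Specifiers of static ("from '...'") and dynamic ("import('...')") imports.
  const importRe = /(?:\bfrom\s*|\bimport\s*\(\s*)(['"])([^'"]+)\1/g;
  const unprefixed = [];
  for (const m of source.matchAll(importRe)) {
    const spec = m[2];
    if (!spec.startsWith('node:') && roots.has(rootName(spec))) unprefixed.push(spec);
  }
  // Suggested rewrites: node: specifiers are absolute and never looked up in node_modules.
  return { shadowing, unprefixed, fixed: unprefixed.map((s) => 'node:' + s) };
}

// Constructed sample input: one dependency named like a built-in, two unprefixed imports.
const SAMPLE_PKG = {
  name: 'my-package',
  dependencies: { fs: '^1.0.0', 'lodash-es': '^4.17.21' },
  devDependencies: { mocha: '^10.0.0' },
};
const SAMPLE_SOURCE = [
  "import * as fs from 'node:fs/promises';",
  "import {join} from 'path';",
  "import _ from 'lodash-es';",
  "const cp = await import('child_process');",
].join('\n');

const report = auditBuiltinNames(SAMPLE_PKG, SAMPLE_SOURCE);
console.log(report);
// { shadowing: ['fs'], unprefixed: ['path', 'child_process'], fixed: ['node:path', 'node:child_process'] }
```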