Language · Beginner · 3h

Package management.

npm/pnpm, semver, lockfiles, and dependency hygiene.

What is package management?

Package management is how your service declares, installs, and pins the code it depends on. package.json lists what you want, the lockfile records exactly what you got, and the package manager makes the two agree on every machine.

Why it matters

Dependencies are most of the code that runs in production, and most of the security surface. A sloppy setup gives you "works on my machine," surprise breakages on deploy, and silent vulnerable versions. Reproducible installs are the floor for shipping anything reliably.

What to learn

  • package.json: dependencies vs devDependencies vs scripts
  • Semver ranges: ^, ~, and exact pins
  • The lockfile and why it must be committed
  • npm vs pnpm vs yarn, and why pnpm saves disk and time
  • npm ci / pnpm install --frozen-lockfile for clean installs
  • Auditing for vulnerabilities and updating safely
  • Avoiding unnecessary dependencies

Common pitfall

Not committing the lockfile, or deleting it to "fix" an install. The lockfile is what guarantees every machine and the production server install the exact same versions. Without it, a transitive dependency can quietly update between your test and your deploy, and the bug only shows up in production.

Resources

Primary (free):

Practice

In a fresh project, install one runtime dependency and one dev dependency, then open the lockfile and find the exact resolved versions. Change a ^ range to an exact pin and reinstall. Run the frozen-lockfile install and confirm it fails if the lockfile is out of date. Done when you can explain what the lockfile guards.

Outcomes

  • Explain the difference between package.json ranges and the lockfile.
  • Read a semver range and predict which updates it allows.
  • Run a reproducible, frozen-lockfile install for CI.
  • Decide whether a new dependency is worth adding.