npm, the Node Package Manager, is the tool you use to manage dependencies, run scripts, and maintain project metadata. Its main purpose, however, is to download packages from the npm registry and install them into your project.
Downloading and installing a package is done with npm's install command:

$ npm install express
+ express@4.17.1
added 50 packages from 37 contributors and audited 126 packages in 3.262s
found 0 vulnerabilities
When you run the install command like this, npm by default retrieves whatever version the registry's latest tag points to, which for Express was v4.17.1 at the time of this writing.
But what if we need a different version? Maybe the latest release breaks a feature we depend on, or maybe it has a known security vulnerability that the maintainer hasn't fixed yet. In cases like this, you want to install a specific version of the package that you know works, or that you have reviewed and consider "safe".
To do this, specify the version using the syntax npm install [package]@[version]. Continuing with the example above, we would run:

$ npm install express@4.16.1
+ express@4.16.1
added 48 packages from 36 contributors and audited 121 packages in 2.986s
found 0 vulnerabilities
As you can see, npm has installed exactly the version we asked for. Note, though, that npm still records the dependency in package.json with its default caret prefix ("express": "^4.16.1"), not as an exact pin; only package-lock.json records that 4.16.1 was installed. If you want package.json itself to pin the version, pass --save-exact (or set save-exact=true in .npmrc).
npm also lets you declare a version range instead of an exact version. Prefix the version with a tilde (~) to accept newer patch releases, or a caret (^) to accept newer minor and patch releases; for versions below 1.0.0 the caret is stricter, so ^0.2.3 allows only 0.2.x. This way you declare a range you consider compatible but still get the newest release within it.
So, for example, if you want Express 4.16 but the patch version isn't important, use the tilde to tell npm to retrieve the latest patch release:

$ npm install express@~4.16.1
+ express@4.16.4
added 48 packages from 36 contributors and audited 121 packages in 3.02s
found 0 vulnerabilities
Because we prefixed the version with ~, npm retrieved the latest patch release within the 4.16 minor line, which turned out to be 4.16.4.
This is useful when you don't need one exact version but want to pick up patch releases, including security fixes, without editing package.json. The trade-off is that a range is resolved at install time: two installs from the same package.json can produce different dependency trees unless package-lock.json is committed and installs use npm ci, and a freshly published patch release (legitimate or a compromised one) is pulled in automatically with no review on your side.
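To make the tilde and caret rules concrete, here is a small resolver that mimics how npm picks a version for an exact pin, a ~ range or a ^ range, including the stricter caret behaviour below 1.0.0 that the text mentions. This is an added example, not code from the original article or from npm; the list of "published" versions is constructed, with 4.16.1, 4.16.4 and 4.17.1 taken from the article and the rest made up, and real npm uses the semver package, which supports far more range syntax than the three forms handled here.

```javascript
// Added example, not code from the original article or from npm itself.
// A minimal resolver that mimics how npm chooses a version for an exact
// pin, a tilde (~) range or a caret (^) range. Real npm delegates to the
// `semver` package, which supports much more syntax (||, >=, x-ranges,
// prerelease tags); only the three forms discussed in the text are handled.

// Parse "4.16.1" into [4, 16, 1]; reject anything that is not MAJOR.MINOR.PATCH.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a full semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper bound:
//   "4.16.1"   -> [4.16.1, 4.16.2)  exact pin: only that version
//   "~4.16.1"  -> [4.16.1, 4.17.0)  patch releases only
//   "^4.16.1"  -> [4.16.1, 5.0.0)   minor and patch releases
//   "^0.2.3"   -> [0.2.3, 0.3.0)    caret below 1.0.0 only allows patch moves
//   "^0.0.3"   -> [0.0.3, 0.0.4)    caret on 0.0.x behaves like an exact pin
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const [major, minor, patch] = parseVersion(op ? range.slice(1) : range);
  let upper;
  if (op === '~') {
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    upper = [major, minor, patch + 1];
  }
  return { lower: [major, minor, patch], upper };
}

// True when `version` lies inside the bounds of `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
}

// Pick the highest published version inside the range, which is what npm does
// at install time when package-lock.json does not already pin the package.
// Returns null when nothing matches (npm fails with code ETARGET in that case).
function resolve(range, published) {
  const matching = published.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  matching.sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed stand-in for the registry's published versions of express.
// 4.16.1, 4.16.4 and 4.17.1 are the versions named in the article; the rest
// are made up so the ranges have something to choose between.
const PUBLISHED = ['4.16.0', '4.16.1', '4.16.3', '4.16.4', '4.17.0', '4.17.1', '5.0.0'];

// Constructed 0.x versions to show the caret's pre-1.0 behaviour.
const ZERO_X = ['0.0.3', '0.0.4', '0.2.3', '0.2.9', '0.3.0'];

for (const range of ['4.16.1', '~4.16.1', '^4.16.1']) {
  console.log(`${range.padEnd(8)} -> ${resolve(range, PUBLISHED)}`);
}
for (const range of ['^0.2.3', '^0.0.3']) {
  console.log(`${range.padEnd(8)} -> ${resolve(range, ZERO_X)}`);
}
```

Run it with node and compare the output against the install transcripts above: ~4.16.1 resolves to 4.16.4 as in the article, while ^4.16.1, the prefix npm writes to package.json by default, would have happily moved to 4.17.1. The exclusive upper bound is what keeps a caret range from ever crossing a major version, and why ^0.2.3 never reaches 0.3.0.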
For more info, check out Caret vs Tilde in package.json.