Installing and Managing npm Packages

npm (Node Package Manager) is the world’s largest software registry, hosting over two million packages. Every package you install in your MERN project — Express, Mongoose, React, Axios, bcryptjs, jsonwebtoken — comes from npm, and so does everything those packages depend on. All of that code runs with the same privileges as the code you wrote, so choosing what to install and which version to install is a security decision as well as a convenience. Knowing how to install, update, remove, and audit packages correctly is a daily skill. A MERN developer who understands the npm workflow spends less time debugging mysterious errors caused by version mismatches, missing packages, or bloated dependencies.

The Core npm Packages Every MERN Project Needs

Package           Layer    Purpose                                   Install command
express           Server   HTTP server and routing framework         npm install express
mongoose          Server   MongoDB ODM — schemas, models, queries    npm install mongoose
dotenv            Server   Load .env file into process.env           npm install dotenv
cors              Server   Enable cross-origin requests from React   npm install cors
bcryptjs          Server   Hash passwords securely                   npm install bcryptjs
jsonwebtoken      Server   Create and verify JWT tokens              npm install jsonwebtoken
nodemailer        Server   Send emails from Node.js                  npm install nodemailer
multer            Server   Handle multipart file uploads             npm install multer
helmet            Server   Set security HTTP headers                 npm install helmet
react             Client   UI library                                Included via Vite scaffold
react-router-dom  Client   Client-side routing                       npm install react-router-dom
axios             Client   HTTP client for API calls                 npm install axios
Note: npm installs packages into the nearest node_modules folder relative to where you run the command. Always cd into the correct project directory (server/ or client/) before running npm install. Running it from the project root installs into the root node_modules — not inside the sub-project where you need it.
Tip: Use npm install package1 package2 package3 to install multiple packages in one command instead of running npm install separately for each one. This is faster because npm resolves and downloads all dependencies in a single pass: npm install express mongoose dotenv cors helmet bcryptjs jsonwebtoken
Warning: Always run npm audit before deploying to production. npm audit checks every installed package, transitive dependencies included, against the registry's vulnerability advisory database and reports known issues by severity. Run npm audit fix to apply the updates that stay within the semver ranges in package.json. For findings whose fix requires a major version bump (potentially breaking changes), review them manually before updating. In a CI pipeline, npm audit --audit-level=high makes the command exit non-zero only for high or critical findings, which is a sensible deployment gate.

Installing Packages

# ── Install a production dependency ──────────────────────────────────────────
npm install express
# Adds to "dependencies" in package.json
# Installs into node_modules/

# ── Install a dev-only dependency ─────────────────────────────────────────────
npm install -D nodemon
# Adds to "devDependencies" in package.json
# Short form: npm install --save-dev nodemon

# ── Install multiple packages at once ─────────────────────────────────────────
npm install express mongoose dotenv cors helmet bcryptjs jsonwebtoken nodemailer multer

# ── Install all dependencies from an existing package.json ───────────────────
npm install
# Use this after cloning a project — installs everything listed in package.json
# Commit package-lock.json: it records the exact resolved version and integrity hash
# of every package, so a fresh install reproduces the tree you tested. In CI, prefer
# npm ci, which installs from the lockfile alone and fails if it disagrees with package.json.

# ── Install a specific version ────────────────────────────────────────────────
npm install express@4.18.2        # installs exactly 4.18.2, but package.json still records "^4.18.2"
npm install express@^4.18.0       # caret range: highest 4.x at or above 4.18.0
npm install --save-exact express  # installs the latest version and records it with no ^ prefix,
                                  # so later installs do not silently drift to a newer minor/patch

Updating and Removing Packages

# ── Check which packages have updates available ───────────────────────────────
npm outdated
# Output:
# Package    Current  Wanted   Latest
# mongoose   8.0.0    8.1.3    8.1.3
# express    4.18.2   4.18.3   5.0.0   ← Latest is 5.x (major bump — may break things)

# ── Update all packages within their semver range ─────────────────────────────
npm update
# Updates to "Wanted" version (respects ^ and ~ ranges in package.json)
# Does NOT update across major versions

# ── Update a single package ───────────────────────────────────────────────────
npm update mongoose

# ── Remove a package ──────────────────────────────────────────────────────────
npm uninstall express
# Removes from node_modules AND from package.json dependencies

# ── Remove a dev dependency ───────────────────────────────────────────────────
npm uninstall -D nodemon
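The Wanted and Latest columns in the npm outdated output above are plain semver arithmetic. The following is an added example, not code from the original page, written for Node.js (CommonJS): a minimal matcher for exact, tilde and caret ranges on MAJOR.MINOR.PATCH versions, plus a function that reproduces the outdated columns from a constructed list of published versions. It assumes no pre-release tags and treats the highest published version as Latest (the real command reads the registry's latest dist-tag instead).

```javascript
// Added example: reproduce what `npm outdated` reports as Current / Wanted / Latest.
// Assumptions: versions are plain MAJOR.MINOR.PATCH (no pre-release tags) and "Latest"
// is the highest published version. The registry listings below are constructed.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Translate a package.json range into an inclusive lower and exclusive upper bound:
//   1.2.3  -> >=1.2.3 <1.2.4   (exact)
//   ~1.2.3 -> >=1.2.3 <1.3.0   (patch updates only)
//   ^1.2.3 -> >=1.2.3 <2.0.0   (minor and patch; ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4)
function bounds(range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const [maj, min, pat] = parse(op ? range.slice(1) : range);
  let upper;
  if (op === '^') {
    if (maj > 0) upper = [maj + 1, 0, 0];
    else if (min > 0) upper = [0, min + 1, 0];
    else upper = [0, 0, pat + 1];
  } else if (op === '~') {
    upper = [maj, min + 1, 0];
  } else {
    upper = [maj, min, pat + 1];
  }
  return { lower: [maj, min, pat].join('.'), upper: upper.join('.') };
}

function satisfies(version, range) {
  const { lower, upper } = bounds(range);
  return compare(version, lower) >= 0 && compare(version, upper) < 0;
}

// Wanted = highest published version inside the range (where `npm update` stops);
// Latest = highest published version overall; majorBump flags a 5.x-style jump.
function outdated(name, current, range, published) {
  const sorted = [...published].sort(compare);
  const inRange = sorted.filter((v) => satisfies(v, range));
  const wanted = inRange.length ? inRange[inRange.length - 1] : current;
  const latest = sorted[sorted.length - 1];
  return { name, current, wanted, latest, majorBump: parse(latest)[0] > parse(wanted)[0] };
}

// Constructed registry listings, not real data.
const REGISTRY = {
  express: ['4.18.0', '4.18.1', '4.18.2', '4.18.3', '5.0.0'],
  mongoose: ['8.0.0', '8.0.1', '8.1.0', '8.1.3'],
};

function report() {
  return [
    outdated('express', '4.18.2', '^4.18.0', REGISTRY.express),
    outdated('mongoose', '8.0.0', '~8.0.0', REGISTRY.mongoose),
  ];
}

function formatReport(rows) {
  const lines = ['Package    Current  Wanted   Latest'];
  for (const r of rows) {
    lines.push(`${r.name.padEnd(10)} ${r.current.padEnd(8)} ${r.wanted.padEnd(8)} ${r.latest}` +
      (r.majorBump ? '  <- major bump' : ''));
  }
  return lines.join('\n');
}

console.log(formatReport(report()));
```

The tilde example is the one to notice: with "~8.0.0" in package.json, npm update stops at 8.0.1 even though 8.1.3 is published, so a security fix released only in 8.1.x would never arrive through npm update alone.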

Security Auditing

# ── Run a security audit ──────────────────────────────────────────────────────
npm audit
# Output:
# found 3 vulnerabilities (1 low, 1 moderate, 1 high)
# Run `npm audit fix` to fix them, or `npm audit` for details.

# ── Auto-fix safe vulnerabilities (stays within semver range) ─────────────────
npm audit fix

# ── Fix including major version bumps (potentially breaking) ─────────────────
npm audit fix --force
# Use with caution — test thoroughly after running this

# ── View detailed vulnerability report ───────────────────────────────────────
npm audit --json   # machine-readable JSON output

Useful Inspection Commands

# List all installed top-level packages
npm list --depth=0

# See all versions of a package available on npm
npm view express versions

# See the latest stable version of a package
npm view mongoose version

# See full package details (dependencies, homepage, repository)
npm view express

# Find where packages are installed
npm root       # shows the node_modules path for the current project
npm root -g    # same, for globally installed packages
# Package CLI tools live in node_modules/.bin; run them with npx <tool>.
# (The old `npm bin` command that printed that path was removed in npm 9.)

Common Mistakes

Mistake 1 — Running npm install from the wrong directory

❌ Wrong — installing server packages from the project root:

cd mern-blog             # project root
npm install mongoose     # installs in mern-blog/node_modules — NOT in server/node_modules
# server/index.js: Cannot find module 'mongoose'

✅ Correct — always cd into the sub-project first:

cd mern-blog/server
npm install mongoose     # correctly installed in server/node_modules ✓

Mistake 2 — Deleting node_modules to “fix” an issue without reinstalling

❌ Wrong — deleting node_modules and thinking the problem is resolved:

rm -rf node_modules   # deleted
node index.js         # Error: Cannot find module 'express' — nothing is installed!

✅ Correct — after deleting node_modules always run npm install to restore everything:

rm -rf node_modules
npm install           # reinstalls everything from package.json ✓

Mistake 3 — Ignoring npm audit warnings before deployment

❌ Wrong — deploying with known high-severity vulnerabilities:

npm audit
# 1 high severity vulnerability
# → Prototype pollution in package X: attacker-controlled input can add or overwrite
#   properties on Object.prototype, corrupting logic across the whole app and, where a
#   suitable gadget exists, escalating to remote code execution
# Developer ignores this and deploys anyway

✅ Correct — treat high- and critical-severity audit findings as blockers before any production deployment. Run npm audit fix, rerun npm audit to confirm the finding is gone, and run your test suite to verify the update did not break the application. When the vulnerable package is a transitive dependency with no fix inside your ranges, check whether the affected code path is actually reachable from your application, upgrade or replace the direct dependency that pulls it in, or use the overrides field in package.json to force a patched version as a stopgap; do not silently accept the risk.

Quick Reference

Task                            Command
Install prod dependency         npm install package-name
Install dev dependency          npm install -D package-name
Install all from package.json   npm install
Remove a package                npm uninstall package-name
Check for updates               npm outdated
Update within semver range      npm update
Security audit                  npm audit
Auto-fix vulnerabilities        npm audit fix
List installed packages         npm list --depth=0
View package details            npm view package-name

🧠 Test Yourself

You run npm audit before deploying your MERN app to production and find 1 high-severity vulnerability in a package. What is the correct response?