Demystifying npm: What Actually Happens When You Install and Publish


npm powers the JavaScript ecosystem, but many developers still treat it as a black box.

This talk aims to demystify core npm workflows and give developers with various levels of experience a clearer mental model of how npm works behind the scenes. With the rise of AI-assisted coding, many engineers are shipping code that depends on npm without deeply understanding it. Meanwhile, seasoned developers often struggle with subtleties around publishing, dependency resolution, and security.

This talk clarifies the install and publish lifecycle, surfaces modern best practices, and offers decision-making tools that help developers avoid surprises and regain control over their tooling.

This talk was presented at JSNation US 2025; check out the latest edition of this JavaScript conference.

Karen Li

Check out more articles and videos

We constantly look for articles and videos that might spark Git people's interest, skill us up, or help build a stellar career.

Levelling up Monorepos with npm Workspaces
DevOps.js Conf 2022
33 min
npm workspaces help manage multiple nested packages within a single top-level package and have kept improving since the release of npm CLI 7.0. You can easily add dependencies to workspaces and handle duplication. Running scripts and orchestration in a monorepo is made easier with npm workspaces. The npm pkg command is useful for setting and retrieving keys and values in package.json files. npm workspaces offer benefits compared to Lerna, and future plans include better workspace linking and adding missing features.
Security Controls in the JavaScript Supply Chain
JSNation 2022
28 min
This talk discusses the security challenges in the JavaScript ecosystem, including supply chain security, lock file tampering, and arbitrary command execution. It highlights the risks of blind upgrades and hidden comments in code. The talk also covers dependency confusion attacks and the importance of establishing a threat model for Node applications.
Package Management in Monorepos
DevOps.js Conf 2024
19 min
This talk discusses pain points and effective package management in monorepos, including the use of hoisted or isolated layouts and the challenges of working with peer dependencies. It introduces the tool Bit, which addresses these issues and handles dependency management and version control. Bit enables automatic installation and management of dependencies, supports multiple versions of a peer dependency, and seamlessly updates components across different environments.
The Secret Life of Package Managers
Node Congress 2022
9 min
npm install can be a mysterious process, but understanding how package managers work is essential. npm solved problems like large node_modules, circular dependencies, and multiple instances of the same package. Managing package versions and conflicts is crucial for consistency across projects. Alternative approaches to package management, like pnpm and Yarn 2, provide insights into the hidden complexities of package managers.
Package-based Monorepos - Speed Up in Under 7 Minutes
JSNation 2023
9 min
The talk discusses speeding up monorepos in a pnpm workspace by organizing packages and considering dependencies. It covers installing and configuring the nx package, including choosing cacheable scripts. The nx graph command is introduced for analyzing dependencies and optimizing the build process.
What's New in npm?
DevOps.js Conf 2021
26 min
Welcome to my talk on what's new in the npm CLI. npm v7 introduced many new capabilities, including installing peer dependencies by default. npm v7 also introduced support for workspaces, allowing the definition of projects within your root project. The npm team is continuously improving the CLI with weekly releases and is working on exciting features in collaboration with GitHub. npm is not an acronym for Node Package Manager, and the CLI will continue to improve with the support of the growing team.

Workshops on related topic

Finding, Hacking and Fixing Your NodeJS Vulnerabilities with Snyk
JSNation 2022
99 min
Workshop
Matthew Salmon
npm and security: how much do you know about your dependencies?
- Hack-along: live hacking of a vulnerable Node app, https://github.com/snyk-labs/nodejs-goof, covering vulnerabilities from both open source and hand-written code. You are encouraged to download the application and hack along with us.
- Fixing the issues and an introduction to Snyk with a demo.
- Open questions.
Build Web3 Apps with React
React Summit 2022
51 min
Workshop
Shain Dholakiya
The workshop is designed to help Web2 developers start building for Web3 using the Hyperverse. The Hyperverse is an open marketplace of community-built, audited, easy-to-discover smart modules. Our goal is to make it easy for React developers to build Web3 apps without writing a single line of smart contract code. Think "npm for smart contracts."
We will go over all the blockchain/crypto basics you need to know to start building on the Hyperverse, so you do not need any previous knowledge of the Web3 space. You just need to have React experience.