npm & yarn Cheat Sheet

Project Init

npm	yarn	Description
`npm init`	`yarn init`	Create package.json interactively
`npm init -y`	`yarn init -y`	Create with defaults (skip prompts)
`npm create vite@latest`	`yarn create vite`	Create project from initializer
`npx create-react-app app`	`yarn dlx create-react-app app`	Run package without installing

Installing Packages

npm	yarn	Description
`npm install`	`yarn`	Install all dependencies from package.json
`npm install pkg`	`yarn add pkg`	Add package as dependency
`npm install pkg@2.0`	`yarn add pkg@2.0`	Install specific version
`npm install -D pkg`	`yarn add -D pkg`	Add as dev dependency
`npm install -g pkg`	`yarn global add pkg`	Install globally
`npm ci`	`yarn install --frozen-lockfile`	Clean install (CI/CD, exact lockfile)
`npm install --legacy-peer-deps`	—	Ignore peer dependency conflicts

Tip: Use npm ci (or yarn --frozen-lockfile) in CI/CD pipelines. It's faster and ensures exact versions from the lock file are used.

Removing & Updating

npm	yarn	Description
`npm uninstall pkg`	`yarn remove pkg`	Remove package
`npm uninstall -g pkg`	`yarn global remove pkg`	Remove global package
`npm update`	`yarn upgrade`	Update all packages
`npm update pkg`	`yarn upgrade pkg`	Update specific package
`npm outdated`	`yarn outdated`	List outdated packages
`npx npm-check-updates -u`	—	Update all versions in package.json
`npm audit`	`yarn audit`	Check for vulnerabilities
`npm audit fix`	—	Auto-fix vulnerabilities
`npm dedupe`	`yarn dedupe`	Remove duplicate packages

Scripts

npm	yarn	Description
`npm run dev`	`yarn dev`	Run custom script
`npm start`	`yarn start`	Run "start" script
`npm test`	`yarn test`	Run "test" script
`npm run build`	`yarn build`	Run "build" script
`npx pkg`	`yarn dlx pkg`	Execute package binary

// package.json scripts section
{
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "preview": "vite preview",
    "lint": "eslint src/",
    "test": "vitest",
    "preinstall": "npx only-allow pnpm"   // lifecycle hook
  }
}

Tip: npm start, npm test, and npm stop don't need the run keyword. All other scripts need npm run <script>.

Package Info

npm	Description
`npm list`	List installed packages (tree)
`npm list --depth=0`	List top-level packages only
`npm list -g --depth=0`	List global packages
`npm info pkg`	Show package info from registry
`npm info pkg versions`	List all available versions
`npm search keyword`	Search npm registry
`npm docs pkg`	Open package documentation
`npm repo pkg`	Open package repository
`npm explain pkg`	Show why a package is installed

Versioning

Range	Meaning	Example
`1.2.3`	Exact version	Only 1.2.3
`^1.2.3`	Compatible (same major)	>=1.2.3 <2.0.0
`~1.2.3`	Approximately (same minor)	>=1.2.3 <1.3.0
`>=1.2.3`	Greater than or equal	>=1.2.3
`1.x`	Any minor/patch in major 1	>=1.0.0 <2.0.0
`*`	Any version	Latest
`latest`	Latest published version	Tag-based

# Bump version
npm version patch   # 1.0.0 → 1.0.1
npm version minor   # 1.0.0 → 1.1.0
npm version major   # 1.0.0 → 2.0.0

SemVer: MAJOR.MINOR.PATCH — Major = breaking changes, Minor = new features (backward compatible), Patch = bug fixes.

Publishing

Command	Description
`npm login`	Log in to npm registry
`npm whoami`	Show current logged-in user
`npm publish`	Publish package to registry
`npm publish --access public`	Publish scoped package as public
`npm unpublish pkg@1.0.0`	Unpublish specific version
`npm deprecate pkg "message"`	Mark package as deprecated
`npm pack`	Create tarball without publishing
`npm link`	Symlink package for local development

Configuration

Command	Description
`npm config list`	Show current config
`npm config set key value`	Set config value
`npm config get registry`	Get registry URL
`npm cache clean --force`	Clear npm cache
`npm root -g`	Show global packages directory

# .npmrc (project or user config)
registry=https://registry.npmjs.org/
save-exact=true
engine-strict=true

pnpm (Alternative)

pnpm	Equivalent
`pnpm install`	`npm install` / `yarn`
`pnpm add pkg`	`npm install pkg` / `yarn add pkg`
`pnpm add -D pkg`	`npm install -D pkg`
`pnpm remove pkg`	`npm uninstall pkg`
`pnpm run dev`	`npm run dev`
`pnpm dlx pkg`	`npx pkg`

Tip: pnpm uses a content-addressable store and hard links, making it faster and more disk-efficient than npm. It also enforces strict dependency isolation.

package.json Key Fields

Field	Description
`name`	Package name (lowercase, no spaces)
`version`	SemVer version string
`description`	Short description
`main`	Entry point for CommonJS
`module`	Entry point for ES modules
`type`	`"module"` for ESM, `"commonjs"` for CJS
`scripts`	Runnable commands
`dependencies`	Production dependencies
`devDependencies`	Development-only dependencies
`peerDependencies`	Required by host package
`engines`	Required Node.js / npm versions
`files`	Files to include when publishing
`private`	`true` prevents accidental publishing
`license`	SPDX license identifier