npm module maintainer must-haves

Maintaining a module on npm can be a little daunting. For modules with lots of dependencies, the task of keeping them up-to-date can be time-consuming. These two handy modules are must-haves for making the process quick and easy. Install them globally to get the best effect:

nsp audit

  • npm install -g nsp
  • nsp audit-package

The Node Security Project maintains a database of security vulnerabilities in modules on npm. The nsp module will audit your package.json (or npm-shrinkwrap.json) file to check if any of your current dependencies have known vulnerabilities.

Vulnerabilities tend to get patched up pretty quickly. Knowing about them gives you the choice to upgrade or find an alternative dependency to keep your code secure.


  • npm install -g npm-check
  • npm-check

This is the missing module for maintainers. npm-check uses semver to output how far out-of-date your dependencies are, and also reports on modules that seem to be unused.

If you've reviewed your dependencies and decided it's time to do some updates, you can run npm-check -u to get an interactive upgrade experience! Mark the modules you want to upgrade with a space, then hit enter, and npm-check will fix up your package.json and run npm install. Finally, it reminds you to run your test suite at the end. Pure awesome.

npm-check -ups updates all production dependencies, skipping any seemingly unused ones (in Ghost's case, they are used)

Bonus tips...

Back in February, I watched Dan Hough's talk on npm module maintenance best practice at LNUG. The talk was also distilled into a handy blog post. There were two key take-aways that I wanted to reiterate:

Don't overlook

GitHub's file is a much under-used feature. It's the first thing I look for when I visit a new repo and usually I'm hunting for info on the project's preferred medium for questions, as every project is different. It's always worth taking two minutes to include one, even if it just says 'Please contribute'. It really helps to give new would-be-contributors like me confidence to get involved.

shrinkwrap for releases

The importance and usefulness of npm-shrinkwrap cannot be overstated. I recently started shipping an npm-shrinkwrap.json file with the released versions of Ghost, which helps to ensure everyone gets the same experience. Most importantly, it eliminates tricky bugs caused by dependencies getting accidental breaking changes.

Admittedly, we still don't use it in the master branch because managing the checked-in file is a bit clunky, especially with a fast-moving codebase. However, we'll likely review this as the project matures.
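
A shrinkwrap only gives everyone the same install if it actually covers what package.json declares, so it is worth checking before a release. The sketch below is an added example, not Ghost's code: the package names, versions and URLs are constructed, and the rule that tarballs must resolve from the public registry is an assumed policy.

```javascript
// Added example. Both manifests are constructed samples; a release script
// would JSON.parse the real package.json and npm-shrinkwrap.json instead.
const samplePkg = {
  dependencies: { 'example-web': '~4.2.0', 'example-db': '^1.0.0', 'example-mail': '^0.3.1' }
};
const sampleShrinkwrap = {
  dependencies: {
    'example-web': {
      version: '4.2.1',
      resolved: 'https://registry.npmjs.org/example-web/-/example-web-4.2.1.tgz',
      dependencies: { 'example-util': { version: '^2.0.0' } } // a range, not a pin
    },
    'example-db': {
      version: '1.0.3',
      resolved: 'git+https://git.example.invalid/fork/example-db.git#abc123'
    }
    // 'example-mail' is absent: added to package.json after the last shrinkwrap
  }
};

// Exact semver only: no ranges, tags or URLs.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Yield every entry in the nested "dependencies" tree together with its path.
function* walk(deps, trail = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    yield { where: here.join(' > '), entry };
    yield* walk(entry.dependencies, here);
  }
}

// Returns a list of problems; an empty list means the release is fully pinned.
// `registry` is the assumed policy: tarballs must come from this origin.
function checkShrinkwrap(pkg, shrinkwrap, registry = 'https://registry.npmjs.org/') {
  const problems = [];
  const top = shrinkwrap.dependencies || {};
  for (const name of Object.keys(pkg.dependencies || {})) {
    const pinned = Object.prototype.hasOwnProperty.call(top, name);
    if (!pinned) problems.push(`${name}: declared but not shrinkwrapped`);
  }
  for (const { where, entry } of walk(top)) {
    if (!EXACT.test(entry.version || '')) problems.push(`${where}: version "${entry.version}" is not an exact pin`);
    if (entry.resolved && !entry.resolved.startsWith(registry)) problems.push(`${where}: resolved outside ${registry}`);
  }
  return problems;
}

console.log(checkShrinkwrap(samplePkg, sampleShrinkwrap).join('\n') || 'shrinkwrap OK');
```

Failing the release build when the returned list is non-empty catches a stale shrinkwrap before it ships.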