The npm registry contains packages, many of which are also Node modules, or contain Node modules.
A package is a file or directory that is described by a package.json file. A package must contain a package.json file in order to be published to the npm registry. For more information on creating a package.json file.
Packages can be unscoped or scoped to a user or Org, and scoped packages can be private or public.
A package is any of the following:
- <name>@<version> that is published on the registry with (c).
- <name>@<tag> that points to (d).
- <name> that has a latest tag satisfying (e).
- git url that, when cloned, results in (a).

Git URLs used for npm packages can be formatted in the following ways:
The commit-ish can be any tag, sha, or branch that can be supplied as an argument to git checkout. The default commit-ish is master.
A module is any file or directory in the node_modules directory that can be loaded by the Node.js require() function.
To be loaded by the Node.js require() function, a module must be one of the following:
- A folder with a package.json file containing a "main" field.
- A folder with an index.js file in it.

Since modules are not required to have a package.json file, not all modules are packages. Only modules that have a package.json file are also packages. So a folder that contains a package.json file can be called either a module or a package. But if the folder doesn't contain a package.json file, it cannot be called a package. It is a module.
There are billions of packages in the npm registry, so it is very common for your package name to match an existing one. To resolve this conflict, you can use a scope, which allows you to create a package with the same name as another package.
The scope name is everything between the @ and the slash:
```
// npm scope
@npm/package-name
// npmcorp
@npmcorp/package-name
```
Your username is always the scope name.
As an npm user or Org member, you can create and publish public packages that anyone can download and use in their own projects.
- Unscoped public packages exist in the global public registry namespace and can be referenced in a package.json file with the package name alone: package-name.
- Scoped public packages belong to a user or Org and must be preceded by the user or Org name when included as a dependency in a package.json file:

With npm private packages, you can use the npm registry to host code that is only visible to you and chosen collaborators, allowing you to manage and use private code alongside public code in your projects. To create or use private packages you must be a paid user.
Private packages always have a scope, and scoped packages are private by default.
- User-scoped private packages can only be accessed by you and collaborators to whom you have granted read or read/write access.
- Org-scoped private packages can only be accessed by teams that have been granted read or read/write access.

Visibility of npm packages depends on the scope (namespace) in which the package is contained, and the access level (private or public) set for the package.
| Scope | Access level | Can view and download | Can write (publish) |
|---|---|---|---|
| Org | Private | Members of a team in the Org with read access to the package | Members of a team in the Org with read and write access to the package |
| Org | Public | Everyone | Members of a team in the Org with read and write access to the package |
| User | Private | The package owner and users who have been granted read access to the package. | The package owner and users who have been granted read and write access to the package. |
| User | Public | Everyone | The package owner and users who have been granted read and write access to the package. |
| Unscoped | Public | Everyone | The package owner and users who have been granted read and write access to the package. |
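
The package forms, scope rule and visibility table above can be applied to a manifest when reviewing dependencies. The following is an added example, not npm's own code: it classifies each dependency of a constructed package.json by scope and by specifier kind (version, tag, git URL). The package names, the `git.example.invalid` host and the function names are hypothetical, and the version-versus-tag test is a simplification of npm's real parsing.

```javascript
// Added example, not npm's own code. The manifest is constructed; all names are hypothetical.
const manifest = {
  dependencies: {
    'left-pad-example': '^1.3.0',
    '@acme-example/billing-client': '2.1.0',
    '@acme-example/ui-kit': 'beta',
    'report-tool-example': 'git+https://git.example.invalid/tools/report.git',
    'log-lib-example': 'git+ssh://git@git.example.invalid:libs/log.git#v1.4.2',
  },
};

// The scope name is everything between the leading "@" and the slash.
function parseName(name) {
  const m = /^@([^/@]+)\/([^/@]+)$/.exec(name);
  if (m) return { scope: m[1], bare: m[2] };
  if (name.startsWith('@') || name.includes('/')) {
    throw new Error('malformed package name: ' + name);
  }
  return { scope: null, bare: name };
}

// Simplified classifier (assumption): git URL, else version/range, else tag.
function parseSpec(spec) {
  if (/^(git\+(ssh|https?|file):\/\/|git:\/\/)/.test(spec)) {
    const hash = spec.indexOf('#');
    // Without "#<commit-ish>" the clone uses the default commit-ish, master.
    return hash === -1
      ? { kind: 'git', commitIsh: 'master', explicitRef: false }
      : { kind: 'git', commitIsh: spec.slice(hash + 1), explicitRef: true };
  }
  if (/^[\^~<>=]*\s*v?\d|^[*xX]$/.test(spec)) return { kind: 'version' };
  return { kind: 'tag', tag: spec };
}

// One row per dependency, with notes a reviewer would want to see.
function auditDependencies(pkg) {
  return Object.entries(pkg.dependencies || {}).map(([name, spec]) => {
    const { scope } = parseName(name);
    const parsed = parseSpec(spec);
    const notes = [];
    if (scope === null) notes.push('unscoped: public, global namespace');
    if (parsed.kind === 'tag') notes.push('tag: version depends on where the tag points');
    if (parsed.kind === 'git' && !parsed.explicitRef) notes.push('git: no commit-ish given');
    return { name, scope, ...parsed, notes };
  });
}

for (const row of auditDependencies(manifest)) console.log(JSON.stringify(row));
```

Unscoped names can never be private packages, so any internal dependency that shows up with `scope: null` deserves a second look during review.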