HOWTO: Inspect, Download and Extract NPM Packages

Jan 11, 2018 • packagecloud

TL;DR

This post outlines how to inspect the registry information of an NPM package using the npm view command, download an NPM package directly from a registry using the npm pack command, and extract the contents of the package tarball.

Inspect an NPM package’s contents before downloading

The npm CLI version used at the time of writing this post was 5.5.1.

npm view

The npm view command can be used to directly view registry information about a package without the need to download or install the package. We’re using the lodash package as an example.

$ npm view lodash

{ name: 'lodash',
  description: 'Lodash modular utilities.',
  'dist-tags': { latest: '4.17.4' },
  versions:
  ...
}

NOTE: The default version is “latest” if omitted from the npm view command.

Query package metadata

The npm view command can also query package metadata on the registry and return detailed information on a specific package.

For example, to see all the versions available for a package, pass the versions field to the npm view lodash command:

$ npm view lodash versions
[ '0.1.0',
  '0.2.0',
  '0.2.1',
  ...
  '4.17.1',
  '4.17.2',
  '4.17.3',
  '4.17.4' ]

Or get the tarball URL:

$ npm view lodash dist.tarball
https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

To see all the available options for the npm view command, visit the CLI page on NPM’s website.

Download an NPM package

Download the package tarball directly from the public NPM registry using the npm pack command. We’re using the lodash package as an example.

$ npm pack lodash
lodash-4.17.4.tgz

NOTE: The default version is “latest” if omitted from the npm pack command.


Extract data from an NPM package

Once downloaded, the package tarball from the NPM registry can be extracted using the tar command:

$ tar -xzf lodash-4.17.4.tgz

The tar command extracts the contents of the package tarball downloaded from the NPM registry. The extracted folder is named package/; this is the default layout npm pack produces when it packs a package folder.

package.json

The package.json file contains the metadata used by npm and yarn to install packages and package dependencies. Let's inspect the package.json from the extracted lodash-4.17.4.tgz file downloaded from the public NPM registry:

$ cat package.json

{
  "name": "lodash",
  "version": "4.17.4",
  "description": "Lodash modular utilities.",
  "keywords": "modules, stdlib, util",
  "homepage": "https://lodash.com/",
  "repository": "lodash/lodash",
  "icon": "https://lodash.com/icon.svg",
  "license": "MIT",
  "main": "lodash.js",
  "author": "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
  "contributors": [
    "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
    "Mathias Bynens <mathias@qiwi.be> (https://mathiasbynens.be/)"
  ],
  "scripts": { "test": "echo \"See https://travis-ci.org/lodash/lodash-cli for testing details.\"" }
}

The package.json metadata above contains the following fields:

  1. name (required):
    • The name of the package.
  2. version (required):
    • The version number. Must adhere to the semver specification.
  3. description:
    • A short, human-readable description of the package.
  4. keywords:
    • Keywords to make your package discoverable on the public NPM registry.
  5. homepage:
    • The project homepage.
  6. repository:
    • Where the source code lives in version control, given as a URL or (as here) a GitHub user/repo shorthand. Intended for use by computers, not humans.
  7. icon:
    • Custom field containing an icon asset URL.
  8. license:
    • The license the package is distributed under (an SPDX identifier such as MIT).
  9. main:
    • The main entry point of the package: a module ID relative to the root of the package folder. When a user requires the package by name, the exports of this module are what require returns (see the npm docs for the main field).
  10. author:
    • The name of the author. This field is intended for one person.
  11. contributors:
    • An array of people, each in the same format as the author field.
  12. scripts:
    • A JSON object of commands to run at specific points in the package lifecycle, keyed by lifecycle event.
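As an added example (not code from the packagecloud post or from the npm project), the following Python script performs the checks a practitioner would want to run on a tarball fetched with npm pack before extracting it with tar and installing it: it confirms that every member sits under package/ (the folder tar -xzf creates above) and is a regular file or directory, verifies the tarball against the sha512 SRI string the registry publishes as dist.integrity (viewable with npm view <package>@<version> dist.integrity), and reports the scripts npm runs on its own during npm install, since the scripts field above is executed, not just read. The tarball and its manifest are constructed in memory so the script runs offline; the sample-pkg name, the build_sample_tarball helper and the LIFECYCLE_SCRIPTS selection are the example's own assumptions.

```python
import base64
import hashlib
import io
import json
import tarfile

# Script names npm runs by itself during `npm install`, without the user
# invoking them. These are the entries worth reading before installing.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def build_sample_tarball(scripts, extra_member=None):
    """Constructed sample tarball in the package/ layout that `npm pack` emits.

    extra_member is an optional (name, bytes) tuple used to simulate a member
    that does not belong under package/ (for testing the path check).
    """
    manifest = {"name": "sample-pkg", "version": "1.0.0",
                "main": "index.js", "scripts": scripts}
    members = [("package/package.json", json.dumps(manifest).encode()),
               ("package/index.js", b"module.exports = 1;\n")]
    if extra_member:
        members.append(extra_member)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)  # regular file, mode 0644 by default
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sri_sha512(data):
    """Subresource Integrity string in the format of the registry's dist.integrity."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def unsafe_members(tgz_bytes):
    """Members that would land outside package/ or are not plain files/dirs."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or parts[0] != "package" or ".." in parts:
                bad.append(m.name)  # would escape the package/ directory
            elif not (m.isfile() or m.isdir()):
                bad.append(m.name)  # symlink, hardlink, device node, ...
    return bad


def audit_tarball(tgz_bytes, expected_integrity):
    """Check integrity, member paths and install-time scripts of a package tarball."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        manifest = json.load(tar.extractfile("package/package.json"))
    scripts = manifest.get("scripts", {})
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "integrity_ok": sri_sha512(tgz_bytes) == expected_integrity,
        "unsafe_members": unsafe_members(tgz_bytes),
        "lifecycle_scripts": {k: v for k, v in scripts.items()
                              if k in LIFECYCLE_SCRIPTS},
    }


if __name__ == "__main__":
    # Constructed input. For a real package use the bytes of the file written by
    # `npm pack` and the value printed by `npm view <pkg>@<version> dist.integrity`.
    tgz = build_sample_tarball({"test": "echo ok", "postinstall": "node setup.js"})
    print(json.dumps(audit_tarball(tgz, sri_sha512(tgz)), indent=2))
```

A non-empty unsafe_members list means tar -xzf would write outside package/ or create links, and a non-empty lifecycle_scripts map lists exactly the commands that would run on your machine during npm install, so both are worth reading before the extract-and-install step that follows.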

Conclusion

Extracting and reviewing NPM package data can be useful when debugging a dependency, auditing the validity and security of third-party libraries, or just verifying what a specific package looks like before using npm install <package> or yarn add <package> on your systems.

Use the npm CLI to inspect registry information directly with the npm view command, and download the compressed tarball of an NPM package with the npm pack <packagename>@<version> command.
