The npx command is a powerful tool in the Node.js ecosystem, often overshadowed by its one-trick pony usability. While npm is primarily used for package management, npx excels at executing Node.js packages without the need for global installations.

This article serves as a cheatsheet for developers looking to harness the full potential of npx, including some lesser-known commands that can streamline your workflow.

Table of Contents

• Introduction to NPX
• Running Packages with NPX
• Finding Executable Paths
• Using NPX with Specific Node Versions
• Executing GitHub Gists
• NPX and Environment Variables
• Security Considerations
• FAQ

Introduction to NPX

NPX is a command-line tool that comes bundled with npm. It allows developers to execute packages directly from the npm registry without installing them globally. This is particularly useful for running one-off commands or testing packages without polluting your global namespace.

Running Packages with NPX

The primary use case for NPX is to run Node.js packages. For example, if you want to run a package like create-react-app without installing it globally, you can use:

npx create-react-app my-new-app

This command will download the package, execute it, and then remove it from the cache, keeping your system clean.

Finding Executable Paths

Sometimes, you need to know where npx is running a package from. I found this to be especially useful if you maintain several versions of Node.js runtime via fnm or nvm. This can be achieved using the -p flag in conjunction with which or command -v. For Unix-like systems, the command looks like this:

npx -p <package-name> which <executable-name>

Example:

To find the location of the shellcheck executable:

npx -p shellcheck which shellcheck

This command installs shellcheck into a temporary location in the NPX cache and reports the path to its executable.

Using NPX with Specific Node Versions

NPX can be used to run packages with a specific version of Node.js. This is particularly useful when testing compatibility across different Node.js versions. You can specify the Node.js version using the -p flag:

This command will run the specified command using Node.js version 14.

Executing GitHub Gists

NPX can execute scripts directly from GitHub Gists, which is a handy feature for running small scripts shared by the community. To execute a Gist, use the following command:

Replace <gist-id> with the actual ID of the Gist you want to run.

Security disclaimer: Be cautious when executing code from untrusted sources, as it may contain malicious code.

NPX and Environment Variables

You can pass environment variables to NPX commands, which is useful for configuring the behavior of the executed package. For example:

MY_VAR=value npx <package-name>

This sets MY_VAR to value for the duration of the command execution.

Security Considerations

While NPX is a convenient tool, it also introduces some security risks. Running packages directly from the npm registry means you are executing code that hasn’t been vetted by you. Always ensure that the packages you run are from trusted sources. Consider using tools like npq to audit packages before execution.

FAQ

Q1: What is the difference between NPX and npm?

NPX is used for executing packages, while npm is used for installing and managing them. NPX allows you to run packages without installing them globally.

Q2: Can NPX be used with private packages?

Yes, NPX can run private packages if you have the necessary authentication set up in your npm configuration.

Q3: How does NPX handle package caching?

NPX caches packages temporarily in a directory, which is cleared after the command execution. This ensures that your system remains clean.

—

For more insights and updates, follow me on Twitter and explore my work on GitHub.