Carles Andres

First npm Package

Practical guide to create, test, and publish your first npm package with safe defaults.

Published on 2/26/2026

Initialize Package

Create package metadata correctly before writing code.

| Anchor | Content |
|---|---|
| npm init | Generate package.json interactively in the package root. |
| npm init --scope=@your-scope | Initialize a scoped package name like @your-scope/my-package. |
| name + version are mandatory for publish | Set a unique lowercase package name and a semver version in package.json. |
| start at version 1.0.0 | Use semantic versioning; npm docs recommend starting public modules at 1.0.0. |
| license field | Use an SPDX identifier (for example, MIT) so users know reuse terms. |

Expose Your API

Make sure consumers can import your package predictably.

| Anchor | Content |
|---|---|
| "main": "./index.js" | Classic entry point used by require() and older toolchains. |
| "exports": "./index.js" | Modern entry point map; preferred for new packages and controls public surface. |
| "type": "module" | Treat .js files as ESM; use when your package uses import/export syntax. |
| CommonJS starter file | Use module.exports in index.js if you want require('your-package') compatibility by default. |
| ESM starter file | Use named/default exports in index.js when type is module. |

Package Contents And Local Test

Verify exactly what will ship and that install/import works.

| Anchor | Content |
|---|---|
| npm pack --dry-run | Preview files included in the tarball before publishing. |
| "files" in package.json | Whitelist only distributable files (for example, dist and README) to avoid publishing junk. |
| .npmignore vs .gitignore | If .npmignore exists, npm uses it instead of .gitignore, so a file excluded only in .gitignore can still ship; otherwise npm falls back to .gitignore rules. |
| Test from a separate folder | Create a new directory, install your package there, and run a tiny test script. |
| README and LICENSE are always included | Even with files rules, key metadata files are auto-included by npm pack/publish. |
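
An added example (not part of the original cheatsheet): a Node.js check over the JSON that `npm pack --dry-run --json` prints, flagging credential-like files and anything outside the paths you intend to ship. The `auditPack` name, the pattern list, the allowed prefix and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: audit the JSON printed by `npm pack --dry-run --json`.
// The pattern list and allowed prefixes are illustrative assumptions.
const SENSITIVE = [
  /(^|\/)\.env(\.[^/]+)?$/,          // .env, .env.production
  /\.(pem|key|p12|pfx)$/i,           // key and certificate material
  /(^|\/)id_(rsa|ed25519)(\.pub)?$/, // SSH key pairs
];

// Files npm ships regardless of "files" rules (README, LICENSE, package.json).
const ALWAYS_SHIPPED = /^(package\.json|readme(\.[^/]*)?|licen[cs]e(\.[^/]*)?)$/i;

function auditPack(packJson, allowedPrefixes) {
  const report = { sensitive: [], unexpected: [] };
  for (const pkg of packJson) {
    for (const { path } of pkg.files) {
      if (SENSITIVE.some((re) => re.test(path))) {
        report.sensitive.push(path);   // must never be published
      } else if (
        !ALWAYS_SHIPPED.test(path) &&
        !allowedPrefixes.some((p) => path === p || path.startsWith(p))
      ) {
        report.unexpected.push(path);  // not secret, but not meant to ship
      }
    }
  }
  return report;
}

// Constructed sample shaped like `npm pack --dry-run --json` output.
const SAMPLE = [{
  name: "@your-scope/my-package",
  version: "1.0.0",
  files: [
    { path: "LICENSE", size: 1071, mode: 420 },
    { path: "README.md", size: 512, mode: 420 },
    { path: "package.json", size: 340, mode: 420 },
    { path: "dist/index.js", size: 2048, mode: 420 },
    { path: ".env", size: 64, mode: 420 },
    { path: "test/fixtures/server.key", size: 1704, mode: 420 },
    { path: "coverage/lcov.info", size: 9000, mode: 420 },
  ],
}];

console.log(auditPack(SAMPLE, ["dist/"]));
```

In a release script, parse the real command output into `packJson` and stop the publish when either list is non-empty.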

Publish First Release

Publish safely and avoid common first-release mistakes.

| Anchor | Content |
|---|---|
| npm login + npm whoami | Authenticate and confirm the account that will publish the package. |
| 2FA or granular access token required | Publishing requires account 2FA enabled or a granular token with bypass-2FA publishing rights. |
| npm publish | Publish current package directory to npm registry. |
| npm publish --access public | Required for first publish of a scoped package you want to be public. |
| name@version is immutable | After publish, you cannot reuse the same package name and version, even if unpublished later. |
| npm version patch && npm publish | For fixes after first release, bump version before republishing. |