npm

npm is the package manager that ships with Node.js, and it is the gateway to a public registry of JavaScript code. The project’s own documentation describes npm as “the world’s largest software registry” and explains that the system is made of three parts: the website, the command line interface (CLI), and the registry itself, which it calls “a large public database of JavaScript software and the meta-information surrounding it.”

The practical effect of npm was to give JavaScript a single, default place to publish and install reusable code. A developer types a command, and npm resolves the requested package together with everything that package itself depends on, downloading the whole tree. That convenience let the Node.js ecosystem grow with extraordinary speed, since any small piece of useful code could be shared and pulled in by name.

That same convenience also concentrated risk. Because so many projects depend, directly or indirectly, on packages from the one registry, an event affecting a single popular package can ripple across the ecosystem. npm’s own post-mortem on the 2016 left-pad incident records what that looks like in practice: after one widely used package was removed, the registry “began observing hundreds of failures per minute.”
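To make the dependency-tree and ripple-effect points concrete, here is an added example (not npm's own code) that resolves the transitive closure of one package over a small constructed registry index, then asks the reverse question a defender cares about: how many packages in that index stop installing if a single package is unpublished. The index and every package name except left-pad are constructed for illustration.

```javascript
// Added example: a toy model of npm's resolution and of "blast radius",
// not npm's implementation. The registry index below is constructed for
// illustration; only the name left-pad comes from the incident text.
const registryIndex = {
  "web-app":         ["framework-x", "util-lib", "logger"],
  "framework-x":     ["template-engine", "util-lib"],
  "template-engine": ["left-pad"],
  "util-lib":        ["left-pad"],
  "logger":          [],
  "left-pad":        [],
  "cli-tool":        ["logger"],
};

// Resolve the full dependency tree of one package: the set of every
// package that must be downloaded to install it, direct or transitive.
function resolveTree(index, name, seen = new Set()) {
  if (seen.has(name)) return seen;          // already visited (also breaks cycles)
  if (!(name in index)) throw new Error(`unknown package: ${name}`);
  seen.add(name);
  for (const dep of index[name]) resolveTree(index, dep, seen);
  return seen;
}

// Reverse the question: which packages in the index can no longer be
// installed if `name` disappears? Every package whose resolved tree
// contains it, directly or through any depth of transitive dependency.
function dependentsOf(index, name) {
  return Object.keys(index).filter(
    (pkg) => pkg !== name && resolveTree(index, pkg).has(name)
  );
}

// Usage: the tree one install pulls in, and the blast radius of one leaf.
console.log([...resolveTree(registryIndex, "web-app")]);
console.log(dependentsOf(registryIndex, "left-pad"));
```

Run against a real lockfile the same walk answers the practical question: which of your direct dependencies transitively reach a given tiny package.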

npm matters because it defined the shape of the modern JavaScript dependency world. The pattern it normalized, a public registry plus a command line installer that pulls deep dependency trees, became the model that later tools for other languages were measured against.