docs on npm

Author: basarat

SUMMARY.md

@@ -78,6 +78,7 @@
  * [Prettier](docs/tools/prettier.md)
  * [Husky](docs/tools/husky.md)
  * [Changelog](docs/tools/changelog.md)
+* [NPM](docs/npm/index.md)
 * [TIPs](docs/tips/main.md)
  * [String Based Enums](docs/tips/stringEnums.md)
  * [Nominal Typing](docs/tips/nominalTyping.md)

docs/npm/index.md

@@ -0,0 +1,73 @@
+# NPM 
+
+> Fun fact `npm` is [not an acronym](https://twitter.com/npmjs/status/347057301401763840) so it doesn't expand to anything, but among friends it is commonly called `node package manager`.
+
+`npm` is a binary that comes with default `node` installations used to manage community shared JavaScript / TypeScript packages.
+
+
+* NPM packages are hosted at (and installed from) https://www.npmjs.com/
+
+## Quick common setup
+
+* npm packages are configured using `package.json` file. You can generate a quick file using `npm init -y`.
+* packages get installed into a `./node_modules` folder. You normally have this folder in your `.gitignore`.
+
+Even though you might be building an application, having a `package.json` essentially makes your project a package as well. So the terms your `project | package` can be used interchangably.
+ 
+## Installing a package
+You can run `npm install <something>`. Most people will use the shorthand `npm i <something>` e.g. 
+
+```ts
+// Install react
+npm i react
+```
+
+> This will also automatically add `react` into your `package.json`'s `dependencies`.
+
+## Installing a devDependency
+`devDependencies` are dependencies that are only required during *development* if your project and not required after deployment. 
+
+`typescript` is common in `devDependencies` as its only required to build `.ts -> .js`. You normally deploy the built `.js` files:
+
+* into production 
+* OR for consumption by other other npm packages
+
+## Security
+The public `npm` packages are scanned by security team worldwide and issues get reported to npm team. They then release security advisories detailing the issue and potential fixes. Commonly the fix is simply updating the package. 
+
+You can run an audit on your node project by simply running `npm audit`. This will highlight any vulnerabilities that might exist in the package / dependencies of the package. e.g. 
+
+```
+┌───────────────┬──────────────────────────────────────────────────────────────┐
+│ Low │ Regular Expression Denial of Service │
+├───────────────┼──────────────────────────────────────────────────────────────┤
+│ Package │ debug │
+├───────────────┼──────────────────────────────────────────────────────────────┤
+│ Dependency of │ jest [dev] │
+├───────────────┼──────────────────────────────────────────────────────────────┤
+│ Path │ jest > jest-cli > istanbul-lib-source-maps > debug │
+├───────────────┼──────────────────────────────────────────────────────────────┤
+│ More info │ https://nodesecurity.io/advisories/534 │
+└───────────────┴──────────────────────────────────────────────────────────────┘
+```
+
+Note that commonly the issues are found in *development* dependencies (e.g. jest in this case). Since these aren't are a part of your production deployments, most likely your production application is not vulnerable. But still good practice to keep vulnerabilities to `0`.
+
+## Public vs. Private packages
+You don't need this when *using* any of the common public npm packages. Just know its there for enterprise / commercial customers.
+
+### Public packages
+* Packages are public by default. 
+* Anyone can deploy a package to npm. 
+* You just need an account (which you can get for free).
+ 
+No one needs an account to download a public package. 
+
+This free sharing of packages is one of the key reasons of success for npm 🌹.
+
+### Private packages 
+
+If you want a private package for your company / team / enterprise you need to sign up to a paid plan, details here : https://www.npmjs.com/pricing
+
+Of-course you need an account with the right permissions to download a private package.
+