npm

[5] npm was developed by Isaac Z. Schlueter as a result of having "seen module packaging done terribly" and with inspiration from other similar projects such as PEAR (PHP) and CPAN (Perl).

[16] In npm version 6, the audit feature was introduced to help developers identify and fix security vulnerabilities in installed packages.

[20] The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.

In March 2016, a package called left-pad was unpublished as the result of a naming dispute between Azer Koçulu, an individual software engineer, and Kik.

[27] Although the package was republished three hours later,[28] it caused widespread disruption, leading npm to change its policies regarding unpublishing to prevent a similar event in the future.

[34] In May 2021, pac-resolver, an npm package that received over 3 million downloads per week, was discovered to have a remote code execution vulnerability.

[37] In May 2023, several npm packages, including bignum, were found to have been compromised and were stealing user credentials and other information from affected machines.

Researchers discovered that these packages had been compromised through an exploit involving Amazon S3 buckets and the node-gyp command line tool.

[38] There are a number of open-source alternatives to npm for installing modular JavaScript, including pnpm, Yarn,[39] Bun and Deno.