Last modified: January 11, 2017
Package managers are tools that automate the installation of software and their dependencies. They make it extremely easy to incorporate existing libraries/code into your own project. For example, you may want to write a web service but don't want to worry about constructing the http requests from scratch. In this case, you would use the Express framework, an extremely light-weight library that already does that for you. Rather than downloading the library yourself, you can use a package manager to quickly fetch a specific version of the library and include it in the project for you. This is the essence of npm and other package managers. It makes your life much easier as a developer and allows you to quickly bootstrap your own work onto what's already been figured out. Likewise, it's easy to upgrade and remove dependencies through package managers.
With npm, developers can easily share and update code. When developers find solutions to small but powerful problems, they submit their code to npm's central registry. Here anybody can download the code as well as receive future updates on the 'module' or 'package'. Some packages are widely used (such as Socket.io which had nearly 800,000 downloads in the last week). Others have never been used or tested. This is both a blessing and a curse. While developers can easily share code with a centralized community, they open the doors to anyone and create major security vulnerabilites.
There have been several incidents with npm since it's inception. Most notably was just last year (March 23, 2016), when a npm package (left-pad) was taken down by it's author. This package was used by thousands of developers and the entire community was brought down. Although the problem was fixed within 10 minutes, it demonstrates the disadvantages of such an open relationship between developers and a centralized community.
Earlier that year, Google also discovered an exploit involving the fact that node modules can act on user systems and republish malicient modules to the central registry. If hackers can get just one unsuspecting developer to install an npm module, they can republish and change packages from that user, potentially affecting thousands.