By Long Nguyen | Nov 30th, 2025

Software Engineers spend a surprising amount of time installing, updating, and managing dependencies. Yet very few, from asking around, fully understand what happens under the hood when running a simple command like: npm install

This post started with wondering about the naming of the file below whilst reviewing vscode-pets:

package.nls.it.json

…and turned into a deep dive on how npm, lockfiles, dependency management and content-addressable caching actually work.

🇯🇵 1. What is package.nls.it.json?


📄 2. package.json vs package-lock.json


🔒 3. Resolved URLs & Integrity Hashes


🌲 4. How npm Builds Dependency Trees


⚡ 5. npm ci: determinism, ci-friendly


💵 6. Where Does npm Actually Store Packages?