Noodle - Node Package Manager for VS Code
Browse, install, update and uninstall npm packages from a Visual Studio-like panel, the npm counterpart of Nugget (NuGet Package Manager). NuGet had its nugget; Node gets its noodles. 🍜
Features
- Browse: search any registry (npmjs.com by default), with weekly downloads, trusted-publisher badge, README preview and package details.
- Installed: direct dependencies grouped by
dependencies / devDependencies, plus transitive packages read from the lock file (with "introduced by" tooltips on npm locks).
- Updates: update detection against the selected registry, with a badge counter and one-click update.
- Vulnerabilities (CVE): the whole dependency tree (direct + transitive) is checked against the npm security advisories (the same API
npm audit uses), enriched with CVE ids and fixed versions from OSV.dev. Vulnerable packages get a severity badge in the Installed tab, the version dropdown marks affected versions with ⚠, and a Vulnerabilities tab in the detail pane lists each advisory (severity, CVSS score, CVE links, affected range, fixed versions).
- Multi package manager: npm, pnpm, yarn (classic & berry) and bun. The manager is auto-detected per project from the
packageManager field and lock files (walking up to the monorepo root), and can be overridden from the toolbar or the npmManager.defaultPackageManager setting.
- Registries: private registries via the UI or the
npmManager.registries setting, scoped registries (@myorg mapped to a registry), .npmrc awareness (project + user level, including _authToken / _auth / username+_password entries), and secure per-registry credentials stored in VS Code secret storage.
- Monorepo friendly: every
package.json in the workspace is a selectable project; workspace roots get the right flags (pnpm -w, yarn -W).
Usage
- Command palette: Node Packages: Manage Packages, or
- Right-click a
package.json (or any folder containing one) in the explorer, or
- The package icon in the editor title of a
package.json.
Pick the target Project, the Registry to browse and, if needed, force a Manager, then search, select a package, choose a version and dependency type, and Install / Update / Uninstall. Commands are echoed in the Node Package Manager output channel.
Settings
| Setting |
Description |
npmManager.registries |
Additional registries: { name, url, scope? }. |
npmManager.defaultPackageManager |
auto (default), npm, pnpm, yarn or bun. |
Credentials added from the UI are used to browse the registry. For installation, your package manager reads credentials from your .npmrc, as usual.
Notes
- Transitive packages come from a best-effort parse of
package-lock.json, pnpm-lock.yaml, yarn.lock or bun.lock. The binary bun.lockb is not parsed.
- The Browse tab needs a search term (the npm search API rejects empty queries).
- Some private registries (e.g. certain Azure Artifacts feeds) do not implement the search endpoint; version lookup and install still work there.
- Vulnerability data always comes from registry.npmjs.org and OSV.dev (like
npm audit), regardless of the selected registry; packages that only exist on a private registry simply report no advisories.
License
MIT
| |