Skip to content
| Marketplace
Sign in
Visual Studio Code>Programming Languages>Noodle - Node Package Manager (npm, pnpm, yarn, bun)New to Visual Studio Code? Get it now.
Noodle - Node Package Manager (npm, pnpm, yarn, bun)

Noodle - Node Package Manager (npm, pnpm, yarn, bun)

ItsKarmaOff

|
3 installs
| (0) | Free
Browse, install, update and uninstall npm packages from a Visual Studio-like panel. Auto-detects npm, pnpm, yarn and bun per project, supports npmjs.com and private registries (.npmrc aware), with README preview, update detection and secure per-registry credentials.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Noodle - Node Package Manager for VS Code

Browse, install, update and uninstall npm packages from a Visual Studio-like panel, the npm counterpart of Nugget (NuGet Package Manager). NuGet had its nugget; Node gets its noodles. 🍜

Features

  • Browse: search any registry (npmjs.com by default), with weekly downloads, trusted-publisher badge, README preview and package details.
  • Installed: direct dependencies grouped by dependencies / devDependencies, plus transitive packages read from the lock file (with "introduced by" tooltips on npm locks).
  • Updates: update detection against the selected registry, with a badge counter and one-click update.
  • Vulnerabilities (CVE): the whole dependency tree (direct + transitive) is checked against the npm security advisories (the same API npm audit uses), enriched with CVE ids and fixed versions from OSV.dev. Vulnerable packages get a severity badge in the Installed tab, the version dropdown marks affected versions with ⚠, and a Vulnerabilities tab in the detail pane lists each advisory (severity, CVSS score, CVE links, affected range, fixed versions).
  • Multi package manager: npm, pnpm, yarn (classic & berry) and bun. The manager is auto-detected per project from the packageManager field and lock files (walking up to the monorepo root), and can be overridden from the toolbar or the npmManager.defaultPackageManager setting.
  • Registries: private registries via the UI or the npmManager.registries setting, scoped registries (@myorg mapped to a registry), .npmrc awareness (project + user level, including _authToken / _auth / username+_password entries), and secure per-registry credentials stored in VS Code secret storage.
  • Monorepo friendly: every package.json in the workspace is a selectable project; workspace roots get the right flags (pnpm -w, yarn -W).

Usage

  • Command palette: Node Packages: Manage Packages, or
  • Right-click a package.json (or any folder containing one) in the explorer, or
  • The package icon in the editor title of a package.json.

Pick the target Project, the Registry to browse and, if needed, force a Manager, then search, select a package, choose a version and dependency type, and Install / Update / Uninstall. Commands are echoed in the Node Package Manager output channel.

Settings

Setting Description
npmManager.registries Additional registries: { name, url, scope? }.
npmManager.defaultPackageManager auto (default), npm, pnpm, yarn or bun.

Credentials added from the UI are used to browse the registry. For installation, your package manager reads credentials from your .npmrc, as usual.

Notes

  • Transitive packages come from a best-effort parse of package-lock.json, pnpm-lock.yaml, yarn.lock or bun.lock. The binary bun.lockb is not parsed.
  • The Browse tab needs a search term (the npm search API rejects empty queries).
  • Some private registries (e.g. certain Azure Artifacts feeds) do not implement the search endpoint; version lookup and install still work there.
  • Vulnerability data always comes from registry.npmjs.org and OSV.dev (like npm audit), regardless of the selected registry; packages that only exist on a private registry simply report no advisories.

License

MIT

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft