npm Introduction

Package Management System: Software that automates installing and updating packages/libraries/frameworks, including their dependencies.
npm: npm Package Manager, previously Node package manager (npm is now used for many software projects besides Node).
npm package: A package is a file or directory that is described by a package.json file.
Dependency: Code that your app needs to function properly. Each dependency will most likely have their own list of dependencies, which npm also manages.
Development dependency: An npm package that's only needed during development (i.e. nodemon to help reload new code). These dependencies should be ignored when the app is in production.
Global npm package: A package that is installed globally on your machine so that it's available to every npm project. Global packages will not show up in your node_modules directory.
Semantic versioning: A three number versioning system (major.minor.patch => 2.3.1) for software. See Semantic Versioning using npm.

Why do we use `npm`?

Dependency management: any npm package you install into your project becomes a dependency. Chances are, that package comes with its own set of dependencies, and so on. npm manages these interactions.
Development and deployment: npm includes many tools that help developers create and deploy software projects.
Project collaboration: npm ensures that multiple developers can reliably replicate a software project in their development environments.

npm is the largest software package registry in the world. According to the npm Wikipedia page and this Linux.com article

npm, Inc. is a subsidiary of GitHub, which is itself a subsidiary of Microsoft.
Over 477,000 packages are available in the main npm registry.
In May 2016, users installed 18 billion packages, translating into 6 billion downloads, "because approximately 66 percent of the installs are now being served from the cache."
The registry does not have any vetting process for submission, which means that packages found there can be low quality, insecure, or malicious. Registry quality is dependant on user reviews and moderation.
status.npmjs.org shows the historical uptime of the registry.
Every week roughly 160 people publish their first package in the registry

my-project-root
├── node_modules
│   └── dependency-1
│   ├── dependency-2
    └── dependency-3
└── app.js
├── package-lock.json
└── package.json

Don't initialize projects within projects.
You no longer need to use the --save flag when installing packages.
Add node_modules to your .gitignore file. This directory stores all your dependencies (often lots of files) which should not be committed to your repository.
Commit package.json and package-lock.json to your repository (unless you're specifically told not to).
Don't manually edit package-lock.json. This is auto-generated by npm.
Update package.json by the command line (or other tool) unless you're comfortable editing the file manually.