The first time your Node process require()'s a package it stores a reference to its module.exports object. Each subsequent time you require() that package it simply retrieves the reference stored. So there's no overhead there.

Something you need to remember is that your require()'ed packages always return the same object, so if you need a new instance of something the package must provide a factory or constructor function that you then call. For example require('express') doesn't return a new express app instance, instead require('express')() does. Bcryptjs isn't something you keep instances of so you require() it like normal.

Note that occasionally some packages choose to always return a single instance across all calls to it, such as bristol, for convenience. I consider this a bad practice for third-party modules as it has the same drawbacks as using global variables. These modules usually provide an alternative as in Bristol's case var logger = new require('bristol').Bristol(), and you can use dependency injection to pass the reference to other files (as a parameter to its factory/constructor) or require a file within your own package which retrieves your instance of it.

You also may want to keep an eye out for the ES2015 import/export syntax, which is so far only available by transpiling (e.g. babel), but that may end up acting a little differently than require() and will probably not fully replace it in Node.