alanshaw / david
Node.js module that tells you when your package npm dependencies are out of date.
Home Page: https://david-dm.org
License: MIT License
`david update` will update all modules in your project, perhaps you only want one or two to be updated. Alter the CLI to allow a space separated list of module names of modules to update.
It would be great if the user was asked if they want to run the command to update dependencies that the CLI generates for them.
Let's say you have a private dependency like
"dependencies": {
"request": "git+ssh://[email protected]:project/request.git"
}
David will issue a `npm view request`; however, here it's not the publicly available `request` that we want but the private one. And npm won't have any information about that.
Projects like NSP ignore git dependencies. I will send a pull-request later today to add an option like "--skip-git-deps"
Tests are currently failing when using semver ~2
My packages are definitely not up to date, yet when I run `david` or `david update`, it runs for a few seconds, and then doesn't output anything or do anything noticeable.
That's not enough to go off, so what else do you need to know?
~/path master
❯ david
~/path master
❯ david update
In directories without a package.json, it says "package.json does not exist", so it's definitely being called.
/usr/local/lib/node_modules/david/lib/david.js:176
return setImmediate(function () { cb(null, pkgs) })
^
ReferenceError: setImmediate is not defined
at getDependencies (/usr/local/lib/node_modules/david/lib/david.js:176:12)
at Object.module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:216:3)
at getDeps (/usr/local/lib/node_modules/david/bin/david.js:106:9)
at Object.<anonymous> (/usr/local/lib/node_modules/david/bin/david.js:199:3)
at Module._compile (module.js:449:26)
at Object.Module._extensions..js (module.js:467:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.runMain (module.js:492:10)
at process.startup.processNextTick.process._tickCallback (node.js:244:9)
node version: v0.8.16
npm version: 1.1.69
All versions in my `package.json` are correct semver versions in form `x.y.z`, all latest versions of these packages are valid semver as well. However, I get the following:
$ david --version
v2.4.0
$ david
/usr/local/lib/node_modules/david/node_modules/semver/semver.js:271
throw new TypeError('Invalid Version: ' + version);
^
TypeError: Invalid Version: 0.4.0rc6
at new SemVer (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:271:11)
at compare (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:424:10)
at Function.gt (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:453:10)
at /usr/local/lib/node_modules/david/lib/david.js:81:22
at /usr/local/lib/node_modules/david/node_modules/npm/lib/view.js:92:26
at RegClient.get_ (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/lib/get.js:105:14)
at RegClient.<anonymous> (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/lib/get.js:41:12)
at fs.js:266:14
at /usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/node_modules/graceful-fs/graceful-fs.js:103:5
at /usr/local/lib/node_modules/david/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:103:5
`david` shouldn't just completely break in such cases, I'd expect a warning at best and it should just go on.
npm supports -g for global, david might as well too
I usually only care about `dependencies` when using David to check what I need to upgrade in my various modules. Would be nice to be able to remove all the noise of `devDependencies`.
If a dependency is a URL, Git URL, or Github URL, can david be able to tell if it is outdated? If it's not currently supported, will there be a future support for this?
First off, great work. I'm running into a problem and I may be missing something, so apologies if that is the case.
I'm using David to track whether or not my project has out of date dependencies, now in the `package.json` I have specified `protractor: ~1.0` now as far as I am aware that would mean anything from 1.0 to 1.2 and allow 1.1.1 for example.
https://david-dm.org/apibyexample/abe-protractor
Now if that's the case and 1.2 is the latest it shouldn't be out of date?
If a dependency is red or yellow it would be nice to see the list of commits that have occurred since the dependency I have listed (the one that is out of date) and the most current dependency.
This would be as simple as doing a range query from two version tags
For example gemnasium does something like this.
I checked the David page for my package imgurgitate https://david-dm.org/hickford/imgurgitate . All the dependencies are status green. This surprised me, because I know if you install the package, you get some old versions of dependencies (underscore is now at 1.6.0 for example)
npm install imgurgitate
[email protected] node_modules\imgurgitate
├── [email protected]
├── [email protected]
├── [email protected] ([email protected])
├── [email protected]
├── [email protected] ([email protected], [email protected])
└── [email protected] ([email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected])
Is David wrong?
What's really going on is the package has both a `package.json` and a `npm-shrinkwrapped.json`. Read https://www.npmjs.org/doc/cli/npm-shrinkwrap.html and http://blog.nodejs.org/2012/02/27/managing-node-js-dependencies-with-shrinkwrap/ for explanations
The package.json says "I don't require old software", but the shrinkwrap says "these are the versions of dependencies I was developed and tested against and I suggest you use". They happen to be old.
How David should treat that depends on its purpose. Is it always bad to install old software? Or only to mandate it? I don't know. What do you think?
You know when you checkout a project and it builds fine for all the incumbent developers and is all build errors for you. Like when someone drops a patch release that meets the requirements of your package.json, but actually changes something fairly major.
All your fellow devs look at you like a newb, while you insist meekly that you followed the readme.
DAVID TO THE RESCUE... "David, based on my package.json show me all deps that published updates recently, that meet our declared semver range requirements. WHICH SEMVER TORPEDO HAS BESMIRCHED OUR PROJECT?"
david blame --month
where the default is "changes in the last week" and flags allow you to alter the amount of history you wanna blame against.
Leaderboards of most projects besmirched by module is a nice to have extension.
It would be nice to deal with unique package names but they are only unique when published to NPM. Packages submitted to David by users may be clones of existing repos.
`npm` lets you use git urls like this:
"devDependencies": {
"grunt": "~0.4",
"test-project": "https://github.private.server/dylang/test-project/archive/1.2.3.tar.gz"
}
This produces this error:
$ david
Failed to get dependency test-project { [Error: 404 Not Found: test-project] code: 'E404', pkgid: 'test-project' }
I think ideally it would use a regex to figure out that this is a github url and attempt to figure out if the latest tag in git.
Tarballs are something we have to do when using npm to depend on repos not in github, such as internal projects that aren't open source (yet).
Hello
I'm trying to use the `david` command in Jenkins, to integrate it with the CI workflow.
I noticed that it always returns 0, even though some dependencies (in my case devDependencies) are out of date.
Unless I am missing something, `david` returns an error when there is a repo linked (with `npm link`):
❯ david -g
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: my-secret-module] pkgid: 'my-secret-module', statusCode: 404, code: 'E404' }
Is there a way to not make it fail / bypass locally linked modules?
I'm curious as to why you're not using gittip shields. For me it's the sole reason I'm not switching to David since I like to keep a consistent look between my DM / CI / coverage / complexity badges.
Currently the CLI simply exits when all dependencies are up to date. It should log a message saying something along the lines of "All dependencies up to date".
It would be awesome to have a branch option on the image, although I'm not sure if integrating branch-based testing is a much bigger architectural change (I feel like it might be). So for example, you could run:
https://david-dm.org/foo/bar.png?branch=testing
Travis has this option, if it helps at all. Either way, let me know if this is something you might want help with, and thanks so much for an absolutely fantastic tool!
`david` shouldn't give me ANSI color on a non-TTY output without some kind of `--color` flag defaulting to `!process.stdout.isTTY`.
$ david
optionalDependencies
┌────────────────────────┬─────────┬────────┐
│ Name │ Package │ Latest │
├────────────────────────┼─────────┼────────┤
│ grunt-contrib-imagemin │ 0.9.2 │ 0.9.3 │
└────────────────────────┴─────────┴────────┘
npm install --save [email protected]
It should say `--save-optional`, not `--save`.
david 6.1.4.
Migrated from alanshaw/david-www#177
I updated to the last version and now david doesn't print any output.
I downgraded to an older version and the same problem happened, making me wonder if it's a problem with one of the dependencies.
This was recently changed in npm as it more accurately adheres to semver.
Relevant npm ticket: npm/npm#4587
David should default to it. Right now it switches my `^` back to `~`.
Assume project depends on xxx, version ~0.6.1-1. Version 0.6.1-1 is the latest and 0.6.0 is latest stable.
When asking David for updated dependencies specifying onlyStable, David will return xxx because 0.6.0 does not satisfy ~0.6.1-1.
semver 2.2.0 now includes gtr function from semverext.
Since you're only using `npm.commands.view` it would be better to just use something like:
var RegClient = require('npm-registry-client')
var client = new RegClient(config)
client.get("npm", "latest", 1000, function (er, data, raw, res) {
// error is an error if there was a problem.
// data is the parsed data object
// raw is the json string
// res is the response from couch
})
npm-registry-client is the library depended on by `npm` to fetch things from the registry. Why is this better?
`david` to check against two different registries I am currently limited by what is on disk in `.npmrc` when you call `npm.load`
I would make a PR for this if you're interested.
Add package.json so dependencies can be installed easily via `npm install` and so we don't have to maintain a list of dependencies in the README.md.
Package dependency version and dependency version nearly ALWAYS differ because package dependency version is always specified with "~" or ">=" whereas an actual npm dependency has an absolute current version - a literal string comparison doesn't work.
Feature request:bowtie:
`david update` raises error with none npmjs.org/package, but my app depends on the module from github repository.
$ david update
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: none-npmjs-org-package] code: 'E404', pkgid: 'none-npmjs-org-package' }
I want to update other packages with `david update`.
My env:
$ david --version
v3.3.0
Hi, it would be really nice if David would support optionalDependencies. Have you considered adding that?
I run David on all my modules once in a while and there are some commonly used dependencies that are outdated but that I don't care about updating, like e.g. Mocha. Would be useful if David had an `ignore` option where I could ignore dependencies I don't care about.
npm 2.x provides a Local Paths feature.
Example project of Local Paths: azu/npm-localpaths-example
"dependencies": {
"example-utils": "file:local_modules/example-utils"
}
I try to update this project using david and get error:
$ david -v
v5.0.0
$ david u
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: example-utils] pkgid: 'example-utils', statusCode: 404, code: 'E404' }
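The git+ssh, tarball URL, linked-module and `file:` reports above all share one cause: the dependency is looked up in the registry by name even though its spec does not resolve there, and for a private package such as the `request` case a by-name lookup would describe an unrelated public package. As an added example (not david's own code), this classifies specs before any registry lookup; `classifySpec`, `planRegistryLookups`, the sample manifest and the `git.example.invalid` host are assumptions constructed for illustration.

```javascript
// Added example (not david's code): decide which dependencies may be looked
// up in the registry by name, and which must be skipped and reported.

// Map a package.json dependency spec to where npm would resolve it from.
function classifySpec (spec) {
  if (typeof spec !== 'string') return 'invalid'
  const s = spec.trim()
  if (/^(git\+(ssh|https?|file)|git):\/\//i.test(s)) return 'git'
  if (/^https?:\/\//i.test(s)) return 'url' // tarball URL
  if (/^file:/i.test(s) || /^(\.{0,2}|~)\//.test(s)) return 'local'
  if (/^(github:)?[\w.-]+\/[\w.-]+(#.+)?$/i.test(s)) return 'github' // user/repo
  return 'registry' // version, range or dist-tag
}

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies']

// Split a manifest into names safe to query by name and entries to skip.
// Skipped entries are returned, not dropped, so the caller can warn about them.
function planRegistryLookups (manifest, sections = SECTIONS) {
  const plan = { lookup: [], skipped: [] }
  for (const section of sections) {
    const deps = manifest[section] || {}
    for (const name of Object.keys(deps)) {
      const kind = classifySpec(deps[name])
      if (kind === 'registry') plan.lookup.push(name)
      else plan.skipped.push({ name, section, kind })
    }
  }
  return plan
}

// Constructed sample, reusing the spec shapes quoted in the issues above.
const sampleManifest = {
  dependencies: {
    request: 'git+ssh://git@git.example.invalid:project/request.git',
    'example-utils': 'file:local_modules/example-utils'
  },
  devDependencies: {
    grunt: '~0.4',
    'test-project': 'https://github.private.server/dylang/test-project/archive/1.2.3.tar.gz'
  }
}

const plan = planRegistryLookups(sampleManifest)
console.log('query registry for:', plan.lookup.join(', '))
for (const d of plan.skipped) {
  console.log(`skipped ${d.name} (${d.section}): ${d.kind} source, not a registry package`)
}
```

Reporting skipped entries instead of silently dropping them keeps unchecked dependencies visible in the output.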
Hi, your tool might work nicely with mine: next-update. It installs each available dependency's version, runs unit tests and then reports if tests passed or not. So you can actually know if upgrading is possible or not. Spread the word,
Now Github caches https endpoints too, so you must provide `Cache-Control: no-cache` and `ETag` headers.
For details: github/markup#224
$ david
leads to
/usr/local/lib/node_modules/david/lib/david.js:176
return setImmediate(function () { cb(null, pkgs) })
^
ReferenceError: setImmediate is not defined
at getDependencies (/usr/local/lib/node_modules/david/lib/david.js:176:12)
at Object.module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:216:3)
at /usr/local/lib/node_modules/david/bin/david.js:109:11
at module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:226:5)
at /usr/local/lib/node_modules/david/lib/david.js:192:39
at _asyncMap (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:229:13)
at async.each (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:116:25)
at i (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:24:16)
at _asyncMap (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:226:17)
at results (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:513:34)
Put a limit on the total number of packages that are cached so it doesn't grow indefinitely.
npm already has an `outdated` command, but it's somewhat neglected and david's is fancier. Heck, it's already using npm as a dep anyway.
Why not fold this into npm proper (and the semver-ext.js module's functionality into semver)?
When I run `david -g` I'm getting error
Failed to get updated dependencies/devDependencies [Error: Cannot use view command in global mode.]
Currently using npm version is '2.1.2'.
Any idea, how can fix this issue?
`david update` will update to latest stable, give the user a way to update to latest unstable. Perhaps:
david update --unstable
Got an error when trying to update globally installed jitsu module via david
$ david update -g jitsu
npm http ...
..snip...
Stack trace:
/usr/local/lib/node_modules/david/node_modules/npm/node_modules/lockfile/lockfile.js:46
throw er
^
Error: Cannot find module '/usr/local/lib/node_modules/david/node_modules/npm/lib/build.js'
at Function.Module._resolveFilename (module.js:338:15)
at Function.Module._load (module.js:280:25)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at Object.defineProperty.get (/usr/local/lib/node_modules/david/node_modules/npm/lib/npm.js:185:15)
at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:1053:18
at asyncMap (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/slide/lib/async-map.js:27:18)
at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:587:7
at asyncMap (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/slide/lib/async-map.js:27:18)
at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:568:5
Of interest, I now realise that `david update` doesn't target individual modules, so adding jitsu to the command did nothing, and david tried to update all the things. Not a problem, just worth noting.
Also, for debugging, I ran a `david -g` beforehand, and david was one of the global modules that was due for updating...
$ david -g
npm http ...snip...
Outdated Global Dependencies
generator-karma (package: 0.4.1, latest: 0.5.0)
generator-angular (package: 0.3.1, latest: 0.4.0)
yo (package: 1.0.0-rc.1.4, latest: 1.0.3)
david (package: 1.9.0, latest: 2.0.0)
bower (package: 1.1.0, latest: 1.2.4)
npm (package: 1.2.32, latest: 1.3.9)
browserify (package: 2.26.0, latest: 2.29.0)
npm install --global [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Would you be open to accept a pull-request for adding support for checking bower dependencies?
Just how often does David update? I've fixed dependencies 2 hours ago, and they still come up as out of date, while David uses the old package.json.
Is there something extra I need to do or it just doesn't work?
grunt-contrib-jshint (package: ~0.3.0, latest: 0.6.2)
chai (package: ~1.5.0, latest: 1.7.2)
grunt-mocha-test (package: ~0.2.0, latest: 0.6.2)
sinon (package: ~1.6.0, latest: 1.7.3)
Because we're using `~` we could have the latest version installed and not need to make any changes. The output could be something like:
grunt-contrib-jshint (package: ~0.3.0, installed: 0.1.1, latest: 0.6.2)
chai (package: ~1.5.0, latest: installed: latest, latest: 1.7.2)
grunt-mocha-test (package: ~0.2.0, installed: 0.2.0, latest: 0.6.2)
I run David recursively (using a bash script) on my dev folder with a lot of node modules, but also other things. The `package.json does not exist` messages create a lot of noise. Would be nice if `david` had a quiet mode that suppressed messages like that.
Reported here #59 (comment)