alanshaw / david Goto Github PK

david update will update all modules in your project, perhaps you only want one or two to be updated. Alter the CLI to allow a space separated list of module names of modules to update.

It would be great if the user was asked if they want to run the command to update dependencies that the CLI generates for them.

Let say you have a private dependency like

"dependencies": {
    "request": "git+ssh://[email protected]:project/request.git"
}

David will issue a npm view request however here it's not the publicly available request that we want but the private one. And npm won't have any information about that.

Project like NSP ignore git dependency. I will send a pull-request later today to add an option like "--skip-git-deps"

Tests are currently failing when using semver ~2

My packages are definitely not up to date, yet when I run david or david update, it runs for a few seconds, and then doesn't output anything or do anything noticeable.

That's not enough to go off, so what else do you need to know?

~/path master
❯ david

~/path master
❯ david update

In directories without a package.json, it says "package.json does not exist", so it's definitely being called.

/usr/local/lib/node_modules/david/lib/david.js:176
    return setImmediate(function () { cb(null, pkgs) })
           ^
ReferenceError: setImmediate is not defined
    at getDependencies (/usr/local/lib/node_modules/david/lib/david.js:176:12)
    at Object.module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:216:3)
    at getDeps (/usr/local/lib/node_modules/david/bin/david.js:106:9)
    at Object.<anonymous> (/usr/local/lib/node_modules/david/bin/david.js:199:3)
    at Module._compile (module.js:449:26)
    at Object.Module._extensions..js (module.js:467:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.runMain (module.js:492:10)
    at process.startup.processNextTick.process._tickCallback (node.js:244:9)

node version: v0.8.16
npm version: 1.1.69

All version in my package.json are correct semver versions in form x.y.z, all latest versions of these packages are valid semver as well. However, I get the following:

$ david --version
v2.4.0
$ david

/usr/local/lib/node_modules/david/node_modules/semver/semver.js:271
    throw new TypeError('Invalid Version: ' + version);
          ^
TypeError: Invalid Version: 0.4.0rc6
    at new SemVer (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:271:11)
    at compare (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:424:10)
    at Function.gt (/usr/local/lib/node_modules/david/node_modules/semver/semver.js:453:10)
    at /usr/local/lib/node_modules/david/lib/david.js:81:22
    at /usr/local/lib/node_modules/david/node_modules/npm/lib/view.js:92:26
    at RegClient.get_ (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/lib/get.js:105:14)
    at RegClient.<anonymous> (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/lib/get.js:41:12)
    at fs.js:266:14
    at /usr/local/lib/node_modules/david/node_modules/npm/node_modules/npm-registry-client/node_modules/graceful-fs/graceful-fs.js:103:5
    at /usr/local/lib/node_modules/david/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:103:5

david shouldn't just completely break in such cases, I'd expect a warning at best and it should just go on.

npm supports -g for global, david might as well too

I usually only care about dependencies when using David to check what I need to upgrade in my various modules. Would be nice to be able to remove all the noise of devDependencies.

If a dependency is a URL, Git URL, or Github URL, can david be able to tell if it is outdated? If it's not currently supported, will there be a future support for this?

First of great work, I'm running into a problem and I may be missing something so apologies if that is the case.

I'm using David to track whether or not my project has out of date dependencies, now in the package.json I have specified protractor: ~1.0 now as far as I am aware that would mean anything from 1.0 to 1.2 and allow 1.1.1 for example.

https://david-dm.org/apibyexample/abe-protractor

Now if that's the case and 1.2 is the latest it shouldn't be out of date?

If a dependency is red or yellow it would be nice to see the list of commits that have occured since the dependency I have listed (the one that is out of date) and the most current dependency.

This would be as simple as doing a range query from two version tags

For example gemnasium does something like this.

I checked the David page for my package imgurgitate https://david-dm.org/hickford/imgurgitate . All the dependencies are status green. This surprised me, because I know if you install the package, you get some old versions of dependencies (underscore is now at 1.6.0 for example)

npm install imgurgitate

[email protected] node_modules\imgurgitate
├── [email protected]
├── [email protected]
├── [email protected] ([email protected])
├── [email protected]
├── [email protected] ([email protected], [email protected])
└── [email protected] ([email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected])

Is David wrong?

What's really going on is the package has both a package.json and a npm-shrinkwrapped.json. Read https://www.npmjs.org/doc/cli/npm-shrinkwrap.html and http://blog.nodejs.org/2012/02/27/managing-node-js-dependencies-with-shrinkwrap/ for explanations

The package.json says "I don't require old software", but the shrinkwrap says "these are the versions of dependencies I was developed and tested against and I suggest you use". They happen to be old.

How David should treat that depends on its purpose. Is it always bad to install old software? Or only to mandate it? I don't know. What do you think?

You know when you checkout a project and it builds fine for all the incumbent developers and is all build errors for you. Like when someone drops a patch release that meets the requirements of your package.json, but actually changes something fairly major.

All your fellow devs look at you like a newb, while you insist meekly that you followed the readme.

DAVID TO THE RESCUE... "David, based on my package.json show me all deps that published updates recently, that meet our declared semver range requirements. WHICH SEMVER TORPEDO HAS BESMIRCHED OUR PROJECT?"

david blame --month

where the default is "changes in the last week" and flags allow you to alter the amount of history you wanna blame against.

Leaderboards of most projects besmirched by module is a nice to have extension.

It would be nice to deal with unique package names but they are only unique when published to NPM. Packages submitted to David by users may be clones of existing repos.

npm lets you use git urls like this:

    "devDependencies": {
        "grunt": "~0.4",
        "test-project": "https://github.private.server/dylang/test-project/archive/1.2.3.tar.gz"
    }

This produces this error:

$ david
Failed to get dependency test-project { [Error: 404 Not Found: test-project] code: 'E404', pkgid: 'test-project' }

I think ideally it would use a regex to figure out that this is a github url and attempt to figure out if the latest tag in git.

Tarballs are something we have to do when using npm to depend on repos not in github, such as internal projects that aren't open source (yet).

Hello

I'm trying to use the david command in Jenkins, to integrate it with the CI workflow.

I noticed that it always returns 0, even though some dependencies (in my case devDependencies) are out of date.

Unless I am missing something, david returns an error when there is a repo linked (with npm link):

❯ david -g
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: my-secret-module] pkgid: 'my-secret-module', statusCode: 404, code: 'E404' }

Is there a way to not make it fail / bypass locally linked modules?

I'm curious as to why you're not using gittip shields. For me it's the sole reason I'm not switching to David since I like to keep a consistent look between my DM / CI / coverage / complexity badges.

Currently the CLI simply exists when all dependencies are up to date. It should log a message saying something along the lines of "All dependencies up to date".

It would be awesome to have a branch option on the image, although I'm not sure if integrating branch-based testing is a much bigger architectural change (I feel like it might be). So for example, you could run:

https://david-dm.org/foo/bar.png?branch=testing

Travis has this option, if it helps at all. Either way, let me know if this is something you might want help with, and thanks so much for an absolutely fantastic tool!

david shouldn't give me ANSI color on a non-TTY output without some kind of --color flag defaulting to !process.stdout.isTTY.

$ david
optionalDependencies

┌────────────────────────┬─────────┬────────┐
│ Name                   │ Package │ Latest │
├────────────────────────┼─────────┼────────┤
│ grunt-contrib-imagemin │ 0.9.2   │ 0.9.3  │
└────────────────────────┴─────────┴────────┘

npm install --save [email protected]

It should say --save-optional, not --save.

david 6.1.4.

Migrated from alanshaw/david-www#177

i updated to the last version and now david doesn't print any output.

i downgraded to an older version and the same problem happened making me wonder if it's a problem with one of the dependencies.

This was recently changed in npm as it more accurately adheres to semver.

Relevant npm ticket: npm/npm#4587

David should default to it. Right now it switches my ^ back to ~.

Assume project depends on xxx, version ~0.6.1-1. Version 0.6.1-1 is the latest and 0.6.0 is latest stable.

When asking David for updated dependencies specifying onlyStable, David will return xxx because 0.6.0 does not satisfy ~0.6.1-1.

semver 2.2.0 now includes gtr function from semverext.

Since you're only using npm.commands.view it would be better to just use something like:

var RegClient = require('npm-registry-client')
var client = new RegClient(config)

client.get("npm", "latest", 1000, function (er, data, raw, res) {
  // error is an error if there was a problem.
  // data is the parsed data object
  // raw is the json string
  // res is the response from couch
})

npm-registry-client is the library depended on by npm to fetch things from the registry. Why is this better?

1. Reduces dependencies: As a library about dependencies this should be self-explanatory :-D
2. More configurable: If I wanted to use david to check against two different registries I am currently limited by what is on disk in .npmrc when you call npm.load

I would make a PR for this if you're interested.

Add package.json so dependencies can be installed easily via npm install and so we don't have to maintain a list of dependencies in the README.md.

Package dependency version and dependency version nearly ALWAYS differ because package dependency version is always specified with "~" or ">=" whereas an actual npm dependency has an absolute current version - a literal string comparison doesn't work.

Feature request:bowtie:

david update raises error with none npmjs.org/package, but my app depends on the module from github repository.

$ david update
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: none-npmjs-org-package] code: 'E404', pkgid: 'none-npmjs-org-package' }

I want update other packages with david update.

My env:

$ david --version
v3.3.0

Hi, it would be really nice if David would support optionalDependencies. Have you considered adding that?

I run David on all my modules once in a while and there are some commonly used dependencies that are outdated but that I don't care about updating, like e.g. Mocha. Would be useful if David had an ignore option where I could ignore dependencies I don't care about.

https://npmjs.org/doc/README.html#Using-npm-Programmatically

npm 2.x provide Local Paths feature.

Example project of Local Paths: azu/npm-localpaths-example

"dependencies": {
  "example-utils": "file:local_modules/example-utils"
}

I try to update this project using david and get error:

$ david -v
v5.0.0
$ david u
Failed to get updated dependencies/devDependencies { [Error: 404 Not Found: example-utils] pkgid: 'example-utils', statusCode: 404, code: 'E404' }

Hi, your tool might work nicely with mine: next-update. It installs each available dependency's version, runs unit tests and then reports if tests passed or not. So you can actually know if upgrading is possible or not. Spread the word,

Now Github caches https endpoints too, sou you must provide Cache-Control: no-cache and ETag headers.

For details: github/markup#224

$ david

leads to

/usr/local/lib/node_modules/david/lib/david.js:176
    return setImmediate(function () { cb(null, pkgs) })
           ^
ReferenceError: setImmediate is not defined
    at getDependencies (/usr/local/lib/node_modules/david/lib/david.js:176:12)
    at Object.module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:216:3)
    at /usr/local/lib/node_modules/david/bin/david.js:109:11
    at module.exports.getUpdatedDependencies (/usr/local/lib/node_modules/david/lib/david.js:226:5)
    at /usr/local/lib/node_modules/david/lib/david.js:192:39
    at _asyncMap (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:229:13)
    at async.each (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:116:25)
    at i (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:24:16)
    at _asyncMap (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:226:17)
    at results (/usr/local/lib/node_modules/david/node_modules/async/lib/async.js:513:34)

Put a limit on the total number of packages that are cached so it doesn't grow indefinitely.

npm already has an outdated command, but it's somewhat neglected and david's is fancier. Heck, it's already using npm as a dep anyway.

Why not fold this into npm proper (and the semver-ext.js module's functionality into semver)?

When I run

david -g

i'm getting error

Failed to get updated dependencies/devDependencies [Error: Cannot use view command in global mode.]

Currently using npm version is '2.1.2'.

Any idea, how can fix this issue?

david update will update to latest stable, give the user a way to update to latest unstable. Perhaps:

david update --unstable

Got an error when trying to update globally installed jitsu module via david

• Node: 0.10.12
• OSX: 10.8.4
• david: 1.9.0

$ david update -g jitsu
npm http ...
..snip...

Stack trace:

/usr/local/lib/node_modules/david/node_modules/npm/node_modules/lockfile/lockfile.js:46
      throw er
            ^
Error: Cannot find module '/usr/local/lib/node_modules/david/node_modules/npm/lib/build.js'
    at Function.Module._resolveFilename (module.js:338:15)
    at Function.Module._load (module.js:280:25)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.defineProperty.get (/usr/local/lib/node_modules/david/node_modules/npm/lib/npm.js:185:15)
    at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:1053:18
    at asyncMap (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/slide/lib/async-map.js:27:18)
    at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:587:7
    at asyncMap (/usr/local/lib/node_modules/david/node_modules/npm/node_modules/slide/lib/async-map.js:27:18)
    at /usr/local/lib/node_modules/david/node_modules/npm/lib/install.js:568:5

Of interest, I now realise now that david update doesn't target individual modules, so adding jitsu to the command did nothing, and david tried to update all the things. Not a problem, just worth noting.

Also, for debugging, I ran a david -g before hand, and david was one of the global modules that was due for updating...

$ david -g
npm http ...snip...

Outdated Global Dependencies

generator-karma (package: 0.4.1, latest: 0.5.0)
generator-angular (package: 0.3.1, latest: 0.4.0)
yo (package: 1.0.0-rc.1.4, latest: 1.0.3)
david (package: 1.9.0, latest: 2.0.0)
bower (package: 1.1.0, latest: 1.2.4)
npm (package: 1.2.32, latest: 1.3.9)
browserify (package: 2.26.0, latest: 2.29.0)

npm install --global [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Would you be open to accept a pull-request for adding support for checking bower dependencies?

It would be really great to be able to use david to tell you which dependencies are out of date while using the Atom editor.

Similar example:

getUpdatedDependencies does a yeoman's job of letting you know about updated versions. A little more context without having to dig would be awesome.

Just how often does David update? I've fixed dependencies 2 hours ago, and they still come up as out of date, while David uses the old package.json.

Is there something extra I need to do or it just doesn't work?

grunt-contrib-jshint (package: ~0.3.0, latest: 0.6.2)
chai (package: ~1.5.0, latest: 1.7.2)
grunt-mocha-test (package: ~0.2.0, latest: 0.6.2)
sinon (package: ~1.6.0, latest: 1.7.3)

Because we're using ~ we could have the latest version installed and not need to make any changes. The output could be something like:

grunt-contrib-jshint (package: ~0.3.0, installed: 0.1.1, latest: 0.6.2)
chai (package: ~1.5.0, latest: installed: latest, latest: 1.7.2)
grunt-mocha-test (package: ~0.2.0, installed: 0.2.0, latest: 0.6.2)

I run David recursively (using a bash script) on my dev folder with a lot of node modules, but also other things. The package.json does not exist messages creates a lot of noise. Would be nice if david had a quiet mode that suppressed messages like that.

Reported here #59 (comment)