npmvet's Introduction

NPM Vet is a simple CLI tool to help vet your npm package versions. NPM Vet can be used locally, or as a CI build-step to prevent builds passing with mismatched package versions. To read more about NPM Vet, visit the Hark website.

Installation

$ npm install npmvet -g

Usage

Usage: npmvet [options]

Options:

  -h, --help                 output usage information
  -V, --version              output the version number
  -p, --package <package>    package.json file location (Default: .)
  -m, --modules <modules>    node_modules folder location (Default: .)
  -r, --renderer <renderer>  Renderer to use (Default: inlinetable)
  -s, --strict               Using the CI renderer, fail build if any packages unlocked (Default: false, flag)

Strict Mode

If you're using the CI renderer (see below), the -s flag enables strict mode, in which builds fail if versions are unlocked, not just mismatched.

Renderers

Renderers are used to dictate how to output the data NPM Vet collects. The default is inlinetable.

Inline Table

$ npmvet -r inlinetable

The default renderer, inlinetable, will print a table inline with your current process. You can use this locally to visualise package differences.

CI

$ npmvet -r ci

To prevent your CI builds passing with mismatched package versions, use the CI renderer. If any package version mismatches are found, the build will fail.

If there are no mismatching package versions, your build will continue (and hopefully pass!).

Blessed

The blessed renderer will render a table inside a screen that has to be exited by the user.

$ npmvet -r blessed

JSON

The JSON renderer will print a JSON array with match information for each package.

$ npmvet -r json
[
  {
    "name": "blessed",
    "packageVersion": "0.1.81",
    "installedVersion": "0.1.81",
    "matches": true,
    "locked": false
  },
  {
    "name": "chalk",
    "packageVersion": "1.1.3",
    "installedVersion": "1.1.3",
    "matches": true,
    "locked": false
  },
  {
    "name": "jest",
    "packageVersion": "18.1.0",
    "installedVersion": "18.1.0",
    "matches": true,
    "locked": false
  }
]
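
Because the JSON renderer reports matches and locked for each package, a pipeline can enforce its own policy on that output rather than depending on a renderer's exit code. The gate below is an added example, not part of npmvet: the evaluate function, the SAMPLE data and the gate.js / vet.json file names are assumptions, and it expects an npmvet version that provides the json renderer.

```javascript
// Added example, not npmvet code: a CI gate over `npmvet -r json` output.
// Usage (file names are assumptions):
//   npmvet -r json > vet.json && node gate.js vet.json [--strict]

// Constructed sample in the shape shown above; the `locked: true` values and
// the jest mismatch are invented to exercise both failure paths.
const SAMPLE = JSON.stringify([
  { name: 'blessed', packageVersion: '0.1.81', installedVersion: '0.1.81', matches: true, locked: true },
  { name: 'chalk', packageVersion: '1.1.3', installedVersion: '1.1.3', matches: true, locked: false },
  { name: 'jest', packageVersion: '18.1.0', installedVersion: '18.0.0', matches: false, locked: true },
]);

// Returns { ok, failures }. Mismatches always fail; unlocked entries fail
// only when strict is set. Anything unparseable or malformed fails closed.
function evaluate(jsonText, { strict = false } = {}) {
  let entries;
  try {
    entries = JSON.parse(jsonText);
  } catch (err) {
    return { ok: false, failures: [`output is not valid JSON: ${err.message}`] };
  }
  if (!Array.isArray(entries)) {
    return { ok: false, failures: ['expected a JSON array of package entries'] };
  }
  const failures = [];
  for (const entry of entries) {
    const e = entry || {};
    const name = typeof e.name === 'string' ? e.name : '<unnamed>';
    if (e.matches !== true) {
      failures.push(`${name}: package.json has ${e.packageVersion}, installed is ${e.installedVersion}`);
    } else if (strict && e.locked !== true) {
      failures.push(`${name}: ${e.packageVersion} is not locked`);
    }
  }
  return { ok: failures.length === 0, failures };
}

// Command-line entry point: exit non-zero so the pipeline step fails.
const file = process.argv[2];
if (file && file.endsWith('.json')) {
  import('node:fs').then(({ readFileSync }) => {
    const strict = process.argv.includes('--strict');
    const result = evaluate(readFileSync(file, 'utf8'), { strict });
    result.failures.forEach((line) => console.error(line));
    process.exitCode = result.ok ? 0 : 1;
  });
}
```

Writing the JSON to a file first keeps the pipeline step from passing on truncated or empty tool output, since anything that does not parse as an array is treated as a failure.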

Contributing

For information regarding contributing to this project, please read the Contributing document.

License

MIT License

npmvet's People

Contributors

andrewhathaway, slieschke, timjacobi

npmvet's Issues

The JSON renderer

The document states that it can be displayed in JSON with npmvet -r json, but it cannot be executed in 0.1.2. Do you still have an update plan?

Usage of typings for TS type management

I realise the types for this package are managed by typings. Since TypeScript 2 you can manage types using NPM and the @types organisation - see here.

I have tested this locally and am happy to submit a PR if this is of interest.

If package version is tgz it will be `Mismatch`

It seems that the installed version matches, but if package version is tgz it will be Mismatch.

example:
glob │ https://registry.npmjs.org/glob/-/glob-7.1.1.tgz │ 7.1.1   │  Mismatch  │  Unlocked

What does "Locked" mean?

Aren't you "locking" it when you use ~ or ^ ?

Or is it only supposed to represent if you use a static version?

Support for "latest" and "beta" matching

Currently you get a mismatch if you use things like "latest,beta,next,etc" in your package.json.

example:
║ mock-fs │ latest │ 3.12.1 │ Mismatch │ Unlocked ║

Is there a way to add support for this?

Display latest version

Hi, thank you, this project is quite useful!

I know it's not in scope, but it would be a nice addition to optionally display the latest available version. That way it would allow making update decisions, e.g. there is a minor update and you decide to update, test and lock again.

Comparison with npm outdated

This isn't really an issue, but I think that it would be good to compare this package with the standard npm outdated -l command. Something else worth positioning as a comparison would be npm shrinkwrap as a way to lock dependencies (e.g. in a CI context, to ensure that all dependencies are locked).

This would help and figure out the added value of this package.

Thanks

Add switch for rendering JSON output

It would be great to have a JSON renderer so you can store or process the output. Instead of a table the output could be something like

[
  {
    "name": "blessed",
    "packageVersion": "0.1.81",
    "installedVersion": "0.1.81",
    "matches": true,
    "locked": false
  }
]

Handling sub-dependencies

How does this handle sub-dependencies (i.e. you're not locking down babel if you remove the ^ in your project's package.json because that version of Babel still uses the caret to specify its dependencies)?

And what benefit does this tool provide over using npm shrinkwrap?

[Suggestion] npmvet --lock command of some sort

I know sometimes even minor versions can result in fuckery, I'd wanted to use a --lock=installed command.
This would edit my package.json file with the specific versions that are surely to work.

This could be expanded if npmvet would display available version, so you could tell npmvet what version they should lock on (either package version, installed version or available version).

In that case a --lock=package|installed|available could be useful.

Auto exclude local file packages

In my situation it is necessary to have a local file package rather than an npm hosted package. I am not able to use npmvet in our build process as a final check due to it considering the local file package different than the installed version. It would be great to have an exclude package option, or a feature that auto excluded local file packages.

Strict mode doesn't check for mismatching

If a package is locked but mismatched, npmvet -s -r ci exits without error.

This may happen in development, when you update your branch with the latest master, that brings new packages, and forget to run npm ci.

I made a PR with the fix.

version URL tag enhancement

In some repositories the version tags do not start with 'v'

"ng-uikit-pro-standard": "git+https://oauth2:[email protected]/mdb/angular/ng-uikit-pro-standard.git#8.5.0"

This is a slight variant on the fix in issue #2

Will submit a PR.

Pipeline does not fail with ci renderer when there is a mismatch

Hey,

First of all, thanks for amazing project!

I have added npmvet -r ci to pipeline hoping it would start failing the pipeline if there is a version mismatch. There is a new mismatch, but the pipeline does not fail and the command has exited with 0 error code.

Am I using it not in a proper way?

Thanks for your answer!

Provide Similar functionality to yarn outdated

It would be great to add

  • what the current package.json says (i.e Current column).
  • What the resolution of things like ~ or ^ wants (i.e Wanted column) and maybe state that in the output?
  • then a 3rd column for how far behind you are (i.e. Latest).
  • Then you can have your mismatch logic be behind current and wanted.

Posted what yarn outdated would look like for reference.

yarn outdated v0.17.10
Package                        Current Wanted  Latest Package Type
autoprefixer                   6.5.4   6.5.4   6.7.2  devDependencies
babel-cli                      6.14.0  6.14.0  6.22.2 devDependencies
babel-eslint                   6.1.2   6.1.2   7.1.1  devDependencies
babel-istanbul                 0.11.0  0.11.0  0.12.1 devDependencies
babel-plugin-webpack-loaders   0.7.1   0.7.1   0.8.0  devDependencies
babel-polyfill                 6.6.1   6.6.1   6.22.0 devDependencies
babel-runtime                  6.6.1   6.6.1   6.22.0 devDependencies
bluebird                       3.3.3   3.3.3   3.4.7  devDependencies
concurrently                   2.2.0   2.2.0   3.1.0  devDependencies
cross-env                      2.0.1   2.0.1   3.1.4  devDependencies
css-loader                     0.24.0  0.24.0  0.26.1 devDependencies
enzyme                         2.4.2   2.4.2   2.7.1  devDependencies
es6-promisify                  4.1.0   4.1.0   5.0.0  devDependencies
esdoc                          0.4.8   0.4.8   0.5.2  devDependencies
eslint-config-airbnb           10.0.1  10.0.1  14.0.0 devDependencies
eslint-config-standard         6.0.1   6.0.1   6.2.1  devDependencies
eslint-import-resolver-webpack 0.5.1   0.5.1   0.8.1  devDependencies
eslint-plugin-import           1.16.0  1.16.0  2.2.0  devDependencies
eslint-plugin-jsx-a11y         2.2.3   2.2.3   4.0.0  devDependencies
eslint-plugin-promise          2.0.1   2.0.1   3.4.0  devDependencies
eventemitter3                  1.1.1   1.1.1   2.0.2  devDependencies
expand-tilde                   1.2.2   1.2.2   2.0.2  devDependencies
fix-path                       2.0.0   2.0.0   2.1.0  devDependencies
fs-extra                       1.0.0   1.0.0   2.0.0  devDependencies
github                         5.2.3   5.2.3   8.1.1  dependencies
history                        2.0.1   2.0.1   4.5.1  devDependencies
http-status-codes              1.0.6   1.0.6   1.1.6  devDependencies
husky                          0.11.9  0.11.9  0.13.1 devDependencies
isomorphic-style-loader        1.0.0   1.0.0   1.1.0  devDependencies
jquery                         2.2.4   2.2.4   3.1.1  devDependencies
lodash                         4.11.2  4.11.2  4.17.4 devDependencies
mocha-multi                    0.9.1   0.9.1   0.10.0 devDependencies
node-fetch                     1.3.3   1.3.3   1.6.3  devDependencies
normalize.css                  3.0.3   3.0.3   5.0.0  devDependencies
npm                            3.10.10 3.10.10 4.1.2  devDependencies
path-to-regexp                 1.6.0   1.6.0   1.7.0  devDependencies
postcss-import                 8.2.0   8.2.0   9.1.0  devDependencies
postcss-loader                 0.8.2   0.8.2   1.2.2  devDependencies
postcss-scss                   0.1.9   0.1.9   0.4.0  devDependencies
prettyjson                     1.1.3   1.1.3   1.2.1  devDependencies
react                          15.4.0  15.4.0  15.4.2 devDependencies
react-dom                      15.4.0  15.4.0  15.4.2 devDependencies
react-dropzone                 3.6.0   3.6.0   3.9.2  devDependencies
react-notification-system      0.2.7   0.2.7   0.2.11 devDependencies
react-redux                    4.4.6   4.4.6   5.0.2  devDependencies
redux                          3.5.2   3.5.2   3.6.0  devDependencies
redux-logger                   2.6.1   2.6.1   2.8.1  devDependencies
redux-thunk                    2.0.1   2.0.1   2.2.0  devDependencies
request                        2.78.0  2.78.0  2.79.0 devDependencies
sort-package-json              1.4.0   1.4.0   1.5.0  devDependencies
sync-request                   3.0.1   3.0.1   4.0.1  devDependencies
webpack                        1.12.15 1.12.15 2.2.1  devDependencies
webpack-merge                  0.14.1  0.14.1  2.6.1  devDependencies
whatwg-fetch                   0.11.0  0.11.0  2.0.2  devDependencies 
