npm / package-json
Programmatic API to update package.json
License: Other
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Related issues:
npm/npm#12133
npm/normalize-package-data#75
This package also makes the assumption that the presence of a preinstall script means that the package does not use a gyp file and that the default install script for such a package (node-gyp rebuild) does not need to be run.
This is an unnecessary assumption and one that breaks my package.
In my tests, when I remove this assumption, my package builds fine. Would it be possible to remove this assumption?
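To make the assumption concrete, here is an added example (not code from npm/package-json or read-package-json) that models the default-install-script rule the issue describes and exposes the preinstall check as a switch. The `gypfile: false` opt-out and the `files` list standing in for a directory walk are assumptions of this example; the sample package is constructed.

```javascript
// Added example, not the project's code. `skipWhenPreinstall` is the
// assumption under discussion; `gypfile: false` as an opt-out is assumed here.
function defaultInstallScript(pkg, files, { skipWhenPreinstall = true } = {}) {
  const out = { ...pkg, scripts: { ...(pkg.scripts || {}) } }; // never mutate the input
  if (out.gypfile === false) return out;             // author opted out explicitly
  if (!files.includes('binding.gyp')) return out;    // nothing native to build
  if (out.scripts.install) return out;               // author supplied an install script
  if (skipWhenPreinstall && out.scripts.preinstall) return out; // the assumption
  out.scripts.install = 'node-gyp rebuild';          // npm's default for gyp packages
  out.gypfile = true;
  return out;
}

// Constructed sample: a native addon whose preinstall step only fetches a toolchain
// and therefore still needs the default node-gyp build.
const nativeAddon = {
  name: 'native-addon',
  version: '1.0.0',
  scripts: { preinstall: 'node fetch-toolchain.js' },
};
const addonFiles = ['package.json', 'binding.gyp', 'src/addon.cc'];

function installScriptWithAssumption() {
  return defaultInstallScript(nativeAddon, addonFiles).scripts.install;
}

function installScriptWithoutAssumption() {
  return defaultInstallScript(nativeAddon, addonFiles, { skipWhenPreinstall: false })
    .scripts.install;
}

console.log('with assumption:   ', installScriptWithAssumption());
console.log('without assumption:', installScriptWithoutAssumption());
```

With the assumption in place the addon gets no install script at all, so its binding.gyp is never built; dropping the preinstall check restores the `node-gyp rebuild` default while an author-supplied `install` script still wins.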
Need to change the entire source code for the npmjs project or use a local alias to install a different package B instead of package A.
I should be able to redirect installation of an npmjs A package to an npmjs B package from the package.json config.
Citing my repositories as an example to ensure not to make phpcgijs old versions unfindable. What I am wishing to do is redirect phpcgijs to cgijs
package.json
{
  ...
  "repository": {
    "type": "git",
    "url": "https://github.com/ganeshkbhat/cgi-js.git",
    "redirect": "newpackagename_preferably--OR--differentrepository"
  }
}
OR
{
  ...
  "redirect": "newpackagename_preferably",
  "repository": {
    "type": "git",
    "url": "https://github.com/ganeshkbhat/cgi-js.git"
  }
}
In arborist's inventory class it does its own attempts to normalize/account for license/licence but it ALSO is looking for licenses/licences, which @npmcli/package-json does not appear to do.
See if we can safely consolidate this normalization into this module, or at least see if we want to normalize the array/plural version.
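One shape such a consolidated normalization could take, as an added example that is neither arborist's nor @npmcli/package-json's code: it folds the four spellings the issue lists into a single `license` string and records what it dropped in a `changes` array. The precedence order, the handling of legacy `{ type, url }` entries and the SPDX `(A OR B)` join for multi-entry arrays are this example's own choices.

```javascript
// Added example, not the project's code. Precedence order and the "(A OR B)"
// join for plural arrays are assumptions of this example.
const LICENSE_FIELDS = ['license', 'licence', 'licenses', 'licences'];

// Accepts "MIT" or the legacy { type: "MIT", url: "..." } form.
function licenseId(entry) {
  if (typeof entry === 'string') return entry.trim();
  if (entry && typeof entry.type === 'string') return entry.type.trim();
  return null; // anything else is unusable and is dropped
}

function normalizeLicense(pkg, changes = []) {
  const out = { ...pkg };
  let ids = [];
  let source = null;
  for (const field of LICENSE_FIELDS) {
    const raw = out[field];
    if (raw === undefined) continue;
    const entries = Array.isArray(raw) ? raw : [raw]; // plural forms carry arrays
    ids = entries.map(licenseId).filter(Boolean);
    if (ids.length) { source = field; break; }       // first usable spelling wins
  }
  for (const field of LICENSE_FIELDS) {              // remove every spelling, then rebuild
    if (field in out && field !== source) changes.push(`Removed "${field}"`);
    delete out[field];
  }
  if (ids.length === 1) out.license = ids[0];
  else if (ids.length > 1) out.license = `(${ids.join(' OR ')})`; // SPDX disjunction
  if (source && source !== 'license') changes.push(`Normalized "${source}" into "license"`);
  return out;
}

// Constructed sample using the legacy plural/array form.
const legacyPkg = {
  name: 'legacy-pkg',
  licenses: [{ type: 'MIT', url: 'https://example.invalid/mit' }, { type: 'Apache-2.0' }],
};
const log = [];
console.log(normalizeLicense(legacyPkg, log).license, log);
```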
It's not available on npm now.
https://www.npmjs.com/package/@npmcli/package-json
In the package.json's bin documentation, it's documented that you can use an object with one or more bin file references OR use a single string.
Unfortunately, this is now marked as "error in your package.json when publishing".
I expected this notation to not be marked as an error, as the documentation clearly documents this as a valid option.
$ npm init
"bin": "path/to/file.js"
$ npm publish
[email protected] was published but never tagged latest due to a bug found during release. Below is a root cause of the bug, but the tl;dr is that [email protected] will be deprecated and [email protected] will be published once the bug is fixed.
We switched from read-package-json to @npmcli/package-json, which recently received an update to bring all the features from the former to the latter. Lost in this port was a minor change to normalizing package bins. Previously we would not parse package.json#directories.bin if a package.json#bin was present (ref: https://github.com/npm/read-package-json/blob/main/lib/read-json.js#L351-L353) but now we do regardless of whether a bin object is there (ref: https://github.com/npm/package-json/blob/main/lib/normalize.js#L161)
Next steps:
- [email protected]. This version exists on the registry and contains breaking changes that would impact users if you publish packages using both bin and directories.bin
- @npmcli/package.json
- read-package-json and @npmcli/package-json, and assert this behavior in new tests to ensure no other breaking changes occurred
- [email protected]
Originally posted by @lukekarrys in npm/cli#6470 (comment)
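The two bin issues above (the string form of `bin` being rejected, and `directories.bin` now being read even when `bin` is present) come down to one normalization step. The following is an added example, not the code of read-package-json or @npmcli/package-json, that models that step with the old and new precedence as a switch. The `files` array is a constructed list of tarball paths standing in for a directory read, and the sample package is constructed.

```javascript
// Added example, not the project's code. `mergeDirectoriesBin: false` models the
// read-package-json precedence; `true` models the regression the release note describes.
function unscopedName(name) {
  return name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
}

function normalizeBin(pkg, files, { mergeDirectoriesBin }) {
  const out = { ...pkg };
  let bin = {};
  if (typeof out.bin === 'string') {
    // "bin": "path" is valid: the command is named after the (unscoped) package.
    bin[unscopedName(out.name)] = out.bin;
  } else if (out.bin && typeof out.bin === 'object') {
    bin = { ...out.bin };
  }
  const binDir = out.directories && out.directories.bin;
  const haveBinField = Object.keys(bin).length > 0;
  if (binDir && (mergeDirectoriesBin || !haveBinField)) {
    const prefix = binDir.replace(/\/+$/, '') + '/';
    for (const file of files) {
      if (!file.startsWith(prefix)) continue;
      const rel = file.slice(prefix.length);
      if (rel.includes('/') || rel.startsWith('.')) continue; // top-level, non-dotfiles only
      bin[rel] = file; // plain assignment: a directory entry silently overrides a bin entry
    }
  }
  if (Object.keys(bin).length) out.bin = bin; else delete out.bin;
  return out;
}

// Constructed sample that declares both fields, the case the release note warns about.
const toolPkg = {
  name: '@acme/tool',
  version: '2.0.0',
  bin: { tool: 'cli/tool.js' },
  directories: { bin: 'bin' },
};
const tarballFiles = ['package.json', 'cli/tool.js', 'bin/legacy-tool', 'bin/.keep', 'bin/sub/x'];

function oldBehaviour() { return normalizeBin(toolPkg, tarballFiles, { mergeDirectoriesBin: false }).bin; }
function newBehaviour() { return normalizeBin(toolPkg, tarballFiles, { mergeDirectoriesBin: true }).bin; }

console.log('old:', oldBehaviour());
console.log('new:', newBehaviour());
```

Under the old precedence `directories.bin` is ignored once `bin` exists, so only `tool` is linked; under the new one `legacy-tool` is linked as well, which is exactly the extra command a consumer would not expect to appear after upgrading.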
Build id is a pretty grey area for semver and the npm registry. Since it's not part of semver resolution it's stripped when sending the packument data, but kept in the package.json in the tarball.
Discussion at npm/cli#1479
npm pkg fix may want to not strip build id by default.
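Why the build id can be dropped from packument data without changing resolution, as an added example that is not npm's or the semver package's code: a small semver parser whose precedence comparison never consults the `+build` part, alongside the stripping step the registry applies. Sample version strings are constructed.

```javascript
// Added example, not the project's code: build metadata is parsed but never
// consulted by precedence, which is why the registry can strip it.
const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$/;

function parseVersion(v) {
  const m = SEMVER.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    major: +m[1], minor: +m[2], patch: +m[3],
    prerelease: m[4] ? m[4].split('.') : [],
    build: m[5] ? m[5].split('.') : [],     // kept in the tarball's package.json
  };
}

// What the packument carries: the version with its build id removed.
function stripBuild(v) {
  const p = parseVersion(v);
  const core = `${p.major}.${p.minor}.${p.patch}`;
  return p.prerelease.length ? `${core}-${p.prerelease.join('.')}` : core;
}

function compareIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;                        // numeric identifiers sort before alphanumeric
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Semver precedence: core numbers, then prerelease identifiers; build is ignored.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.prerelease.length || !y.prerelease.length) {
    return Number(!x.prerelease.length) - Number(!y.prerelease.length); // release > prerelease
  }
  const n = Math.min(x.prerelease.length, y.prerelease.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(x.prerelease[i], y.prerelease[i]);
    if (c) return c;
  }
  return Math.sign(x.prerelease.length - y.prerelease.length); // longer prerelease wins
}

console.log(stripBuild('1.2.3+build.7'), compareVersions('1.2.3+build.7', '1.2.3+build.8'));
```

Two publishes that differ only in build id therefore compare equal, so a `^1.2.0` range cannot distinguish them; the registry only loses information that never influenced a resolution, but an `npm pkg fix` that rewrites the local file does drop something the tarball would otherwise carry.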
When the scripts key is entirely missing from a package.json, the normalize function will report it as invalid and that it was removed, then delete it. Of course, the key never existed at all, so deleting it does nothing.
See:
npm/cli#7127
If scripts being required to be at least an empty object is intended, then I'd expect normalize to set it to that instead of deleting it. If scripts can be omitted, then I'd expect it to not report them as invalid.
As an aside, the message Removed invalid "scripts" is very misleading if scripts was already missing.
npm init -y
npm pkg delete scripts
npm i @npmcli/package-json
index.js:
// Run the fix() normalization on the current directory and collect its change log.
const changes = [];
require("@npmcli/package-json")
  .fix(".", { changes })
  .then(
    (res) => console.log(changes.join("\n"), res.content.scripts),
    console.error
  );
node index.js
Removed invalid "scripts" undefined
It errored about the missing scripts, but didn't fix it.