delfrrr / npm-consider
Check package dependencies before installing it
License: Other
When redirecting output away from the TTY to a file or a pipe, I get this error:
TypeError: process.stdout.cursorTo is not a function
at getPackageDetails.then (/Users/benjamin/.npm/_npx/27879/lib/node_modules/npm-consider/index.js:100:22)
at process._tickCallback (internal/process/next_tick.js:68:7)
Steps to reproduce:
npx npm-consider install nodemon >/dev/null
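The failure above comes from calling cursor-control methods that only exist on a TTY stream. The following is an added example, not code from npm-consider, showing the check a CLI should make before using `cursorTo`/`clearLine`, and the plain-line fallback for when stdout is a file or pipe. `writeStatus`, `isInteractive` and `fakeStream` are names invented for this example; the stream shape mirrors Node's `process.stdout` / `tty.WriteStream`.

```javascript
// Added example (not npm-consider's code): only use cursor control when the
// stream is an interactive terminal; otherwise emit ordinary lines so that
// redirection to a file or pipe works.

// Node sets isTTY and adds cursorTo/clearLine only on tty.WriteStream, so a
// redirected stdout fails both tests.
function isInteractive(stream) {
  return Boolean(
    stream &&
    stream.isTTY &&
    typeof stream.cursorTo === 'function' &&
    typeof stream.clearLine === 'function'
  );
}

// Writes `text` as an in-place status line on a TTY, or as a normal
// newline-terminated line otherwise. Returns the mode used so callers
// can verify which path was taken.
function writeStatus(stream, text) {
  if (isInteractive(stream)) {
    stream.cursorTo(0);   // move to column 0 of the current line
    stream.clearLine(0);  // clear the whole line
    stream.write(text);   // overwrite in place, no trailing newline
    return 'tty';
  }
  stream.write(text + '\n');
  return 'plain';
}

// Constructed fake streams (hypothetical, for offline demonstration): one that
// looks like a TTY and one that looks like a redirected file descriptor.
function fakeStream(isTTY) {
  const calls = [];
  const s = {
    isTTY,
    calls,
    write(chunk) { calls.push(['write', chunk]); return true; },
  };
  if (isTTY) {
    s.cursorTo = (x) => calls.push(['cursorTo', x]);
    s.clearLine = (dir) => calls.push(['clearLine', dir]);
  }
  return s;
}

// Demonstration against the real stdout: prints one plain line when the
// process output is redirected, overwrites the line when it is a terminal.
writeStatus(process.stdout, 'GET https://registry.npmjs.org/nodemon');
```

Run `node example.js > /dev/null` and `node example.js` to see the two paths; the fake streams make the same behaviour checkable without a terminal.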
Hi!
Great package and concept. Also appreciated the Medium.com write-up.
I noticed that when providing the details of licenses, "[email protected]", whose license is listed as "GPL-3.0-or-later OR MIT" is categorized as "Protective". Since the "OR" is present with the permissive MIT, I would think it should go with "Permissive" instead. Only for "AND" would it make sense I think to be "Protective".
$ npx npm-consider i webvtt-parser
GET https://registry.npmjs.org/webvtt-parserError: Response is not ok
at checkResponse (/Users/bilonenk/dev/lazy-german-subtitles/node_modules/npm-consider/lib/getPackageDetails.js:24:9)
at <anonymous>
at process._tickCallback (internal/process/next_tick.js:188:7)
Hi,
I'm often most concerned if I've already installed some Protective or Uncategorized licenses (into a permissive or weakly protective package).
It'd be great if one could opt to get the details table showing only certain license types, e.g., Protective or Uncategorized ones.
Would be nice to be able to print the dependency graph when you integrate this on a CI environment.
Something like
npm-consider install --production --test --details
or
npm-consider install --production --test_details
This way you get more details instead of just a success or an error with short details.
When reading the details report, it would be great to understand what peer-dependencies are required of a package in addition to the dependencies that will be installed with a package.
Feature request: support for GitHub-based dependencies.
I was just playing around, and found that I can run the --test option together with the --production option, and it results in different results with far fewer packages. Our wish is to be able to run the --test only on the dependencies and not devDependencies.
This is the command I run. Does it actually do what I hope it is doing?
npx npm-consider install --test --production
I think it would be useful to include a way to check GPL2 and GPL3 compatibility, specifically flagging licenses that may be problematic, such as CC-BY-SA, Apache (for GPL2), GPL2 only (for GPL3), etc.
Excellent tool and great article to go with it.
As someone who does open source license compliance for my company, I have a few suggestions on licenses to add/types to consider for them:
Thanks, and keep up the good work spreading the gospel of licensing!
There is no chance to use npm-consider with private repositories.
It would be nice to have any of these options:
command I run:
npm-consider install
Packages I use:
"@fortawesome/fontawesome-svg-core": "^1.2.25",
"@fortawesome/pro-light-svg-icons": "^5.11.2",
"@fortawesome/vue-fontawesome": "^0.1.8",
Error I get:
Error: Response is not ok 401 Unauthorized https://npm.fontawesome.com/@fortawesome%2ffontawesome-svg-core
at checkResponse (/usr/local/lib/node_modules/npm-consider/lib/getPackageDetails.js:26:9)
at process._tickCallback (internal/process/next_tick.js:68:7)
When using yarn workspaces, the yarn.lock file is located in the root folder.
If I run npm-consider install <pkg> inside a nested folder that represents a package in my monorepo (workspace), npm-consider does not detect this belongs to a yarn workspace and tries to use npm install instead.
For yarn workspaces see: https://yarnpkg.com/lang/en/docs/workspaces/
The following command will install both express and feathers but it will only give information about express.
npm-consider install express @feathersjs/feathers
It would be great if npm-consider could give information either on each package in turn or on all packages together.
When I run npm-consider install, it goes through tens of packages and then at one point it gives ETIMEOUT. Every time I retry, it stops at different points.
Either retry, or expand timeout?
I am using vue-cli.
vue create npm-consider-test
<<< click enter and then wait for a minute >>>
cd npm-consider-test
npm-consider install
PS C:\temp\npm-consider-test> npm-consider install
[email protected]
GET https://registry.npmjs.org/p-limit{ FetchError: request to https://registry.npmjs.org/@babel%2fpreset-stage-2 failed, reason: connect ETIMEDOUT 104.16.20.35:443
at ClientRequest.<anonymous> (C:\Users\kennethc\AppData\Roaming\npm\node_modules\npm-consider\node_modules\node-fetch\index.js:133:11)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at TLSSocket.socketErrorListener (_http_client.js:387:9)
at emitOne (events.js:116:13)
at TLSSocket.emit (events.js:211:7)
at emitErrorNT (internal/streams/destroy.js:64:8)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickCallback (internal/process/next_tick.js:180:9)
name: 'FetchError',
message: 'request to https://registry.npmjs.org/@babel%2fpreset-stage-2 failed, reason: connect ETIMEDOUT 104.16.20.35:443',
type: 'system',
errno: 'ETIMEDOUT',
code: 'ETIMEDOUT' }
PS C:\temp\npm-consider-test> npm-consider install
[email protected]
GET https://registry.npmjs.org/run-queue{ FetchError: request to https://registry.npmjs.org/cssnano failed, reason: connect ETIMEDOUT 104.16.20.35:443
at ClientRequest.<anonymous> (C:\Users\kennethc\AppData\Roaming\npm\node_modules\npm-consider\node_modules\node-fetch\index.js:133:11)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at TLSSocket.socketErrorListener (_http_client.js:387:9)
at emitOne (events.js:116:13)
at TLSSocket.emit (events.js:211:7)
at emitErrorNT (internal/streams/destroy.js:64:8)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickCallback (internal/process/next_tick.js:180:9)
name: 'FetchError',
message: 'request to https://registry.npmjs.org/cssnano failed, reason: connect ETIMEDOUT 104.16.20.35:443',
type: 'system',
errno: 'ETIMEDOUT',
code: 'ETIMEDOUT' }
PS C:\temp\npm-consider-test>
Related to #10 which correctly observes that
no good way to pipe it to a file
There shall be a non-interactive way to call details. The other issue already gives a potential solution by adding a --details arg:
npm-consider install --test --details > detailsdump.txt
would solve both.
detailsdump.txt
Thanks!
Is it possible to give a list of dependencies to ignore when running for a whole project?
My team have some internal npm dependenies that aren't published.
Looks like it may be checking things in a specific order, so it's identifying it as "Unlicense" (which is a correct license).
https://docs.npmjs.com/files/package.json
Finally, if you do not wish to grant others the right to use a private or unpublished package under any terms:
{ "license": "UNLICENSED" }
I'd suggest doing a longest-fit search for the license, so it can get the correct category.
If someone puts the wrong license in their package.json
then that is an issue for them to fix ;-)
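Two of the issues above concern how a license string is mapped to a category: the one about "GPL-3.0-or-later OR MIT" being reported as Protective, and this one about "UNLICENSED" being matched as "Unlicense". Both are questions about parsing SPDX license expressions rather than matching them as substrings. The block below is an added example, not npm-consider's own code: it tokenizes an SPDX expression, treats OR as "the least restrictive branch applies" and AND as "the most restrictive branch applies", skips WITH exceptions without changing the category, and looks license identifiers up by exact, case-sensitive match so "UNLICENSED" and "Unlicense" cannot collide. The category names follow those npm-consider reports on this page; their ordering, the identifier table and the function names are assumptions made for this example.

```javascript
// Added example (not npm-consider's code): categorise an SPDX license
// expression with correct OR / AND semantics and exact identifier lookup.

// Assumed ordering from least to most restrictive. Unknown identifiers are
// "Uncategorized", which is treated as the most restrictive so that an AND
// with an unknown license never looks permissive.
const CATEGORIES = [
  'Public Domain',
  'Permissive',
  'Weakly Protective',
  'Protective',
  'Network Protective',
  'Uncategorized',
];

// Constructed, illustrative table; exact keys, no prefix matching.
// "Unlicense" (a public-domain dedication) and "UNLICENSED" (npm's marker
// for "no license granted") are deliberately distinct entries.
const LICENSE_CATEGORY = new Map([
  ['Unlicense', 'Public Domain'],
  ['CC0-1.0', 'Public Domain'],
  ['MIT', 'Permissive'],
  ['ISC', 'Permissive'],
  ['BSD-3-Clause', 'Permissive'],
  ['Apache-2.0', 'Permissive'],
  ['MPL-2.0', 'Weakly Protective'],
  ['LGPL-3.0-or-later', 'Weakly Protective'],
  ['GPL-2.0-only', 'Protective'],
  ['GPL-3.0-or-later', 'Protective'],
  ['AGPL-3.0-or-later', 'Network Protective'],
  ['UNLICENSED', 'Uncategorized'],
]);

function rank(category) {
  return CATEGORIES.indexOf(category);
}

// Exact lookup: a Map key either matches the whole identifier or not at all.
function categorizeId(id) {
  return LICENSE_CATEGORY.get(id) || 'Uncategorized';
}

// Tokens are parentheses and identifier-like runs (letters, digits, '.', '+', '-').
// The SPDX operators AND, OR and WITH come out as identifier tokens and are
// recognised by value in the parser below.
function tokenize(expr) {
  return expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
}

// Recursive-descent parser for the SPDX expression grammar:
//   or      := and ('OR' and)*
//   and     := primary ('AND' primary)*
//   primary := '(' or ')' | ID ('WITH' ID)?
// Returns the category of the whole expression.
function parseExpression(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseOr() {
    let cat = parseAnd();
    while (peek() === 'OR') {
      next();
      const rhs = parseAnd();
      if (rank(rhs) < rank(cat)) cat = rhs; // OR: the consumer may pick the easiest branch
    }
    return cat;
  }

  function parseAnd() {
    let cat = parsePrimary();
    while (peek() === 'AND') {
      next();
      const rhs = parsePrimary();
      if (rank(rhs) > rank(cat)) cat = rhs; // AND: every branch applies, so the strictest wins
    }
    return cat;
  }

  function parsePrimary() {
    const tok = next();
    if (tok === '(') {
      const cat = parseOr();
      if (next() !== ')') throw new Error('unbalanced parentheses in ' + JSON.stringify(expr));
      return cat;
    }
    if (tok === undefined || tok === ')' || tok === 'AND' || tok === 'OR' || tok === 'WITH') {
      throw new Error('unexpected token ' + JSON.stringify(tok) + ' in ' + JSON.stringify(expr));
    }
    const cat = categorizeId(tok);
    if (peek() === 'WITH') { // exception clause: keep the base license's category
      next();
      if (next() === undefined) throw new Error('missing exception after WITH in ' + JSON.stringify(expr));
    }
    return cat;
  }

  const result = parseOr();
  if (pos !== tokens.length) throw new Error('trailing tokens in ' + JSON.stringify(expr));
  return result;
}
```

With this, `parseExpression('GPL-3.0-or-later OR MIT')` yields Permissive while the AND form yields Protective, and `parseExpression('UNLICENSED')` stays Uncategorized because nothing ever tries a prefix match against "Unlicense".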
Hi,
My machine is behind a proxy, I set the npm proxy settings and 'npm install' works fine !
But when I try 'npm-consider install', it fails with this error:
GET https://registry.npmjs.org/http-proxy{ FetchError: request to https://registry.npmjs.org/@slack%2fclient failed, reason: connect ECONNREFUSED 104.18.95.96:443
at ClientRequest.<anonymous> (/usr/lib/node_modules/npm-consider/node_modules/node-fetch/index.js:133:11)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at TLSSocket.socketErrorListener (_http_client.js:387:9)
at emitOne (events.js:116:13)
at TLSSocket.emit (events.js:211:7)
at emitErrorNT (internal/streams/destroy.js:64:8)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickCallback (internal/process/next_tick.js:180:9)
name: 'FetchError',
message: 'request to https://registry.npmjs.org/@slack%2fclient failed, reason: connect ECONNREFUSED 104.18.95.96:443',
type: 'system',
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED' }
It seems 104.18.95.96:443 is hard-coded as a proxy by the tool because it is not the proxy I configured!
Thanks.
Some teams use yarn instead of npm maybe with some flag the command can be yarn add instead of npm save?
Is there a way to see the details on ALL packages at once?
npm-consider install --test --details
or something of the like?
Great tool in any case! just have a lot of packages right now and I don't know which ones are "protective"
It has been drawn to my attention that there is really an even stronger category than "Network protective", as they put conditions on how the package is used even privately; yet it is still considered by some as open source, and I think it might be worth flagging, including with devDependencies.
While "Uncategorized" presumably already includes these (as well as any custom license terms), it might still be helpful to add "Reuse protective" as its own category.
Hi,
Not a big deal, but I figure you may want to correct the spelling of the "maxSizeBites" option to "maxSizeBytes".
Thanks!
I gave npm-consider a try today in my company environment.
We use Nexus from Sonatype as a private registry that mirrors npm's one and hosts the company's private modules.
For some reason (which might be a misconfiguration of the Nexus instance on our side), npm-consider can't fetch the packages' dependency size (everything is at 0).
When selecting Impact from the prompt, it gives me the following output:
? What is next? Impact
Packages 5 +4.31%
Size 0 B +NaN%
After a quick read of the codebase, I can see that this is the line causing it to be NaN (divide by 0):
https://github.com/delfrrr/npm-consider/blob/master/lib/showImpact.js#L102
Do you think a PR that adds a check on currentPackageStats.size and sets everything to 0, or (option b) adds a message saying that something went wrong while trying to fetch the package size, is appropriate?
I am willing to work on this, just need your opinion before.
Regards
The issue is exactly as the title says: npm-consider seems to fail when selecting Impact. Associated command output with stack trace is below (tested using express with the command npm-consider install --save express):
***@***:~/proj/zifar$ npm-consider install --save express
[email protected] (updated 6 months ago)
Packages 51
Size 535.18 KB
Licenses Permissive 51
? What is next? Impact
TypeError: Cannot read property 'saveDev' of undefined
at getLocalPackage.then (/mnt/c/Users/***/AppData/Roaming/npm/node_modules/npm-consider/lib/showImpact.js:69:25)
at <anonymous>
at process._tickCallback (internal/process/next_tick.js:188:7)
Note that this error also occurs if I attempt to use the module directly in the Windows command prompt.
Hi,
@delfrrr , @DanielRuf : Thank you for such a valuable project.
As it has been some months since making some PRs without hearing back, I am wondering whether you are still maintaining the project though?
Thanks!