Comments (4)
The current implementation is something of a quick-and-dirty just-what-we-need convenience hack. Extending it to support multiple versions shouldn't be too hard (so we should do it), but I'm concerned that there may be some subtlety in parsing the file that we're missing.
It would be better to have npm do the parsing for us (even if only as a backup for cases where the hypothetical subtlety that I'm concerned about bites us).
AFAICT, the `npm ls` command is the magic that gives us the dependency list, but I don't see a configuration that generates a simple flat file. The `--parseable` option, even when combined with the `--long` option, doesn't seem to give us something that is any more workable than just the straight hierarchy list.
AFAICT, the simplest get-npm-to-do-it solution is this:
npm ls --all | grep -Poh "@?[\w.\-/]+@\d+\.\d+\.\d+(?:-[\w.]+)?" | sort | uniq
and then pipe the result into the tool.
Do you have any further insight, @ffendt?
Can you provide me a link to the package-lock.json file for your project so that I can test with it?
from dash-licenses.
I've been looking a bit harder at the file format.
There's a "dev" option; when this is set to true, the library is required only at development time (i.e., it is specifically not required at runtime). I'm thinking that we can (at least optionally) skip these, or otherwise try to use the feature to identify "works with" dependencies.
from dash-licenses.
Rudimentary support for v2 has been added with 448b95b.
from dash-licenses.
Thanks a lot for the work you've already put into this. Sadly I don't have further insights as I just stumbled upon this. AFAIK, the "dev" option was also there for files in v1 format.
In our CI we're splitting the existing package-lock.json files at the "dev" option and running the dash-licenses tool once for the lockfile with only prod dependencies and once for the lockfile with only dev dependencies. You can find one of the bigger lockfiles we're running on in ditto-clients/javascript/lib/node/package-lock.json. (Side note: sadly, ClearlyDefined also sometimes times out for this amount of packages.)
I'd really like to test your enhancements, but I'm not sure when I'll get to this as the next two weeks are already quite packed.
from dash-licenses.
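To make the points raised in this thread concrete (the flat name@version list the `npm ls | grep` pipeline in the first comment is after, the "dev" flag from the second comment, and the prod/dev lockfile split the last comment describes), here is a small Python script. It is an added example, not dash-licenses code and not the commenter's CI script. It reads both lockfile layouts: the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map keyed by install path of lockfileVersion 2/3. The two sample lockfiles are constructed, and treating "devOptional" entries as production is this example's own assumption.

```python
"""Added example (not dash-licenses code): flatten an npm package-lock.json of
lockfileVersion 1 or 2/3 into name@version entries, keep the "dev" flag, and
split the lockfile into a production-only and a development-only copy."""
import json
import sys


def _walk_v1(deps, out):
    # lockfileVersion 1: nested "dependencies" tree, "dev": true on dev-only nodes.
    for name, meta in deps.items():
        out.append((name, meta["version"], bool(meta.get("dev"))))
        _walk_v1(meta.get("dependencies", {}), out)


def flatten(lock):
    """Sorted, de-duplicated list of (name, version, is_dev) tuples."""
    out = []
    packages = lock.get("packages")
    if packages is not None:
        # v2/v3: flat map keyed by install path. A v2 file also still embeds the
        # v1 "dependencies" tree, so "packages" wins whenever it is present.
        for path, meta in packages.items():
            if path == "" or "version" not in meta:
                # "" is the project itself; no version means a workspace link
                # ("link": true). Neither is a third-party dependency.
                continue
            # Name is the part after the last "node_modules/" unless the entry
            # states "name" explicitly (aliased packages do).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            # Assumption: "devOptional" entries are treated as production,
            # since an optional dependency may still ship.
            out.append((name, meta["version"], bool(meta.get("dev"))))
    else:
        _walk_v1(lock.get("dependencies", {}), out)
    return sorted(set(out))


def partition(lock):
    """(production, development) lists of name@version strings."""
    entries = flatten(lock)
    prod = [f"{n}@{v}" for n, v, is_dev in entries if not is_dev]
    dev = [f"{n}@{v}" for n, v, is_dev in entries if is_dev]
    return prod, dev


def _filter_v1(deps, want_dev):
    kept = {}
    for name, meta in deps.items():
        if bool(meta.get("dev")) == want_dev:
            kept[name] = dict(meta)
            if "dependencies" in meta:
                kept[name]["dependencies"] = _filter_v1(meta["dependencies"], want_dev)
    return kept


def split_lockfile(lock):
    """(prod_lock, dev_lock): copies of the lockfile each holding one side of
    the "dev" flag. The root "" entry of a "packages" map is kept in both."""
    prod, dev = dict(lock), dict(lock)
    if "packages" in lock:
        for copy, want in ((prod, False), (dev, True)):
            copy["packages"] = {p: m for p, m in lock["packages"].items()
                                if p == "" or bool(m.get("dev")) == want}
    if "dependencies" in lock:  # v1 tree, also still embedded in v2 files
        prod["dependencies"] = _filter_v1(lock["dependencies"], False)
        dev["dependencies"] = _filter_v1(lock["dependencies"], True)
    return prod, dev


# Constructed samples (as Python dicts, i.e. already json.load-ed): the same
# dependency graph written as lockfileVersion 2 and as lockfileVersion 1.
SAMPLE_V2 = {
    "name": "demo", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/@scope/lib": {"version": "1.2.3"},
        "node_modules/@scope/lib/node_modules/semver": {"version": "7.5.4"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/semver": {"version": "6.3.1", "dev": True},
    },
}
SAMPLE_V1 = {
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "@scope/lib": {"version": "1.2.3",
                       "dependencies": {"semver": {"version": "7.5.4"}}},
        "jest": {"version": "29.7.0", "dev": True},
        "semver": {"version": "6.3.1", "dev": True},
    },
}

if __name__ == "__main__":
    # Usage: python <this file> [package-lock.json]; without a path the sample is used.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_V2
    for label, names in zip(("prod", "dev"), partition(lock)):
        print(f"{label}:", *names, sep="\n  ")
```

Two things the grep pipeline cannot see are handled here: a package nested under another package's node_modules (the second semver above) is a distinct version that still has to be reviewed, and scoped names keep their leading "@". The split copies produced by split_lockfile are what the CI setup in the last comment feeds to the tool one at a time.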