As you can specify a node and npm version in the engines part of the package.json, can this addon be use to warn if an incompatible version is being used?

 "engines": {
   "node": "5.0.0",
   "npm": "3.3.12"
 },

When pulling a bower dependancy from a git url like: git://github.com/amk221/my-thing.git _#master_
the dependancy is determined to be 'not installed' (therefore builds fail).
It works without the #tag

given:

a shrinkwrap

and

symlink node_modules/broccoli-merge-trees @ 1.x
node_modules/foo/node_modules/bar which depends on broccoli-merge-trees @ 0.2.x

the symlink does not correctly put the dep checker into warn only mode for that version mismatch.

I'm not sure if this is new or related to #50, but...

My shrinkwrap file includes fsevents with "optional": true and so naturally npm doesn't install it on linux where it's not supported. But when running ember exam, I get:

Missing npm-shrinkwrap packages: 
Package: fsevents
Required by: pagerduty
  * Specified: 1.1.1
  * Installed: (not installed)
Run `rm -rf node_modules/ && npm install` to install missing dependencies.

The optional attribute was just added to npm shrinkwrap around the end of last year, so I wouldn't be surprised if it's not supported here yet, but it probably should be?

Temporary workaround might be just removing that bit from the npm shrinkwrap file for now.

👋 Hey there! I wanted to open an issue to discuss adding peerDependencies support to ember-cli-dependency-checker.

I've gone around a few times with folks like @ef4 and @Turbo87 about the best way for addons to specify their dependencies. It seems peerDependencies is semantically often what we want, but it's currently not really used or enforced by existing tooling.

If ember-cli-dependency-checker failed builds if a peer dependency were missing, it would encourage addon authors to start using them more, and might make everyone's lives a little easier.

What do you think? Has there been priori discussion around this? I'm just learning about these issues, but often get recommended to consider using peerDependencies even though it's not currently enforced anywhere. If this addon supported it, I think myself and others would be more incentivized to use it.

Erroring out on missing dependencies is useful, erroring out on incorrect dependencies is a PITA. Often a dependency is mismatched because a new version is being trialed, and often it's a more recent version than the one in package.json. Warning would be much more useful.

Thanks for this addon. I've been needing something like this for a while now. Any chance an option be added to error out of the command if missing dependencies are detected?

The application shouldn't work anyway so I think this would be reasonable.

https://bower.io/blog/2017/how-to-migrate-away-from-bower/

ember-cli-dependency-checker attempts to validate these packages as npm packages. If they're bower-only packages it will fail due to the missing or incomplete package.json.

A try catch here would allow us to include which package failed.

The existing error message is as follows:

Invalid Version: *
TypeError: Invalid Version: *
    at new SemVer (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:295:11)
    at Range.test (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:1049:15)
    at Function.satisfies (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:1098:16)
    at Function.VersionChecker.satisfies (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/version-checker.js:31:17)
    at Package.updateRequired (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/package.js:21:26)
    at Package.init (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/package.js:15:27)
    at new Package (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/package.js:4:13)
    at EmberCLIDependencyChecker.<anonymous> (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:122:12)
    at Array.map (native)
    at EmberCLIDependencyChecker.readDependencies (/Users/offirgolan/Documents/Projects/Ember-Components/ember-cp-validations/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:118:36)

Proposed error message:

Package: <Package Name> - <Reason>
Path: <Path>
# ... rest of stack trace

I haven't dug in yet, but we should definitely start researching exactly how to leverage yarn.lock for dependency validation.

Could this be done, possibly, by altering line 90 of dependency-checker.js as follows?

  var dependencies = this.project.dependencies(undefined,process.env.NODE_ENV==='production');

Not a all required, if you are interested ember-cli org now exists now and as this repo provides core functionality you are welcome to transition it to that org.

I will be sure you continue to maintain existing commits + ownership.

If at this point in time you would prefer not to, this is fine. But if in the future you no-longer want to maintain this project, I will then gladly welcome it on the org.

Ultimately, this is a bug in ember-cli, but I would prefer to not check for errors twice when running ember build.

As discussed in this issue, it seems that the deployment steps described in the README are confusing and won't work well. I'd suggest just advising to always delete the node_versions directory.

Does make sense to ember-cli-dependency-checker warns when node_modules or bower_components are not present?
For instance running some ember-cli command in a project without node_modules will throw Error: Cannot find module 'ember-cli/lib/broccoli/ember-app'. I think we could show a better message like: No dependencies installed. Run npm installandbower install to install missing dependencies.

This is related to ember-cli/ember-cli#3961, but I think this kind of check belongs here.

Thoughts?

//cc @stefanpenner @quaertym

This addon has been extremely helpful to all ember-cli users for quite some time. Since this is somewhat fundamental to newly generated ember-cli applications, I'd like to reduce bus factor and get a few of the ember-cli core team members added to npm for releasing updates and fixes.

The following would be a great start:

npm owner add stefanpenner ember-cli-dependency-checker
npm owner add rwjblue ember-cli-dependency-checker
npm owner add turbo87 ember-cli-dependency-checker

/cc @quaertym

Version 1.2.0 is causing the following error

DEPRECATION: Overriding init without calling this._super is deprecated. Please call this._super.init && this._super.init.apply(this, arguments); addon: ember-cli-dependency-checker

Commit 6c05a33 fixes this. Can we get a new release out?

tildeio/rsvp.js#390

Sometimes a dependency is removed from bower.json or package.json and it stays installed on the developer machine. This addon can warn developer when that happens. In this case, developer can run prune command or manifest that dependency.

The addon currently displays "Missing npm packages" and "Run npm install to install missing dependencies" (same with Bower). However, the error might be a bit misleading because sometimes, the packages are installed; they're just not the right version.

Also, I realize this is a bit subjective, but it'd be nice to minimize the colors used in the error message (replace green with white?):

I just installed Block UI via bower. There version it specifies in its bower.json is 2.70 without a patch version. This causes the cli to tell me:

Invalid Version: 2.70
TypeError: Invalid Version: 2.70
    at new SemVer (/Users/will.henry/Desktop/unikitty/core/smallbiz/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:295:11)

If I manually change it to 2.70.0 all is well. But I don't want to do that. How do I ignore this check for blockUI? The "whitelist" issue only checked if a dependency didn't have a bower.json?

If a dependency has a version of "*" then the dependency checker throws an exception, and doesn't indicate where the dependency is coming from.

Invalid Version: *
TypeError: Invalid Version: *
    at new SemVer (terminal/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:273:11)
    at Range.test (terminal/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:998:15)
    at Function.satisfies (terminal/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:1047:16)
    at Package.updateRequired (terminal/node_modules/ember-cli-dependency-checker/lib/package.js:35:18)
    at new Package (terminal/node_modules/ember-cli-dependency-checker/lib/package.js:7:27)
    at EmberCLIDependencyChecker.<anonymous> (terminal/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:85:12)
    at Array.map (native)
    at EmberCLIDependencyChecker.readBowerDependencies (terminal/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:82:36)
    at EmberCLIDependencyChecker.checkDependencies (terminal/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:28:24)
    at new EmberCLIDependencyChecker (terminal/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:19:8)

I just upgraded to Ember 1.10 beta by adding "ember": "~1.10.0" to bower.json. I ran bower install, and everything installed. But the dependency checker fails when I try to start ember-cli:

$ ember s
version: 0.1.4

Missing bower packages: 
Package: ember
  * Specified: ~1.10.0
  * Installed: 1.10.0-beta.3

Please recognize packages that are correctly installed and meet the requested dependencies.

(tested on ember-cli-dependency-checker version 0.0.6 and 0.0.7)

my incredibly version pedantic feedback.

• expose https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L139-L152 so it can be imported and tested against a69312c
• ductype DependencyError isDependencyError 5b694d1 (please verify this is what you meant)
• i feel this should be an ember-cli thing, and we should always include the stack https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L143
• use Object.create(Error.prototype) https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L151 5ab831c
• https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L19-L21 should be defined in the outer context and as function isUnsatisfied(pkg) { ... } 6f6cfeb
• it might be strange that the EmberCLIDependencyChecker constructor has sideaffects beyond setting up the object https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L14 (but i can easily be convinced this is what we want)
• will https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L30-L31 be a problem if people bower link or npm link to different versions?
• it seems strange that an instance method, doesn't merely reach into is own object to retrieve the project instead project is also passed in as an argument. This goes to all instance methods, that also consume project. It is then unclear to me, if the project passed in can differ from the one passed to the constructor. And if that is the case, why bother with a stateful object at all? a436140
• https://github.com/quaertym/ember-cli-dependency-checker/blob/v0.0.5/index.js#L73-L75 should be defined in the outer context 13e116e

people may be having issues with optional deps not being installed, but validated...

ember-cli/ember-cli#4965

It would be nice to not have the error message for missing dependencies say to use npm install when you're using yarn in that project. Developers who are not familiar with what's going on will just trust the error message instead of realizing that they should actually have run yarn install.

Not trivial I realize, but tests seem fairly important to make sure we deal with the edge cases.

My package.json contains this line: "ember-cli-sass": "^3.0.3",. Trying to run ember build results in this message:

Missing npm packages: 
Package: ember-cli-sass
  * Specified: ^3.0.3
  * Installed: 3.1.0-beta

Run `npm install` to install missing dependencies.

According to the node-semver documentation about prereleases, version 3.1.0-beta does in fact satisfy the specifier ^3.0.3. Pretty sure it is right, because npm install installed version 3.1.0-beta. Please either follow the specifier rules used by the package managers or change the error message to explain why you don't follow them and how to fix the problem. The error message says to run npm install, and that is just flat out wrong.

Might need to be a 0.1.0 to signify that there are relatively large changes (I'm thinking of the shrinkwrap work), but either way I'd love to have a new version to start testing/playing with.

After having linked a local module for development, and forgetting I had done so, I was left with this unhelpful message:

~/Code/project (develop *)$ ember dependency-lint
Invalid Version: *
TypeError: Invalid Version: *
    at new SemVer (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:295:11)
    at Range.test (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:1049:15)
    at Function.satisfies (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/node_modules/semver/semver.js:1098:16)
    at Function.VersionChecker.satisfies (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/version-checker.js:31:17)
    at Package.updateRequired (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/package.js:21:26)
    at Package.init (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/package.js:15:27)
    at new Package (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/package.js:4:13)
    at EmberCLIDependencyChecker.<anonymous> (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:133:12)
    at Array.map (native)
    at EmberCLIDependencyChecker.readDependencies (/Users/pcm/Code/web-directory/node_modules/ember-cli-dependency-checker/lib/dependency-checker.js:129:36)

By following that stacktrace though to here I just threw in this:

    try {
        return new Package(name, versionSpecified, versionInstalled, path);
    } catch (e) {
        console.error('Error mapping package', name, versionSpecified, versionInstalled, path);
        throw(e);
    }

Which gave me a much more helpful

Error mapping package SimpleWebRTC ~2.2.0 * bower_components/SimpleWebRTC

If you'd be amenable to this change, or even just a helpful console log if versionSpecified or versionInstalled is '*' I'll open a PR.

Part of ember-cli PnP meta issue (ember-cli/ember-cli#8164).

We need to update this code (and any other that uses resolve.sync):

We can do either of the following:

• Wait for browserify/resolve#170 to land, bump the version here, and pass useProcessResolution to the resolve.sync call.
• Update to use this.project.resolveSync (and assume that ember-cli will address as part of ember-cli/ember-cli#8164).

I would suggest swapping to this.project.resolveSync since it works for older ember-cli versions and allows us to move forward immediately...

I've run into a problem that I suspect is related to ember-cli-dependency-checker:
adopted-ember-addons/ember-electron#355 (comment)

Basically we are installing a package via the npm install <tarball file> syntax (to work around a caching problem and a symlink problem), but the dependency checker seems to get confused about this and think the wrong package is installed:

Missing npm packages: 
Package: ember-electron
  * Specified: file:../../tmp-2580rXGPRrApjWO8/ember-electron-cachebust.tgz
  * Installed: file:C:/Users/appveyor/AppData/Local/Temp/1/tmp-2580rXGPRrApjWO8/ember-electron-cachebust.tgz
Run `npm install` to install missing dependencies.

I have a dependency which I would like to track master branch on github:

"devDependencies": { ...
  "ember-cli-smenu": "shaunc/ember-smenu"
}

When I try to install another addon, I can't because dependency check fails.

Perhaps in this and similar cases, you could ignore (or warn) on check?

Alternatively (or in addition), in .ember-cli or in own config package, there could be a list of dependencies to skip.

I have dev dependencies such as http-proxy, express in package.json. I can use "npm install --production" to install all production dependencies, but I can't deploy using ember deploy b/c the dependency checker will flag those missing dependencies.

overall the dependency checking is extremely valuable, except when developing a module via npm link.

Using SKIP_DEPENDENCY_CHECKER=true in this scenario is actually an anti-pattern, as it is insufficiently granular.

Let me propose instead, npm link'ed modules that do not satisfy the version contraints by default merely warn.

note: https://github.com/quaertym/ember-cli-dependency-checker/blob/master/lib/dependency-checker.js#L31

cc @rwjblue

I love the way this package works inside of ember cli. I would really like to have similar functionality in another non-ember application (a simple node.js server project). I've only quickly scanned the code here, but it seems like it wouldn't be too hard to split this into two separate npm packages. One being a generic package that does the version checking in an ember agnostic way and the second still being called ember-cli-dependency-checker which would consume the first. I envision the first package returning some sort of json structure that describes what packages are missing and/or need updating.

Do you think this could be done without too much pain and suffering? If you had the time and interest to create such a package, I may be willing to trade you for my left kidney. If not, I would be willing to attempt using your code to create such a package (assuming you think it's do-able and I have your blessing). However, I do have a looming deadline at the moment so it would be a few weeks before I could look into it.

When I run any ember command I get a long list of missing packages:

Missing npm-shrinkwrap packages: 
Package: extend
Required by: mtv-cast-receiver / fsevents
  * Specified: https://registry.npmjs.org/extend/-/extend-3.0.0.tgz
  * Installed: 3.0.0
…

Apparently, a bunch of the packages use the package download url as the version in npm-shrinkwrap.json, eg.:

        "extend": {
          "version": "https://registry.npmjs.org/extend/-/extend-3.0.0.tgz",
          "integrity": "sha1-WkdDU7nzNT3dgXbf03uRyDpG8dQ=",
          "dev": true,
          "optional": true
        },

As far as I can tell, it is allowed within the design of package locks, and needs to be handled here.

I suspect the solution would be to also do a check against the "_resolved" field in the installed package.json?

@rwjblue

• is this a good idea (i strongly think yes)
• what still needs to be done?

If possible, this addon should ignore the ember install command (as well as install:npm and install:bower) since that command is used to update dependencies.

This addon should not be checking dependencies for commands that aren't test serve or build. By doing so it breaks many commands that still valid, and likely even what the user needs at that moment in time, such as ember install or ember update.

One of the things I'm doing with ember-cli-toolbelts is enabling easier dependency maintenance, but this addon conflicts with that.

I'm basically proposing adding a ember fix-dependencies command that does essentially the following:

• For npm deps installed at the wrong versions: rimraf('node_modules/<package-name>');
• For bower deps installed at the wrong versions: rimraf('bower_components/<package-name>');
• npm install
• bower install

This is essentially what we all have to do manually right now after seeing we have the wrong deps, it would be nice if the error that prints out today by the dep checker could include a reference to the command that would "fix" things...

Hey, could you please release so the following goes out #31 ? we would like to include this in the next release of ember-cli which will be out today (hopefully)

My .bowerrc:

{
  "directory": "/bower_components"
}

I think broccoli will find these fine, because it looks in .bowerrc for the bower directory. However, this package reports "Missing bower packages"

Hi, it doesn't work correctly with Yarn workspaces... Here is the issues: yarnpkg/yarn#4503 (same as yarnpkg/yarn#4081). All other apps works fine, they search for node_modules in root dir instead of current dir if they don't find it, but Ember just search it in current dir...

included is only called when building.

Checking for package deps on addon init will ensure that for non build related commands you still get checking.

It's possible (and not uncommon) to install packages using bower that don't have a bower.json. For example, Sinon.js doesn't provide a Bower package, so you install it using an HTTP URL:

"sinon": "http://sinonjs.org/releases/sinon-1.10.0.js",

This is reported as "(not installed)" by this module and prevents ember-cli from starting. The only workaround that I can see is to remove this module.

It would be good to be able to specify a "whitelist" of packages that should be ignored.