depdebt

v0.1.2

A high-performance [libyear](https://libyear.com/) dependency debt analyzer for large scale usage across an entire organization.

Quick start

To compute the libyears for the package in your current directory, run:

npx depdebt

You can specify the package.json files to look at on the command-line:

npx depdebt something/package.json

If you have many files to analyze, pipe in a newline-delimited list of file paths and pass - as the filename:

find . -name package.json -not -path '*/node_modules/*' | npx depdebt -

Usage

depdebt inspects package.json files to determine which dependencies to analyze. For each dependency, it compares the actual version to the latest version available. The number of years between the release dates of the actual and latest versions is that dependency's libyears. (See Actual version determination for more details.)

Command-Line arguments

Usage: depdebt [options] [package.json ...]

Options:
  -t, --tag-precedence <tag>  Tag precedence (default: "latest", allows multiple with left-to-right priority)
  -m, --missing <strategy>    Missing package strategy (default: "throw", supports "ignore")
  -h, --help                  Show this help

If file names are not supplied on the command line, defaults to "package.json". The special file name "-" instructs depdebt to listen for newline-delimited file names from stdin.

Examples:
  depdebt
  depdebt package.json
  depdebt -t lts -t latest package.json
  find . -name package.json -not -path '*/node_modules/*' | depdebt -

Tag precedence

depdebt considers the release tagged with latest as the desired version. You can specify an ordered list of tags to consider as latest.

If, for instance, you don't like living life on the wild side, you might want to set the precedence to "lts" and then "latest":

depdebt -t lts -t latest

Missing package strategy

You can tell depdebt to ignore "not found" errors when retrieving package metadata.

It is useful to ignore "not found" errors for mono-repos. In these cases, the packages are locally-linked, so the dependency cannot be out of date.

To be clear, depdebt supports private registries out of the box, so this is not a workaround.

You can ignore missing packages by specifying ignore as the missing package strategy: depdebt -m ignore.

The final result data includes ignored packages. You can identify ignored packages by looking for a missing: true field:

depdebt -m ignore | jq '.packages[].dependencies[] | select(.missing == true)'
{
  "name": "@some-org/some-package",
  "spec": "^1.0.0",
  "libyears": 0,
  "missing": true
}

Actual version determination

The presence of a lock file influences the "actual" version of a dependency.

If a package-lock.json file is present, depdebt uses the version found in the lock file. Otherwise, depdebt uses the latest version wanted by the version spec in package.json.

For applications deployed based on the package-lock.json committed into source control, the package-lock.json should certainly be used. For libraries that are later installed based on the package.json file, it's best to use the package.json version rather than the package-lock.json version.
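
The calculation described under Usage, Tag precedence and Actual version determination, worked through as an added example (not depdebt's own code). The packument excerpt is constructed sample data, the function names are hypothetical, and the range resolver is a simplified stand-in that handles only "^x.y.z" specs.

```javascript
// Added example; package name, versions and dates are constructed sample data.
const MS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1000;

// Excerpt shaped like an npm registry packument ("dist-tags" and "time" fields).
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "3.1.0", lts: "2.4.0" },
  time: {
    created: "2020-01-01T00:00:00.000Z",
    "1.0.0": "2020-01-01T00:00:00.000Z",
    "1.2.0": "2020-07-01T00:00:00.000Z",
    "2.4.0": "2022-01-01T00:00:00.000Z",
    "3.1.0": "2023-01-01T00:00:00.000Z",
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Desired version: the first tag in the precedence list that the package has.
function desiredVersion(doc, tags = ["latest"]) {
  const tag = tags.find((t) => doc["dist-tags"][t]);
  if (!tag) throw new Error(`${doc.name}: none of the tags ${tags} exist`);
  return doc["dist-tags"][tag];
}

// Simplified resolver (assumption: only "^x.y.z" specs, x >= 1, no prereleases).
function maxSatisfyingCaret(doc, spec) {
  const base = parse(spec.replace(/^\^/, ""));
  const hits = Object.keys(doc.time)
    .map(parse)
    .filter((v) => v.length === 3 && v[0] === base[0] && cmp(v, base) >= 0)
    .sort(cmp);
  if (hits.length === 0) throw new Error(`${doc.name}: nothing satisfies ${spec}`);
  return hits[hits.length - 1].join(".");
}

// Actual version: the locked version when a lock entry exists, otherwise the
// newest release the package.json spec allows.
function libyears(doc, spec, lockedVersion, tags) {
  const actual = lockedVersion ?? maxSatisfyingCaret(doc, spec);
  const desired = desiredVersion(doc, tags);
  const delta = Date.parse(doc.time[desired]) - Date.parse(doc.time[actual]);
  return Math.max(0, delta / MS_PER_YEAR); // clamping at 0 is this sketch's choice
}

console.log(libyears(packument, "^1.0.0", "1.0.0").toFixed(2));
```

With the same "^1.0.0" spec, the locked 1.0.0 scores more libyears than the unlocked case, which resolves to 1.2.0. Putting "lts" first in the precedence list lowers the score because the target release is older.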