npm package discovery and stats viewer.


© 2024 – Pkg Stats / Ryan Hefner

pin-dependencies-checker

v2.5.0

Published

> Sometimes you need a reminder for mundane tasks.

Downloads

6,490

Readme

Pin Dependencies Checker CLI

Sometimes you need a reminder for mundane tasks.

Why

When installing dependencies without specifying a version, package managers (yarn, npm, pnpm, etc.) will, by default, install the latest published version with a caret ^:

pnpm add lodash
{
  "dependencies": {
    "lodash": "^4.17.21"
  }
}

This is termed a "ranged" version.

The lock file will record that lodash is installed at version 4.17.21 OR HIGHER, and this is where issues arise.

Suppose lodash 4.18.0 is released and it removes or alters an API our codebase depends on. If I need to regenerate my lockfile for any reason, the package manager will again fetch the latest 4.x version of lodash: instead of installing 4.17.21, it will fetch the new 4.18.0.

If we have unit tests, builds, etc., we'll likely hit failures without understanding the cause. Our package.json hasn't changed, right? But it's the lockfile, not package.json, that determines which dependencies get installed.

One way to ensure consistent versions is to avoid installing ranged versions. This can be achieved in various ways depending on the package manager:

pnpm add --save-exact lodash

Or, using pnpm, it can be defined in .npmrc:

save-prefix=''

Alternatively, you can use this tool as a pre-commit reminder to assess all dependencies you've installed and check for ranged versions. 😅

IMPORTANT: Renovate provides an extensive article detailing the issues with ranged versions. I highly recommend reading it.

How it Works

The process is straightforward:

  1. Scan all package.json files in the current working directory.
  2. Identify all dependencies whose version specifier:
    • isn't a valid, exact semver version (e.g. 1.2.3 or 4.5.6-alpha)
    • is a URL or GitHub repository that contains neither a commit-ish nor a semver string
  3. If any are found, the CLI lists them and exits with an error.
  4. Otherwise, it exits successfully.

Getting Started

You can use this CLI directly from the registry via npx or pnpm dlx:

pnpm dlx pin-dependencies-checker

# OR using npm

npx pin-dependencies-checker

Alternatively, add it to your project's dev dependencies:

pnpm add --save-exact --save-dev pin-dependencies-checker
# Or the equivalent command for your package manager

Then run:

pnpm pin-checker
# Or for npm or yarn
npx pin-checker

Git Hooks

You can automate the CLI execution using a git hook (e.g., pre-commit).

Many JS projects use husky for this purpose.

Simply add the command to your pre-commit script:

# Other commands and setup
pnpm pin-checker

# Or using npx
npx pin-checker

Arguments

By default, this CLI scans only dependencies and devDependencies. This behavior can be modified with CLI arguments.

--ignore-workspaces

Default: false

Allows versions starting with workspaces: to be ignored:

pnpm pin-checker --ignore-workspaces

--ignore-catalog

Default: false

Allows versions starting with catalog: to be ignored:

pnpm pin-checker --ignore-catalog

See more about pnpm's catalogs feature

--no-deps

Default: false

Skips the dependencies evaluation:

pnpm pin-checker --no-deps

--no-dev-deps

Default: false

Skips the devDependencies evaluation:

pnpm pin-checker --no-dev-deps

--peer-deps

Default: false

Evaluates peerDependencies:

NOTE: Peer dependencies are primarily for libraries, telling the package manager which version range the library needs in order to function correctly. You likely don't want to verify these.

pnpm pin-checker --peer-deps

--optional-deps

Default: false

Evaluates optionalDependencies:

pnpm pin-checker --optional-deps

Contributing

To run this project, you'll need:

  • Node 20 or higher
  • pnpm

After cloning, install the dependencies:

pnpm install

You can either link the package globally or run the command:

pnpm run dev

This will evaluate the current repository, which can be handy for quick tests.

To run unit tests:

pnpm run test

License

MIT