npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

uproot

v1.0.1

Published

node utility that checks if a given npm module in a shrinkwrapped package.json is already in a registry

Downloads

2

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

ellismarkfellismarkf

Keywords

Readme

uproot

uproot <path/to/your/shrinkwrapped/package.json> <'url-to-your-private-registry'>

A small utility that checks a shrinkwrapped package.json file against a private registry and produces a file listing depedencies that are missing from or out of date with respect to the registry.

The motivation for this tool, and probably its sole use case, is to aid in submitting license reviews for a new package or set of packages that you have introduced into your project. The alternative would be manually checking the entire registry (in my case, artifactory) one package at time, to see if the package is already there, and if it is, checking the package directory for the specific version of the package you want to import.

No thanks.

It's time consuming, boring, and more importantly, a perfect candidate for scripting. And thus, uproot was born.

how to use it

Once you have the project on your machine, run npm i to install the utility's dependencies and then npm link to create a symlink from index.js script to /usr/local/bin/uproot, so you can use it from the command line (provided that /usr/local/bin is on your PATH).

Then: uproot <path/to/your/shrinkwrapped/package.json> <'url-to-your-private-registry'>

ie: uproot ~/projects/cool-project/npm-shrinkwrap.json 'http://some-host:8000/artifactory/registry'

Once uproots finishes processing, it will output a .txt file listing all the dependencies you use in your project that aren't currently in the registry, and noting whether the package needs a version bump or is simply not in the registry. The list is comprised of entries that are formatted as follows:

	package name: <name>
  	version: <specific-version-number>
  	from: <semver pattern>
  	requesting: <new npm module || updated version of existing module>
  	resolved: <url-to-package>
	______________________________________________________________________________

Now you can give your architect or whoever handles license reviews a copy of your outputted .txt file, and both of you can be happy that this process was so easy.

To recap:

git clone [email protected]:ellismarkf/uproot.git
cd uproot
npm i
npm link
uproot <path/to/your/shrinkwrapped/package.json> <'url-to-your-private-registry'>

:joy:

a quick note

uproot expects a shrinkwrapped package.json file; if you don't have one, run npm shrinkwrap in the directory where your target package.json files lives.

If you do have one, and you have npm configured to pull from a registry other than the default, I would recommend deleting your node_modules/ directory, running npm cache clean, and then npm install again, this time making sure that you are pulling from npm's default registry and NOT your private registry. You can do this by temporarily removing or disabling the configuration that tells npm where to send requests for packages (usually this is in a .npmrc file). After you've pulled your dependencies from npm's registry, run npm shrinkwrap again, and feed this file to uproot. See the caveats section below for more information.

caveats & assumptions

  • uproot currently only checks top level dependencies, and doesn't indicate whether a given package's transitive dependencies are in the specified registry. I'm working on it, but pull requests are welcome.
  • I don't know if this works on Windows. Pull requests to enable Windows support are welcome. :neckbeard:
  • Make sure your dependencies have been pulled from npm's registry before running npm shrinkwrap; this way the file that uproot produces will point to each package's location on the internet and not its location on your private registry.
  • If you've already pulled your dependencies from your custom registry before running npm shrinkwrap, your dependencies' resolution URL will point to your custom registry. Why is this a problem? Because whoever will be reading your .txt file and importing the new packages into your registry will need to know where on the internet they can find the package, and pointing them to the custom registry wouldn't be very helpful, since the point of using uproot in the first place is to find which dependencies aren't already in the registry.
  • The second argument you should give to uproot is the url to your private registry. Internally, uproot uses that url as a base when searching for matches, and dynamically builds urls using dependency names that look like this: registryBaseUrl + '/' + dependencyName + '/-/'. So if your registry doesn't correspond to that format (ie http://some-host:8000/artifactory/registry/targetPackage/-/), then this utility won't work for you out of the box. You can, however, modify the source on your local machine to match your registry's url format.