
@code-pushup/js-packages-plugin
Code PushUp plugin for JavaScript packages 🛡️
This plugin checks for known vulnerabilities and outdated dependencies. It supports the following package managers: npm, Yarn classic (v1), Yarn modern (v2+) and pnpm. For Yarn modern, the outdated check relies on the yarn-plugin-outdated plugin.
Note: As of now, Yarn v2 does not support security audit of optional dependencies. Only production and dev dependency audits will be included in the report.
If you haven't already, install @code-pushup/cli and create a configuration file.
Install as a dev dependency with your package manager:
npm install --save-dev @code-pushup/js-packages-plugin
yarn add --dev @code-pushup/js-packages-plugin
pnpm add --save-dev @code-pushup/js-packages-plugin
Insert plugin configuration with your package manager. By default, both audit and outdated checks will be run. The result should look as follows:
import jsPackagesPlugin from '@code-pushup/js-packages-plugin';

export default {
  // ...
  plugins: [
    // ...
    // The package manager is automatically derived from your file system.
    // Use { packageManager: 'npm' } to configure it explicitly.
    await jsPackagesPlugin(),
  ],
};
You may run this plugin with a custom configuration for any supported package manager or command. A custom configuration looks similar to the following:
import jsPackagesPlugin from '@code-pushup/js-packages-plugin';

export default {
  // ...
  plugins: [
    // ...
    await jsPackagesPlugin({ packageManager: 'yarn-classic', checks: ['audit'], dependencyGroups: ['prod'] }),
  ],
};
(Optional) Reference individual audits or the provided plugin groups which you wish to include in custom categories (use npx code-pushup print-config to list audits and groups).
💡 Assign weights based on the influence each command should have on the overall category score (assign weight 0 to include a check only as extra info, without influencing the category score).
export default {
  // ...
  categories: [
    {
      slug: 'security',
      title: 'Security',
      refs: [
        {
          type: 'group',
          slug: 'npm-audit', // replace prefix with your package manager
          plugin: 'js-packages',
          weight: 1,
        },
      ],
    },
    {
      slug: 'up-to-date',
      title: 'Up-to-date tools',
      refs: [
        {
          type: 'group',
          slug: 'npm-outdated', // replace prefix with your package manager
          plugin: 'js-packages',
          weight: 1,
        },
        // ...
      ],
    },
    // ...
  ],
};
Run the CLI with npx code-pushup collect and view or upload the report (refer to the CLI docs).
The plugin accepts the following parameters:

- packageManager: The package manager you are using. Supported values: npm, yarn-classic (v1), yarn-modern (v2+), pnpm.
- checks: Array of checks to be run. Supported commands: audit, outdated. Both are configured by default.
- dependencyGroups: Array of dependency groups to be checked. prod and dev are configured by default. optional is opt-in.
- packageJsonPath: File path to package.json. The root package.json at CWD is used by default.
- auditLevelMapping: If you wish to set a custom level of issue severity based on audit vulnerability level, you may do so here. Any omitted values will be filled in by defaults. Audit levels are: critical, high, moderate, low and info. Issue severities are: error, warn and info. By default the mapping is as follows: critical and high → error; moderate and low → warning; info → info.
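To make the auditLevelMapping parameter concrete, here is an added example (not the plugin's own code) that applies the documented default mapping, with a user-supplied partial override merged over it, to a constructed `npm audit --json` (npm 7+ shape) result and counts the resulting issues per severity. The package names, advisory titles and the helper names applyAuditLevelMapping and summarizeAudit are assumptions made for illustration; the severity strings follow the default mapping description above.

```javascript
// Added example, not part of @code-pushup/js-packages-plugin: apply the
// README's default auditLevelMapping (plus optional overrides) to an
// npm audit report. Helper names are hypothetical.

// Default mapping as documented; any key omitted from a custom mapping
// falls back to these values.
const DEFAULT_AUDIT_LEVEL_MAPPING = {
  critical: 'error',
  high: 'error',
  moderate: 'warning',
  low: 'warning',
  info: 'info',
};

// Constructed sample in the shape of `npm audit --json` (npm 7+): the
// `vulnerabilities` object is keyed by package name. Names and advisory
// titles are made up for illustration.
const SAMPLE_NPM_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser',
      severity: 'high',
      isDirect: true,
      via: [{ title: 'Constructed: prototype pollution', severity: 'high' }],
      range: '<2.1.0',
      fixAvailable: true,
    },
    'example-logger': {
      name: 'example-logger',
      severity: 'moderate',
      isDirect: false,
      via: ['example-parser'],
      range: '*',
      fixAvailable: true,
    },
    'example-util': {
      name: 'example-util',
      severity: 'info',
      isDirect: true,
      via: [{ title: 'Constructed: verbose error output', severity: 'info' }],
      range: '<0.4.0',
      fixAvailable: false,
    },
  },
};

// Merge a partial custom mapping over the defaults ("any omitted values
// will be filled in by defaults").
function applyAuditLevelMapping(customMapping = {}) {
  return { ...DEFAULT_AUDIT_LEVEL_MAPPING, ...customMapping };
}

// Convert each reported vulnerability into an issue with a mapped severity
// and count issues per severity. Unknown audit levels are rejected rather
// than silently dropped, so a new npm level cannot vanish from the report.
function summarizeAudit(auditJson, customMapping = {}) {
  const mapping = applyAuditLevelMapping(customMapping);
  const issues = Object.values(auditJson.vulnerabilities).map(vuln => {
    const severity = mapping[vuln.severity];
    if (!severity) throw new Error(`Unknown audit level: ${vuln.severity}`);
    return {
      severity,
      message:
        `${vuln.name}@${vuln.range} has a ${vuln.severity} vulnerability` +
        (vuln.fixAvailable ? ' (fix available)' : ' (no fix available)'),
    };
  });
  const counts = { error: 0, warning: 0, info: 0 };
  for (const issue of issues) counts[issue.severity] += 1;
  return { issues, counts };
}

// Default mapping, then a stricter one that escalates moderate findings.
console.log(summarizeAudit(SAMPLE_NPM_AUDIT).counts);
console.log(summarizeAudit(SAMPLE_NPM_AUDIT, { moderate: 'error' }).counts);
```

Escalating moderate to error, as the second call does, is the kind of override you would use on a production dependency group where a moderate advisory should still fail the category.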
This plugin provides a group per check for a convenient declaration in your config. Each group contains audits for all selected groups of dependencies that are supported (prod, dev or optional).
  // ...
  categories: [
    {
      slug: 'dependencies',
      title: 'Package dependencies',
      refs: [
        {
          type: 'group',
          plugin: 'js-packages',
          slug: 'npm-audit', // replace prefix with your package manager
          weight: 1,
        },
        {
          type: 'group',
          plugin: 'js-packages',
          slug: 'npm-outdated', // replace prefix with your package manager
          weight: 1,
        },
        // ...
      ],
    },
    // ...
  ],
Each dependency group has its own audit. If you want to assign different weights to the audits, or record different dependency groups for different checks (the larger set of groups must be included in the plugin configuration), you can do so in the following way:
  // ...
  categories: [
    {
      slug: 'dependencies',
      title: 'Package dependencies',
      refs: [
        {
          type: 'audit',
          plugin: 'js-packages',
          slug: 'npm-audit-prod', // replace prefix with your package manager
          weight: 2,
        },
        {
          type: 'audit',
          plugin: 'js-packages',
          slug: 'npm-audit-dev', // replace prefix with your package manager
          weight: 1,
        },
        {
          type: 'audit',
          plugin: 'js-packages',
          slug: 'npm-outdated-prod', // replace prefix with your package manager
          weight: 2,
        },
        // ...
      ],
    },
    // ...
  ],
The audit output score is a numeric value in the range 0-1.
The security audit score is decreased for each vulnerability found, by an amount that depends on its severity.
The mapping is as follows:
Examples:
To keep this audit from lowering the score drastically, the current logic only lets dependencies that are a major version behind reduce the score, each by an amount proportional to the total number of dependencies in your project.
Examples:
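The outdated scoring rule above, worked through as an added example that is not the plugin's own implementation: only dependencies whose latest major version is ahead of the installed one count, and each such dependency lowers the score by 1 divided by the total number of dependencies in the group. The `npm outdated --json` sample, the per-group dependency totals (which in practice would come from package.json, since the outdated output lists only packages with a newer version), the mapping of prod/dev to npm's dependencies/devDependencies types and the helper names majorVersion, isMajorOutdated and outdatedScore are all assumptions made for illustration.

```javascript
// Added example, not part of @code-pushup/js-packages-plugin: compute a
// 0-1 outdated score per dependency group following the rule the README
// states. Helper names are hypothetical.

// Constructed sample in the shape of `npm outdated --json` (npm 7+),
// keyed by package name. Names, versions and locations are made up.
const SAMPLE_NPM_OUTDATED = {
  'example-framework': { current: '3.4.1', wanted: '3.4.1', latest: '4.2.0', type: 'dependencies' },
  'example-http': { current: '1.0.2', wanted: '1.0.5', latest: '1.0.5', type: 'dependencies' },
  'example-test-runner': { current: '29.0.0', wanted: '29.7.0', latest: '30.1.0', type: 'devDependencies' },
  'example-types': { current: '0.9.0', wanted: '0.9.0', latest: '0.10.0', type: 'devDependencies' },
};

// Constructed per-group totals; a real implementation would count the
// entries of package.json, because npm outdated omits up-to-date packages.
const SAMPLE_TOTAL_DEPENDENCIES = { dependencies: 10, devDependencies: 5 };

// Extract the major component of a semver string such as "3.4.1" or "v3.4.1".
function majorVersion(version) {
  const match = /^v?(\d+)\./.exec(version);
  if (!match) throw new Error(`Unparsable version: ${version}`);
  return Number(match[1]);
}

// A dependency is major-outdated when the latest release has a higher major
// version than the installed one; minor and patch lag does not count.
function isMajorOutdated(entry) {
  return majorVersion(entry.latest) > majorVersion(entry.current);
}

// Score for one group: 1 - (major-outdated count / total dependencies),
// clamped at 0. A group with no dependencies scores 1.
function outdatedScore(outdatedJson, totalDependencies, group) {
  const entries = Object.entries(outdatedJson).filter(([, e]) => e.type === group);
  const majorOutdated = entries.filter(([, e]) => isMajorOutdated(e)).map(([name]) => name);
  const total = totalDependencies[group] || 0;
  const score = total === 0 ? 1 : Math.max(0, 1 - majorOutdated.length / total);
  return { score, majorOutdated, outdatedCount: entries.length };
}

// Stand-alone run over both groups of the constructed sample.
for (const group of ['dependencies', 'devDependencies']) {
  console.log(group, outdatedScore(SAMPLE_NPM_OUTDATED, SAMPLE_TOTAL_DEPENDENCIES, group));
}
```

With the sample above, the prod group has two outdated packages but only one major lag out of ten dependencies, so it scores 0.9, while the dev group's single major lag out of five scores 0.8; the minor and patch lags are reported in outdatedCount but do not move the score.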
The npm package @code-pushup/js-packages-plugin receives a total of 4,218 weekly downloads. As such, @code-pushup/js-packages-plugin popularity was classified as popular.
We found that @code-pushup/js-packages-plugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.