@github/dependency-submission-toolkit
Advanced tools
A TypeScript library for creating dependency snapshots.
@github/dependency-submission-toolkit is a TypeScript library for
creating dependency snapshots and submitting them to the dependency
submission API. Snapshots are a set of dependencies grouped by manifest with
some related metadata. A manifest can be a physical file or a more abstract
representation of a dependency grouping (such the processing of program
outputs). After submission to the API, the included dependencies appear in the
repository's dependency
graph.
npm install @github/dependency-submission-toolkit
Some useful commands to navigate using the library:
npm run build to compile TypeScript sourcenpm run test to run the tests
npm run test:watch to run the tests in watch-mode (tests re-run
when files change)npm run format to format files using prettiernpm run lint to lint files using ESLintnpm run package to compile the code into a single file using nccnpm run all will do the above and additional commands (e.g. lint the code, test)You may use classes from @github/dependency-submission-toolkit to help
in building your own GitHub Action for submitting dependencies to the
Dependency Submission API. At a high level, the steps to use the classes
are:
Create a PackageCache of all of the packages that could be included in your
manifest, as well define as the relationships between them.
Using the packages defined in PackageCache, create a Manifest or
a BuildTarget, which defines the dependencies of build environment or
specific build artifact.
Create a Snapshot to include one or more Manifests or
BuildTargets. The snapshot is the base container for submitting
dependencies to the Dependency Submission API.
Follow the instructions for Creating a JavaScript Action. These include:
action.yml action metadata filenccA full example action using this library is included in th example/
directory. This example uses the output from npm list to create an accurate
and complete graph of the dependencies used in this library. This action is
also included in a workflow in this repository and run for each commit to the
main branch.
This library uses the jest testing framework with tests co-located with
source files. To run the tests, you can use npm test to run tests.
Otherwise you can use jest directly.
FAQs
A TypeScript library for creating dependency snapshots.
The npm package @github/dependency-submission-toolkit receives a total of 234 weekly downloads. As such, @github/dependency-submission-toolkit popularity was classified as not popular.
We found that @github/dependency-submission-toolkit demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 19 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Socket researchers uncover how threat actors weaponize Discord across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.
Security News
Socket now integrates with Bun 1.3’s Security Scanner API to block risky packages at install time and enforce your organization’s policies in local dev and CI.
Research
The Socket Threat Research Team is tracking weekly intrusions into the npm registry that follow a repeatable adversarial playbook used by North Korean state-sponsored actors.