Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@lerna/bootstrap
Advanced tools
Link local packages together and install remaining package dependencies
@lerna/bootstrap is a part of the Lerna monorepo management toolset. It is used to install and link dependencies for a multi-package repository, ensuring that all inter-package dependencies are properly resolved and symlinked.
Install dependencies
This feature installs all the dependencies for the packages in the monorepo. It uses the npm client and hoists common dependencies to the root node_modules directory.
const { bootstrap } = require('@lerna/bootstrap');
bootstrap({
cwd: process.cwd(),
npmClient: 'npm',
hoist: true
}).then(() => {
console.log('Dependencies installed and linked');
});
Link local packages
This feature links local packages together, ensuring that inter-package dependencies are resolved using symlinks. This is useful for development as changes in one package are immediately reflected in dependent packages.
const { bootstrap } = require('@lerna/bootstrap');
bootstrap({
cwd: process.cwd(),
npmClient: 'npm',
hoist: true
}).then(() => {
console.log('Local packages linked');
});
Run lifecycle scripts
This feature runs specified lifecycle scripts (e.g., prepublish, postinstall) for all packages in the monorepo. This ensures that any necessary build steps or other setup tasks are performed.
const { bootstrap } = require('@lerna/bootstrap');
bootstrap({
cwd: process.cwd(),
npmClient: 'npm',
hoist: true,
scripts: ['prepublish', 'postinstall']
}).then(() => {
console.log('Lifecycle scripts executed');
});
Yarn is a package manager that also supports monorepos through its workspaces feature. It installs dependencies and links local packages similarly to @lerna/bootstrap, but it is a more general-purpose tool with a broader scope.
pnpm is a fast, disk space-efficient package manager that also supports monorepos. It uses a content-addressable file system to store all files from all module directories on a disk. It is similar to @lerna/bootstrap in that it can install and link dependencies, but it offers additional performance benefits.
Rush is a monorepo management tool that provides sophisticated support for managing large repositories with many packages. It includes features for installing dependencies, linking local packages, and running lifecycle scripts, similar to @lerna/bootstrap, but it also offers advanced features like incremental builds and change tracking.
@lerna/bootstrap
Link local packages together and install remaining package dependencies
Install lerna for access to the lerna
CLI.
$ lerna bootstrap
Bootstrap the packages in the current Lerna repo. Installs all of their dependencies and links any cross-dependencies.
When run, this command will:
npm install
all external dependencies of each package.packages
that are dependencies of each other.npm run prepublish
in all bootstrapped packages (unless --ignore-prepublish
is passed).npm run prepare
in all bootstrapped packages.lerna bootstrap
respects the --ignore
, --scope
and --include-filtered-dependencies
flags (see Filter Flags).
Pass extra arguments to npm client by placing them after --
:
$ lerna bootstrap -- --production --no-optional
May also be configured in lerna.json
:
{
...
"npmClient": "yarn",
"npmClientArgs": ["--production", "--no-optional"]
}
Install external dependencies matching glob
at the repo root so they're
available to all packages. Any binaries from these dependencies will be
linked into dependent package node_modules/.bin/
directories so they're
available for npm scripts. If the option is present but no glob
is given
the default is **
(hoist everything). This option only affects the
bootstrap
command.
$ lerna bootstrap --hoist
For background on --hoist
, see the hoist documentation.
Note: If packages depend on different versions of an external dependency, the most commonly used version will be hoisted, and a warning will be emitted.
Do not install external dependencies matching glob
at the repo root. This
can be used to opt out of hoisting for certain dependencies.
$ lerna bootstrap --hoist --nohoist=babel-*
$ lerna bootstrap --ignore component-*
The --ignore
flag, when used with the bootstrap
command, can also be set in lerna.json
under the command.bootstrap.ignore
key. The command-line flag will take precedence over this option.
Example
{
"version": "0.0.0",
"command": {
"bootstrap": {
"ignore": "component-*"
}
}
}
Hint: The glob is matched against the package name defined in
package.json
, not the directory name the package lives in.
--ignore-prepublish
Skip prepublish lifecycle scripts run by default in bootstrapped packages. Note, this lifecycle is deprecated, and will likely be removed in the next major version of Lerna.
$ lerna bootstrap --ignore-prepublish
--ignore-scripts
Skip any lifecycle scripts normally run (prepare
, etc) in bootstrapped packages.
$ lerna bootstrap --ignore-scripts
--registry <url>
When run with this flag, forwarded npm commands will use the specified registry for your package(s).
This is useful if you do not want to explicitly set up your registry configuration in all of your package.json files individually when e.g. using private registries.
--npm-client <client>
Must be an executable that knows how to install npm package dependencies.
The default --npm-client
is npm
.
$ lerna bootstrap --npm-client=yarn
May also be configured in lerna.json
:
{
...
"npmClient": "yarn"
}
--use-workspaces
Enables integration with Yarn Workspaces (available since yarn@0.27+).
The values in the array are the commands in which Lerna will delegate operation to Yarn (currently only bootstrapping).
If --use-workspaces
is true then packages
will be overridden by the value from package.json/workspaces.
May also be configured in lerna.json
:
{
...
"npmClient": "yarn",
"useWorkspaces": true
}
The root-level package.json must also include a workspaces
array:
{
"private": true,
"devDependencies": {
"lerna": "^2.2.0"
},
"workspaces": ["packages/*"]
}
This list is broadly similar to lerna's packages
config (a list of globs matching directories with a package.json),
except it does not support recursive globs ("**"
, a.k.a. "globstars").
--no-ci
When using the default --npm-client
, lerna bootstrap
will call npm ci
instead of npm install
in CI environments.
To disable this behavior, pass --no-ci
:
$ lerna bootstrap --no-ci
To force it during a local install (where it is not automatically enabled), pass --ci
:
$ lerna bootstrap --ci
This can be useful for "clean" re-installs, or initial installations after fresh cloning.
--force-local
$ lerna bootstrap --force-local
When passed, this flag causes the bootstrap
command to always symlink local dependencies regardless of matching version range.
Let's use babel
as an example.
babel-generator
and source-map
(among others) are dependencies of babel-core
.babel-core
's package.json
lists both these packages as keys in dependencies
, as shown below.// babel-core package.json
{
"name": "babel-core",
...
"dependencies": {
...
"babel-generator": "^6.9.0",
...
"source-map": "^0.5.0"
}
}
babel-generator
can be an internal dependency, while source-map
is always an external dependency.babel-generator
in the package.json
of babel-core
is satisfied by packages/babel-generator
, passing for an internal dependency.source-map
is npm install
ed (or yarn
ed) like normal.packages/babel-core/node_modules/babel-generator
symlinks to packages/babel-generator
npm install
ed (or yarn
ed) like normal.latest
, do not satisfy semver ranges.Webstorm locks up when circular symlinks are present. To prevent this, add node_modules
to the list of ignored files and folders in Preferences | Editor | File Types | Ignored files and folders
.
3.14.0 (2019-05-14)
npm-lifecycle
dependency to avoid noisy audit warning (ea7c20d)--preserve-commit
option (#2079) (6a7448d)--otp
option (6fcbc36), closes #2076@lerna/run-topologically
(3a8b175)FAQs
Link local packages together and install remaining package dependencies
The npm package @lerna/bootstrap receives a total of 355,809 weekly downloads. As such, @lerna/bootstrap popularity was classified as popular.
We found that @lerna/bootstrap demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.