Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@lerna/project
@lerna/project is a part of the Lerna monorepo management toolset. It provides functionalities to manage and interact with the project structure in a monorepo setup. This includes reading and manipulating package.json files, managing dependencies, and handling versioning.
Reading Project Metadata
This feature allows you to read metadata about the project, such as the list of packages in the monorepo. The code sample demonstrates how to initialize a Project instance and retrieve the packages.
const { Project } = require('@lerna/project');

(async () => {
  // Locate the monorepo root (lerna.json or the "lerna" property of package.json)
  const project = new Project();
  // Resolve the packages that the root configuration matches
  const projectMetadata = await project.getPackages();
  console.log(projectMetadata);
})();
Managing Dependencies
This feature helps in managing dependencies across the monorepo. The code sample shows how to get the dependency graph of the project.
const { Project } = require('@lerna/project');

(async () => {
  const project = new Project();
  // Build the inter-package dependency graph for the monorepo
  const dependencies = await project.getDependencyGraph();
  console.log(dependencies);
})();
Handling Versioning
This feature allows you to handle versioning of the project. The code sample demonstrates how to retrieve the current version of the project.
const { Project } = require('@lerna/project');

(async () => {
  const project = new Project();
  // Read the "version" value from the root configuration
  const version = await project.getVersion();
  console.log(version);
})();
Nx is a smart, fast, and extensible build system with first-class monorepo support and powerful integrations. It offers more advanced features compared to @lerna/project, such as caching, distributed task execution, and more.
Yarn is a package manager that doubles as a monorepo manager with its workspaces feature. It allows you to manage multiple packages within a single repository, similar to @lerna/project, but also focuses on dependency management and performance.
@lerna/project
Lerna project configuration
Lerna's file-based configuration is located in lerna.json or the "lerna" property of package.json.
Wherever this configuration is found is considered the "root" of the lerna-managed multi-package repository.
A minimum-viable configuration only needs a "version" property; the following examples are equivalent:

lerna.json:

{
  "version": "1.2.3"
}

package.json:

{
  "name": "my-monorepo",
  "version": "0.0.0-root",
  "private": true,
  "lerna": {
    "version": "1.2.3"
  }
}
Any other properties on this configuration object will be used as defaults for CLI options of all lerna subcommands. That is to say, CLI options always override values found in configuration files (a standard practice for CLI applications).
To focus configuration on a particular subcommand, use the "command" subtree. Each subproperty of "command" corresponds to a lerna subcommand (publish, create, run, exec, etc).

{
  "version": "1.2.3",
  "command": {
    "publish": {
      "loglevel": "verbose"
    }
  },
  "loglevel": "success"
}
In the example above, lerna publish will act as if --loglevel verbose was passed. All other subcommands will receive the equivalent of --loglevel success (much, much quieter).
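To make the precedence rules above concrete, here is a small added example (not code from @lerna/project or the Lerna docs) that selects the configuration object from lerna.json or package.json and computes the options a subcommand would actually receive; the configFromFiles and effectiveOptions helpers, and the constructed config mirroring the page's example, are assumptions of this example.

```javascript
// Added example: lerna-style option resolution.
// Precedence, highest first: CLI flag > command.<subcommand>.<option> > top-level option.

// Keys of the root config that are not CLI option defaults.
const RESERVED_KEYS = new Set(['version', 'command']);

// Pick the config object the way the page describes: lerna.json wins if present,
// otherwise the "lerna" property of package.json. Inputs are already-parsed objects
// (or null when the file does not exist); returns null when neither source exists.
function configFromFiles(lernaJson, packageJson) {
  if (lernaJson && typeof lernaJson === 'object') return lernaJson;
  if (packageJson && packageJson.lerna && typeof packageJson.lerna === 'object') {
    return packageJson.lerna;
  }
  return null;
}

// Merge top-level defaults, the command subtree, and explicitly passed CLI flags.
// `cliArgs` is an object of parsed flags; `undefined` values count as "not passed".
function effectiveOptions(config, subcommand, cliArgs = {}) {
  const globalDefaults = {};
  for (const [key, value] of Object.entries(config)) {
    if (!RESERVED_KEYS.has(key)) globalDefaults[key] = value;
  }
  const perCommand = (config.command && config.command[subcommand]) || {};
  const passed = Object.fromEntries(
    Object.entries(cliArgs).filter(([, value]) => value !== undefined)
  );
  // Later spreads override earlier ones, which encodes the precedence order.
  return { ...globalDefaults, ...perCommand, ...passed };
}

// Constructed config, identical to the example on the page.
const exampleConfig = {
  version: '1.2.3',
  command: { publish: { loglevel: 'verbose' } },
  loglevel: 'success',
};

console.log(effectiveOptions(exampleConfig, 'publish'));           // loglevel: 'verbose'
console.log(effectiveOptions(exampleConfig, 'run'));               // loglevel: 'success'
console.log(effectiveOptions(exampleConfig, 'publish', { loglevel: 'silly' })); // 'silly'
```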
3.18.0 (2019-10-15)

- --conventional-graduate (f73e6ed)
- --conventional-prerelease (f3581ae)
- --force-local (6948a11)
- --force-publish (343a751)
- --ignore-prepublish (fa21723)
- --ignore-scripts (efcb3bd)
- --pre-dist-tag (1d9552c)
- --use-workspaces (ac8385d)
- --exclude-dependents option (ff50e29), closes #2198
- --include-filtered-* options (f2c3a92)
- pruneCycleNodes() (ccf32e1)

FAQs
Lerna project configuration
The npm package @lerna/project receives a total of 308,956 weekly downloads. As such, @lerna/project popularity was classified as popular.
We found that @lerna/project demonstrated an unhealthy version release cadence and project activity, because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.