@times-components/depend
A tool for analysing, visualizing and syncing version numbers in a monorepo.
This tool parses all `package.json` files described in your `lerna.json` or that match a given glob expression. All packages found are assumed to be part of one monorepo.

Based on the parsed packages, linting rules are computed. Based on those rules, hints are computed; they can be displayed using `--hint` and applied with `--fix`.
Strategies add further rules that ensure packages install the same external dependencies. By default, the only rules computed are those ensuring that every package installs the latest version of each package that is itself found in the monorepo.

`--list` prints all package versions found in the monorepo. Depending on the rules in use, packages are rendered in different colours. If no rule is available for a package, set a strategy or fix the issue by using `--pick`.
Usage:

```
depend --lerna "{path/to/lerna/project}" [...options]
depend --expr "{glob}" [...options]
```

Options:

- `--lerna <path>` (`-l`): evaluate all `package.json` files defined in the `packages` field of `<path>/lerna.json`.
- `--expr <glob>`: the glob expression used to search the filesystem for `package.json` files.
- `--fix`: fix the packages according to the computed versions.
- `--graph` (`-g`): print graphviz-compatible output that can be converted to an image.
- `--list`: print all package versions found in the monorepo.
- a further option prints all computed rules.
Consider the following repo:

`packages/foo/package.json`:

```json
{
  "name": "foo",
  "version": "0.0.1",
  "dependencies": {
    "react-native": "0.54.2",
    "bar": "0.0.1"
  }
}
```

`packages/bar/package.json`:

```json
{
  "name": "bar",
  "version": "0.0.2",
  "dependencies": {
    "react-native": "0.53.1",
    "glob": "6.2.1"
  }
}
```
`depend -l . -g` outputs all dependencies in `.dot` format:

```dot
digraph {
  "foo@0.0.1" -> "react-native@0.54.2";
  "foo@0.0.1" -> "bar@0.0.1";
  "bar@0.0.2" -> "react-native@0.53.1";
  "bar@0.0.2" -> "glob@6.2.1";
}
```
`depend -l . -g "*=>react-native"` outputs only the subset that has react-native as a dependency:

```dot
digraph {
  "foo@0.0.1" -> "react-native@0.54.2";
  "bar@0.0.2" -> "react-native@0.53.1";
}
```
`depend -l . -g "foo=>*"` outputs only the dependencies of foo:

```dot
digraph {
  "foo@0.0.1" -> "react-native@0.54.2";
  "foo@0.0.1" -> "bar@0.0.1";
}
```
Depend itself has no rendering capabilities, but `--graph` output can be piped directly into a graphviz renderer. `fdp` and `circo` are obtained by installing the graphviz package.

```sh
depend -l . -g "@times-components/*=>dextrose@" | fdp -Tsvg -o dextrose.svg
depend -l . -g "*/ad@ => *" | circo -Tgif -o ad.gif
```
`--pick` adds `{package}@{version}` to the set of rules. Use it in conjunction with `--hint` to verify the expected behaviour, and with `--fix` to apply the changes. Review the hints before running `--fix`, since `--fix` rewrites the dependency versions in every `package.json` that was evaluated.

`depend -l . --pick react-native@0.54.2 --hint` shows the hints that would set all `react-native` dependencies to 0.54.2; add `--fix` to apply them.
The filter restricts the nodes that become part of the graph. The graph is described as a set of relationships of the shape `package@version => dependency@version`. A node is included in the graph if the supplied pattern matches the relationship. Currently the only supported placeholder symbol is `*`.

| Pattern | Meaning |
| --- | --- |
| `=>react-native@0.50.*` | everything that installs react-native 0.50.* |
| `=>jest` | everything that installs jest |
| `@times-components/*=>*`, `@times-components` | all the dependencies of all times-components packages |
| `*=>*`, an empty filter, `*` | everything |
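To make the filter semantics concrete, here is an added example in JavaScript (not code from @times-components/depend) that builds the relationship set from the README's two packages, applies a filter of the shape described above, and prints dot text. The function names, the treatment of a filter without `=>` as `lhs=>*`, and the handling of a name given without a version are this example's own assumptions, not documented behaviour of the tool.

```javascript
// Added example, not code from @times-components/depend: builds the
// "package@version => dependency@version" relationship set from constructed
// package.json objects, applies a filter in the README's shape (only "*" is a
// placeholder) and emits graphviz dot text. Function names are this example's own.

// Constructed sample: the foo/bar packages from the README, not read from disk.
const PACKAGES = [
  { name: "foo", version: "0.0.1",
    dependencies: { "react-native": "0.54.2", bar: "0.0.1" } },
  { name: "bar", version: "0.0.2",
    dependencies: { "react-native": "0.53.1", glob: "6.2.1" } },
];

// One edge per (dev)dependency declaration: from "name@version" to "dep@version".
function buildEdges(packages) {
  const edges = [];
  for (const pkg of packages) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
    for (const [dep, version] of Object.entries(deps)) {
      edges.push({ from: `${pkg.name}@${pkg.version}`, to: `${dep}@${version}` });
    }
  }
  return edges;
}

// Turn one side of a filter ("react-native@0.50.*", "jest", "@times-components/*")
// into an anchored RegExp. "*" expands to ".*"; everything else is matched
// literally, so the "." in a version is not a wildcard. A side with no version
// part, or with an empty one ("dextrose@"), matches any version. The leading
// "@" of a scoped name is not treated as the version separator.
function sideToRegExp(side) {
  const s = side.trim() || "*";
  const at = s.lastIndexOf("@");
  const name = at > 0 ? s.slice(0, at) : s;
  const version = (at > 0 && s.slice(at + 1)) || "*";
  const glob = (p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${glob(name)}@${glob(version)}$`);
}

// "lhs=>rhs" restricts both ends; "=>rhs" or "lhs=>" leaves the other end open.
// Assumption of this example: a filter without "=>" is taken as "lhs=>*".
function parseFilter(filter = "") {
  const idx = filter.indexOf("=>");
  const lhs = idx >= 0 ? filter.slice(0, idx) : filter;
  const rhs = idx >= 0 ? filter.slice(idx + 2) : "*";
  return { from: sideToRegExp(lhs), to: sideToRegExp(rhs) };
}

// Keep only the relationships whose both ends match the pattern.
function filterEdges(edges, filter = "") {
  const { from, to } = parseFilter(filter);
  return edges.filter((e) => from.test(e.from) && to.test(e.to));
}

// Same shape as `depend -g`: one quoted "from" -> "to" statement per edge.
function toDot(edges) {
  return ["digraph {", ...edges.map((e) => `  "${e.from}" -> "${e.to}";`), "}"].join("\n");
}

console.log(toDot(filterEdges(buildEdges(PACKAGES), "*=>react-native")));
```

The README's bare `@times-components` shorthand for a whole scope is not reproduced here; a scoped pattern has to be written out as `@times-components/*=>*`.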
There is also a check mode that exits with code 1 if packages don't install the expected versions, which makes the tool usable as a CI gate.
Strategies compute additional rules for resolving version conflicts of external (dev)dependencies within the monorepo. Dependencies that are themselves packages of the monorepo are always (suggested to be) set to the latest version found in the monorepo, irrespective of the chosen strategy.

- pick the oldest used version
- pick the newest used version
- use the version that is used by the majority of packages in your repo
- as majority, but on a tie pick the older version
- as majority, but on a tie pick the newer version

The strategies `progressive` and `conservative` don't support version ranges.
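As an added example (not the project's own code), the following JavaScript computes rules from constructed packages the way the text describes: internal packages are pinned to the version present in the monorepo, external ones follow a strategy, and `--pick` overrides the result. It then derives the hints `--hint` would list and applies them in memory as `--fix` would. The strategy labels `majority-conservative` and `majority-progressive`, the function names, the extra package `baz`, the rejection of version ranges for every strategy and the choice that a plain majority tie yields no rule are assumptions of this example, not the tool's documented behaviour.

```javascript
// Added example, not code from @times-components/depend: computes the rules
// the README describes (internal packages pinned to the version present in the
// monorepo; external packages resolved by a strategy), derives the hints that
// `--hint` would show and applies them the way `--fix` would, in memory.
// Which README strategy is called "progressive" or "conservative" is not
// spelled out on the page; the names used below are this example's own.

// Constructed sample: the README's foo and bar plus an extra package, baz,
// added so that both a majority and a tie occur.
const PACKAGES = [
  { name: "foo", version: "0.0.1",
    dependencies: { "react-native": "0.54.2", bar: "0.0.1" } },
  { name: "bar", version: "0.0.2",
    dependencies: { "react-native": "0.53.1", glob: "6.2.1" } },
  { name: "baz", version: "0.1.0",
    dependencies: { "react-native": "0.53.1", glob: "7.0.0" },
    devDependencies: { foo: "0.0.1" } },
];

// Only pinned "x.y.z" versions are compared; a range such as "^1.2.0" is an
// error, the edge case the README notes for progressive/conservative.
function parseExact(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`version range not supported: ${v}`);
  return m.slice(1).map(Number);
}
function compareVersions(a, b) {
  const pa = parseExact(a), pb = parseExact(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Majority vote over the declared versions; a tie yields no rule unless a
// tie-break strategy is given (assumption of this example).
function pickMajority(versions, tieBreak) {
  const counts = new Map();
  for (const v of versions) counts.set(v, (counts.get(v) || 0) + 1);
  const max = Math.max(...counts.values());
  const leaders = [...counts].filter(([, c]) => c === max).map(([v]) => v);
  if (leaders.length === 1) return leaders[0];
  return tieBreak ? STRATEGIES[tieBreak](leaders) : null;
}

const STRATEGIES = {
  conservative: (vs) => [...vs].sort(compareVersions)[0],            // oldest used version
  progressive: (vs) => [...vs].sort(compareVersions)[vs.length - 1], // newest used version
  majority: (vs) => pickMajority(vs, null),
  "majority-conservative": (vs) => pickMajority(vs, "conservative"),
  "majority-progressive": (vs) => pickMajority(vs, "progressive"),
};

// rules: dependency name -> version every package should declare.
// `picks` models `--pick name@version` and overrides whatever was computed.
function computeRules(packages, strategy = null, picks = {}) {
  if (strategy !== null && !STRATEGIES[strategy]) throw new Error(`unknown strategy: ${strategy}`);
  const internal = new Map(packages.map((p) => [p.name, p.version]));
  const declared = new Map(); // dependency -> every version declared for it
  for (const pkg of packages) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
    for (const [dep, v] of Object.entries(deps)) {
      if (!declared.has(dep)) declared.set(dep, []);
      declared.get(dep).push(v);
    }
  }
  const rules = {};
  for (const [dep, versions] of declared) {
    if (internal.has(dep)) rules[dep] = internal.get(dep); // always the monorepo's own version
    else if (strategy !== null) {
      const picked = STRATEGIES[strategy](versions);
      if (picked !== null) rules[dep] = picked;
    }
  }
  return { ...rules, ...picks };
}

// One hint per declaration that disagrees with its rule (what `--hint` lists).
function computeHints(packages, rules) {
  const hints = [];
  for (const pkg of packages) {
    for (const field of ["dependencies", "devDependencies"]) {
      for (const [dep, v] of Object.entries(pkg[field] || {})) {
        if (dep in rules && rules[dep] !== v) {
          hints.push({ package: pkg.name, field, dependency: dep, from: v, to: rules[dep] });
        }
      }
    }
  }
  return hints;
}

// Rewrite the declarations in memory; writing package.json back is left to
// the caller, which is where a real `--fix` stops being harmless.
function applyFix(packages, rules) {
  return packages.map((pkg) => {
    const out = { ...pkg };
    for (const field of ["dependencies", "devDependencies"]) {
      if (!pkg[field]) continue;
      out[field] = Object.fromEntries(
        Object.entries(pkg[field]).map(([dep, v]) => [dep, dep in rules ? rules[dep] : v]));
    }
    return out;
  });
}
```

Running `computeRules(PACKAGES, "progressive")` on the sample pins `react-native` to 0.54.2 and `glob` to 7.0.0, which is exactly why the hints are worth reading before `--fix`: the newest version declared by any single package becomes the version every package installs.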