Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
check-dependencies
Advanced tools
Checks if currently installed npm dependencies are installed in the exact same versions that are specified in package.json
Checks if currently installed npm dependencies are installed in the exact same versions that are specified in package.json
To install the package and add it to your package.json
, invoke:
npm install check-dependencies --save-dev
When dependencies are changed in package.json
, whether it's a version bump or a new package, one can forget to invoke npm install
and continue using the application, possibly encountering errors caused by obsolete package versions. To avoid it, use the check-dependencies
module at the top of the entry point of your application; it will inform about not up-to-date setup and optionally install the dependencies.
Another option would be to always invoke npm install
at the top of the main file, but it can be slow and check-dependencies
is fast.
Once the package has been installed, it may be used via:
$ check-dependencies
All options from the API except log
and error
can be passed to the CLI, example:
$ check-dependencies --verbose --package-manager pnpm --scope-list dependencies
Options accepting array values in the API (like scopeList
) should have each value passed individually, example:
$ check-dependencies --scope-list dependencies --scope-list devDependencies
The exported function returns a promise which should eventually be fulfilled (never rejected).
const output = await require('check-dependencies')(config);
where config
is a configuration object.
output
is an object containing fields:
{
status: number, // 0 if successful, 1 otherwise
depsWereOk: boolean, // true if dependencies were already satisfied
log: array, // array of logged messages
error: array, // array of logged errors
}
There is a synchronous alternative -- the following code:
const output = require('check-dependencies').sync(config);
will assign to output
the same object to which the returned promise would otherwise resolve to.
The config
object may have the following fields:
Package manager to check against. Example values: 'npm'
, yarn
, pnpm
.
NOTE: The value passed to this parameter will be invoked if the install
option is set to true
. Do not pass untrusted input here. In the worst case, it may lead to arbitrary code execution! Also, versions below 1.1.1
did no validation of this parameter; versions 1.1.1
and newer ensure it matches the regex /^[a-z][a-z0-9-]*$/i
. It is still not safe to provide untrusted input in versions 1.1.1
or newer, though.
Type: string
Default: 'npm'
Path to the directory containing package.json
.
Type: string
Default: the closest directory containing package.json
when going up the tree, starting from the current one
Ensures all installed dependencies are specified in package.json
.
NOTE: Don't use this option with npm 3.0.0 or newer as it deduplicates the file dependency tree by default so check-dependencies
will think many modules are excessive whereas in fact they will not.
Type: boolean
Default: false
Installs packages if they don't match. With the onlySpecified
option enabled it installs if excessive packages are present as well.
Type: boolean
Default: false
The list of keys in package.json
where to look for package names & versions.
Type: array
Default: ['dependencies', 'devDependencies']
The list of keys in package.json
where to look for optional package names & versions. An optional package is not required to be installed but if it's installed, it's supposed to match the specified version range.
This list is also consulted when using onlySpecified: true
.
Type: array
Default: ['optionalDependencies']
By default, check-dependencies will skip version check for packages whose version contains the full repository path. For example:
"dependencies": {
"semver": "https://github.com/npm/node-semver.git#0.5.9"
}
If checkGitUrls is enabled, check-dependencies will parse the version number (after the path to the git repository and the hash) and check it against the version of the installed package.
Type: boolean
Default: false
Prints messages to the console.
Type: boolean
Default: false
A function logging debug messages (applies only if verbose: true
).
Type: function
Default: console.log.bind(console)
A function logging error messages (applies only if verbose: true
).
Type: function
Default: console.error.bind(console)
The most basic usage:
const output = await require('check-dependencies')();
This will check packages' versions and report an error to output
if packages' versions are mismatched.
The following:
await require('check-dependencies')({
install: true,
verbose: true,
});
will install mismatched ones.
This project aims to support all Node.js versions supported upstream (see Release README for more details).
In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests for any new or changed functionality. Lint and test your code using npm test
.
Copyright (c) Michał Gołębiowski-Owczarek. Licensed under the MIT license.
FAQs
Checks if currently installed npm dependencies are installed in the exact same versions that are specified in package.json
We found that check-dependencies demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.