Security News
JSR Working Group Kicks Off with Ambitious Roadmap and Plans for Open Governance
At its inaugural meeting, the JSR Working Group outlined plans for an open governance model and a roadmap to enhance JavaScript package management.
Danger is a tool that helps automate code review chores. It allows you to create rules that can be enforced during the code review process, ensuring that certain standards and practices are followed.
Automate Code Review
This feature allows you to automate code review tasks by defining rules that can fail or warn if certain conditions are not met. For example, you can fail a pull request if it does not have a description or warn if it does not have any labels.
import { danger, fail, warn } from "danger"

// Fail the build when the PR body is empty (whitespace-only counts as empty)
if (!danger.github.pr.body || danger.github.pr.body.trim().length === 0) {
  fail('This PR does not have a description.')
}
// Labels live on the issue side of the GitHub API, so read them from danger.github.issue
if (danger.github.issue.labels.length === 0) {
  warn('This PR does not have any labels.')
}
Check for Changelog Updates
This feature checks if the changelog has been updated in the pull request. If not, it can warn the user to add a changelog entry for their changes.
import { danger, warn } from "danger"

// modified_files lists paths changed in the PR; warn if the changelog is not among them
if (!danger.git.modified_files.includes('CHANGELOG.md')) {
  warn('Please add a changelog entry for your changes.');
}
Enforce PR Size Limits
This feature allows you to enforce size limits on pull requests. If a pull request exceeds a certain number of additions and deletions, it can warn the user to consider breaking it down into smaller PRs.
import { danger, warn } from "danger"

// Total churn (lines added plus lines removed) above this threshold is hard to review carefully
const bigPRThreshold = 500;
if (danger.github.pr.additions + danger.github.pr.deletions > bigPRThreshold) {
  warn('This PR is too large. Consider breaking it down into smaller PRs.');
}
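The three rule types above (description and labels, changelog entry, PR size) written as one testable rule set. This is an added example and not code from Socket's summary or from the danger-js project: the rules are plain functions over an object shaped like Danger's DSL (the real fields danger.github.pr.body, danger.github.pr.additions, danger.github.pr.deletions, danger.github.issue.labels and danger.git.modified_files), and fail()/warn() are replaced by a small collector so the result can be checked without a CI run. The sample PR metadata is constructed.

```javascript
// Added example: Danger-style PR rules as pure functions over a
// danger-shaped object, with a collector standing in for fail()/warn().

// Collects messages the way Danger reports them (fails and warnings).
function makeReport() {
  const report = { fails: [], warnings: [] };
  return {
    report,
    fail: (msg) => report.fails.push(msg),
    warn: (msg) => report.warnings.push(msg),
  };
}

// Rule 1: a PR must carry a description; whitespace-only bodies count as empty.
function checkDescription(danger, { fail }) {
  const body = (danger.github.pr.body || "").trim();
  if (body.length === 0) fail("This PR does not have a description.");
}

// Rule 2: a PR should be labelled so triage and release notes can find it.
function checkLabels(danger, { warn }) {
  if (danger.github.issue.labels.length === 0) {
    warn("This PR does not have any labels.");
  }
}

// Rule 3: changes need a changelog entry. The match is case-insensitive
// because repositories differ (CHANGELOG.md vs changelog.md).
function checkChangelog(danger, { warn }) {
  const touched = danger.git.modified_files.some(
    (f) => f.toLowerCase() === "changelog.md"
  );
  if (!touched) warn("Please add a changelog entry for your changes.");
}

// Rule 4: large PRs get less careful review; warn above a churn threshold.
function checkSize(danger, { warn }, bigPRThreshold = 500) {
  const churn = danger.github.pr.additions + danger.github.pr.deletions;
  if (churn > bigPRThreshold) {
    warn(`This PR is too large (${churn} lines changed). Consider breaking it down into smaller PRs.`);
  }
}

// Runs every rule and returns the collected report, the JSON-like shape
// that `danger pr` prints instead of commenting on the PR.
function runRules(danger, threshold) {
  const ctx = makeReport();
  checkDescription(danger, ctx);
  checkLabels(danger, ctx);
  checkChangelog(danger, ctx);
  checkSize(danger, ctx, threshold);
  return ctx.report;
}

// Constructed PR metadata (not a real PR) shaped like Danger's DSL.
const samplePR = {
  git: { modified_files: ["src/index.js", "package.json"] },
  github: {
    pr: { body: "   ", additions: 420, deletions: 130 },
    issue: { labels: [] },
  },
};

const sampleReport = runRules(samplePR);
console.log(JSON.stringify(sampleReport, null, 2));
```

In a real dangerfile.js the same functions would be called with the imported `danger` object and `{ fail, warn }` from the "danger" module; keeping the rules free of that import is what makes them unit-testable alongside the rest of the project.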
ESLint is a tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. While it focuses on linting and enforcing coding standards, it can be used in conjunction with Danger to ensure code quality.
Prettier is an opinionated code formatter that enforces a consistent style by parsing your code and re-printing it. It complements Danger by ensuring code style consistency, which can be part of the automated code review process.
Husky is a tool that allows you to run scripts before committing or pushing code. It can be used to enforce pre-commit hooks, ensuring that certain checks (like those defined in Danger) are run before code is committed.
Danger on Node. Wondering what's going on? See VISION.md.
Welcome!
So, what's the deal? Well, right now Danger JS does a lot of the simpler parts of the Ruby version. You can look at Git metadata, or GitHub metadata on Travis, Circle, Semaphore, Jenkins, Docker Cloud, or Codeship.
Danger can fail your build, write a comment on GitHub, edit it as your PR changes and then delete it once you've passed review. Perfect.
# with yarn
yarn add danger --dev
# or with npm
npm install --save-dev danger
If using npm, add a run command to your package.json:
{
  "scripts": {
    "danger": "danger"
  }
}
Then create a dangerfile.js in the project root with some rules:
import { danger, fail, warn } from "danger"
import fs from "fs"

// Make sure there are changelog entries
const hasChangelog = danger.git.modified_files.includes("changelog.md")
if (!hasChangelog) { fail("No Changelog changes!") }

// Only look at newly created .js files (endsWith("js") would also match e.g. .cjs or a file named "dangerjs")
const jsFiles = danger.git.created_files.filter(path => path.endsWith(".js"))

// new js files should have `@flow` at the top
const unFlowedFiles = jsFiles.filter(filepath => {
  // read as utf8 so we get a string; without an encoding readFileSync returns a Buffer
  const content = fs.readFileSync(filepath, "utf8")
  return !content.includes("@flow")
})
if (unFlowedFiles.length > 0) {
  warn(`These new JS files do not have Flow enabled: ${unFlowedFiles.join(", ")}`)
}
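The dangerfile above reads the content of new files to enforce a rule, which is the pattern worth getting right: content checks are only as good as where they look and how they read. The following is an added example, not the README's dangerfile and not part of danger-js. It generalises the "@flow" check to any required header marker and any extension, inspecting only the first few lines so a marker buried further down does not satisfy the rule, and adds a lockfile rule (a package.json change without a yarn.lock or package-lock.json change means the dependency tree under review is not the one that will be installed). File contents come through an injected readFile function so the rules can be tested on a constructed in-memory repository; a real Dangerfile would pass (p) => fs.readFileSync(p, "utf8").

```javascript
// Added example: content-based Danger rules with an injected file reader.

// Returns the created files with the given extension whose first `headLines`
// lines do not contain the marker. Only the head is inspected so that a
// marker mentioned lower in the file does not count.
function filesMissingMarker(
  createdFiles,
  readFile,
  { ext = ".js", marker = "@flow", headLines = 5 } = {}
) {
  return createdFiles
    .filter((p) => p.endsWith(ext))
    .filter((p) => {
      const head = readFile(p).split("\n").slice(0, headLines).join("\n");
      return !head.includes(marker);
    });
}

// Lockfile consistency: package.json changed but no lockfile changed means
// the installed dependency tree is not what the reviewer is looking at.
function lockfileOutOfSync(
  modifiedFiles,
  lockfiles = ["yarn.lock", "package-lock.json"]
) {
  const manifestChanged = modifiedFiles.includes("package.json");
  const lockChanged = modifiedFiles.some((f) => lockfiles.includes(f));
  return manifestChanged && !lockChanged;
}

// Applies both rules the way a Dangerfile would and returns the warnings.
function runContentRules(danger, readFile, opts = {}) {
  const warnings = [];
  const { ext = ".js", marker = "@flow" } = opts;
  const missing = filesMissingMarker(danger.git.created_files, readFile, opts);
  if (missing.length > 0) {
    warnings.push(`These new ${ext} files do not contain ${marker}: ${missing.join(", ")}`);
  }
  if (lockfileOutOfSync(danger.git.modified_files)) {
    warnings.push("package.json changed but no lockfile changed; run your package manager and commit the lockfile.");
  }
  return warnings;
}

// Constructed repository snapshot and PR metadata (not a real project).
// src/b.js mentions @flow only on line 7, outside the inspected head.
const sampleFiles = {
  "src/a.js": "// @flow\nexport const a = 1;\n",
  "src/b.js": "export const b = 2;\n\n\n\n\n\n// @flow far below\n",
  "src/c.ts": "export const c = 3;\n",
  "README.md": "# docs\n",
};
const sampleDanger = {
  git: {
    created_files: Object.keys(sampleFiles),
    modified_files: ["package.json", "src/index.js"],
  },
};
const readFromMemory = (p) => sampleFiles[p];

const sampleWarnings = runContentRules(sampleDanger, readFromMemory);
console.log(sampleWarnings.join("\n"));
```

Injecting the reader is the design choice that matters: the rules never touch the filesystem themselves, so the same functions run unchanged under `danger pr` against real checkouts and under a plain test runner against the constructed snapshot.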
Then you add yarn run danger to the end of your CI run, and Danger will run. Here's an example. 👍
Want to see some existing examples? Check out:
I'd love PRs adding more.
For now, to get set up I'd recommend looking at the setup guide for the Ruby version. All the environment vars are the exact same between versions.
You will need to create a bot account, and set up CI to run danger.
If you are using Docker Cloud, make sure to set the following blank ENV vars in your docker-compose.test.yml file so they are carried forward from the build environment:
sut:
  build: .
  environment:
    - DANGER_GITHUB_API_TOKEN
    - DOCKER_REPO
    - PULL_REQUEST_URL
    - SOURCE_REPOSITORY_URL
There are two ways to do this:
danger pr
The command danger pr expects an argument of a PR URL, e.g. danger pr https://github.com/danger/danger-js/pull/100. This will use your local dangerfile.js against the metadata of that PR. Danger will then output the results as JSON, instead of on the PR itself.
danger
If you create an appropriately scoped temporary API token for your GitHub account, this can be a good way to see if Danger is suitable for you before integrating it into your CI system.
You can manually trigger danger against a pull request on the command line by setting the following environmental variables:
export DANGER_FAKE_CI="YEP"
export DANGER_GITHUB_API_TOKEN='xxxxxxxxxx' # a github api token
export DANGER_TEST_REPO='username/reponame'
Then you can run against a local branch that is attached to a pull request, by running the following:
git checkout branch-for-pr-1234
DANGER_TEST_PR='1234' npm run danger
Assuming that your local file system matches up to that branch on GitHub, this will be a good approximation of how Danger will work when you integrate it into your CI system.
Note: this will leave a comment on the PR.
yarn run lint | tee linter_output.txt
This can then be picked up with readFileSync at linter_output.txt in your Dangerfile later.
await with no problem though) Awesommmmee.
git clone https://github.com/danger/danger-js.git
cd danger-js
# if you don't have yarn installed
npm install -g yarn
yarn install
You can then verify your install by running the tests, and the linters:
yarn test
yarn lint
Tips:
You can run the danger command globally from your dev build by running yarn run link.
Use debugger to get a REPL and context.
Check the issues, I try and keep my short-term perspective there. Long term is in the VISION.md.
0.11.3 - 0.11.5
Internal changes for usage with Peril - [@orta]
Add danger pr --repl, which drops into a Node.js REPL after evaluating the dangerfile - macklinu
Add support for Codeship - deecewan
FAQs
Unit tests for Team Culture
The npm package danger receives a total of 372,438 weekly downloads. As such, danger's popularity was classified as popular.
We found that danger demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.