depdebt
Changelog
v0.1.2: Account for @npmcli/config changes (2023-11-12)
depdebt depends on @npmcli/config internals. Update the usage to account for breaking changes and pin the dependency version. (c1b4ba5)
package: update and pin npm packages since we're using internals
Readme
A high-performance libyear dependency debt analyzer for large scale usage across an entire organization.
To compute the libyears for the package in your current directory, run:
npx depdebt
You can specify the package.json files to look at on the command-line:
npx depdebt something/package.json
If you have many files to analyze, pipe in a newline delimited list of file paths and pass - as the filename:
find -name package.json -not -path '*/node_modules/*' | npx depdebt -
depdebt inspects package.json files to determine the dependencies to analyze. It compares the actual version of a dependency to the latest version available. The number of years between the release dates of the actual and latest versions makes up the number of libyears. (See Actual version determination for more details.)
Usage: depdebt [options] [package.json ...]
Options:
-t, --tag-precedence <tag> Tag precedence (default: "latest", allows multiple with left-to-right priority)
-m, --missing <strategy> Missing package strategy (default: "throw", supports "ignore")
-h, --help Show this help
If file names are not supplied on the command line, defaults to "package.json". The special file name "-" instructs depdebt to listen for newline delimited file names from stdin.
Examples:
depdebt
depdebt package.json
depdebt -t lts -t latest package.json
find -name package.json -not -path '*/node_modules/*' | depdebt
depdebt considers the release tagged with latest as the desired version. You can specify an ordered list of tags to consider as latest. If, for instance, you don't like living life on the wild side, you might want to set the precedence to "lts" and then "latest":
depdebt -t lts -t latest
You can tell depdebt to ignore "not found" errors when retrieving package metadata. Ignoring "not found" errors is useful for mono-repos: the packages are locally linked, so the dependency cannot be out of date. To be clear, depdebt supports private registries out of the box, so this is not a workaround.
You can ignore missing packages by specifying ignore as the missing package strategy: depdebt -m ignore.
The final result data includes ignored packages. You can identify ignored packages by looking for a missing: true field:
depdebt | jq '.packages[].dependencies[] | select(.missing == true)'
{
"name": "@some-org/some-package",
"spec": "^1.0.0",
"libyears": 0,
"missing": true
}
The presence of a lock file influences the "actual" version of a dependency. If a package-lock.json file is present, depdebt uses the version found in the lock file. Otherwise, depdebt uses the latest version wanted by the version spec in package.json.
For applications deployed based on the package-lock.json committed into source control, the package-lock.json should certainly be used. For libraries that are later installed based on the package.json file, it's best to use the package.json version rather than the package-lock.json version.
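The following is an added example, not depdebt's own code, that works through the rules described above: the tag precedence that picks the desired version, the missing-package strategy, and the lock file deciding the actual version. It assumes the lockfileVersion 2/3 "packages" layout and specs that are exact or caret ranges; the registry data, package.json and lock file are constructed samples.

```javascript
// Added example, not depdebt's own code: computes libyears the way the README
// describes, against an embedded registry snapshot so it runs offline.
const MS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1000;
// Constructed stand-in for registry packuments (dist-tags + per-version dates).
const registry = {
  "left-pad": {
    "dist-tags": { latest: "1.3.0", lts: "1.1.3" },
    time: { "1.1.3": "2016-03-24T00:00:00Z", "1.2.0": "2017-05-01T00:00:00Z",
            "1.3.0": "2018-04-01T00:00:00Z" },
  },
};
// Constructed package.json and lockfile (lockfileVersion 2/3 "packages" layout).
const samplePackageJson = { dependencies: { "left-pad": "^1.2.0" } };
const sampleLock = { packages: { "node_modules/left-pad": { version: "1.1.3" } } };

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Highest version satisfying the spec. Assumption: specs are exact or ^x.y.z;
// a real implementation would use the semver package for full range support.
function wanted(spec, versions) {
  const caret = spec.startsWith("^");
  const base = caret ? spec.slice(1) : spec;
  const ok = versions.filter((v) =>
    caret ? parse(v)[0] === parse(base)[0] && cmp(v, base) >= 0 : v === base);
  return ok.sort(cmp).pop();
}

// First dist-tag in the precedence list that the package actually has (-t flag).
const desired = (pkg, tags) => tags.map((t) => pkg["dist-tags"][t]).find(Boolean);

function libyears(pkgJson, lock, reg, { tags = ["latest"], missing = "throw" } = {}) {
  return Object.entries(pkgJson.dependencies).map(([name, spec]) => {
    const pkg = reg[name];
    if (!pkg) {
      if (missing === "ignore") return { name, spec, libyears: 0, missing: true };
      throw new Error(`package not found: ${name}`); // the default "throw" strategy
    }
    // Lockfile wins when present; otherwise resolve the spec against the registry.
    const actual = lock?.packages?.[`node_modules/${name}`]?.version ?? wanted(spec, Object.keys(pkg.time));
    const latest = desired(pkg, tags);
    const gap = (Date.parse(pkg.time[latest]) - Date.parse(pkg.time[actual])) / MS_PER_YEAR;
    // Clamped at 0 (assumption): being ahead of the desired tag is not debt.
    return { name, spec, actual, latest, libyears: Number(Math.max(0, gap).toFixed(2)) };
  });
}
```

With the lock file present the sample reports about two libyears; without it the caret spec resolves to 1.3.0 and the debt is zero.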
FAQs
A high-performance [libyear](https://libyear.com/) dependency debt analyzer for large scale usage across an entire organization.
The npm package depdebt receives a total of 0 weekly downloads. As such, depdebt popularity was classified as not popular.
We found that depdebt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.