deps - npm Package Compare versions

Comparing version 0.1.2 to 1.0.0

package.json

 {
-  "author": "Zeus Lalkaka <lalkaka.zeus@gmail.com> (distracteddev.com)",
   "name": "deps",
-  "description": "A executable tool that allows you to add/remove/view your current depedencies from the command line",
-  "version": "0.1.2",
+  "version": "1.0.0",
+  "description": "Node dependency usage checker using V8 Coverage",
+  "keywords": [
+    "node",
+    "dependency",
+    "usage",
+    "coverage",
+    "v8"
+  ],
+  "files": [
+    "bin",
+    "dist"
+  ],
+  "bin": {
+    "deps": "bin/deps.js",
+    "deps-start": "bin/deps-start.sh",
+    "deps-stop": "bin/deps-stop.sh"
+  },
+  "scripts": {
+    "build": "rm -rf dist && tsc -p src",
+    "dev": "npm run build -- -w",
+    "lint": "xo",
+    "version": "standard-version"
+  },
+  "husky": {
+    "hooks": {
+      "pre-commit": "lint-staged && tsc -p src --composite false --noEmit",
+      "commit-msg": "commitlint -E HUSKY_GIT_PARAMS"
+    }
+  },
+  "lint-staged": {
+    "*.[tj]s": "xo --fix"
+  },
   "repository": {
-    "url": ""
+    "type": "git",
+    "url": "git+https://github.com/privatenumber/deps.git"
   },
-  "main": "deps",
-  "dependencies": {},
-  "devDependencies": {},
-  "optionalDependencies": {},
-  "engines": {
-    "node": "*"
+  "author": "Hiroki Osame <hiroki.osame@gmail.com>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/privatenumber/deps/issues"
   },
-  "bin": {
-    "deps": "./deps"
+  "homepage": "https://github.com/privatenumber/deps#readme",
+  "dependencies": {
+    "chalk": "^4.1.0",
+    "cli-simple-table": "0.0.3",
+    "del": "^5.1.0",
+    "execa": "^4.0.1",
+    "minimist": "^1.2.5",
+    "read-pkg": "^5.2.0",
+    "sort-keys": "^4.0.0",
+    "tempy": "^0.5.0"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^8.3.5",
+    "@commitlint/config-conventional": "^8.3.4",
+    "@types/minimist": "^1.2.0",
+    "@types/node": "^14.0.13",
+    "husky": "^4.2.5",
+    "lint-staged": "^10.2.10",
+    "standard-version": "^8.0.0",
+    "typescript": "^3.9.5",
+    "xo": "^0.32.0"
   }
 }

README.md

@@ -1,32 +0,69 @@
----
-## - deps - 
-#####The lazy-man's CLI npm dependency manager. 
-----	
+# 📦 deps <a href="https://npm.im/deps"><img src="https://badgen.net/npm/v/deps"></a> <a href="https://npm.im/deps"><img src="https://badgen.net/npm/dm/deps"></a> <a href="https://packagephobia.now.sh/result?p=deps"><img src="https://packagephobia.now.sh/badge?p=deps"></a>
 
-###Local Installation ( for current directory only ):
+<p align="center">
+  <img src="/.github/screenshot.png" width="70%">
+  <br>
+  Accurately detect which Node dependencies are in-use with V8 Coverage 🔥
+</p>
 
+#### Try it out!
+```sh
+$ npx deps [...command]
 ```
-npm install deps
-```
+_eg. `npx deps npm run build`_
 
-###Global Installation ( If you want to call it from anywhere ):
-
+## :rocket: Install
+Install globally if you don't want to use it via [npx](https://blog.npmjs.org/post/162869356040/introducing-npx-an-npm-package-runner).
+```sh
+npm i -g deps
 ```
-npm install -g deps
-```
 
-## Usage:
-###### Do not type the '$' in the following:
+## Usage
+### 🔬 Quick analysis
+Prefix your Node command with `deps` and it will analyze and output the dependencies it used
+```sh
+$ deps ...
 ```
-// Lists your dependencies, devDependencies and optionalDependencies
-// as defined by your package.json.
-$ deps 
+eg. `deps npm run build`
 
-// Adding/Removing a dependency
-$ deps {add,rm} {packageName} {packageVersion} 
-// Adding/Removing a devDependency
-$ deps {add,rm} {packageName} {packageVersion} dev
-// Adding/Removing a optionalDependency 
-$ deps {add,rm} {packageName} {packageVersion} opt
-```
+### 👩‍🔬 Analyzing dependency usage across commands
+_Prerequisite: install `deps` globally_
+1. Start recording dependecy usage (note the [dot-space](https://superuser.com/questions/1136409/what-is-the-dot-space-filename-command-doing-in-bash) at the beginning)
+  ```sh
+  $ . deps-start
+  ```
 
+2. Run a series of Node scripts eg.
+  - `npm run dev`
+  - `npm run build`
+  - `npm run lint`
+  - etc.
+
+3. Analyze used dependencies
+  ```sh
+  $ deps analyze
+  ```
+  - Save data to file:
+    ```sh
+    deps analyze -o output.json
+    ```
+  - Read later with:
+    ```sh
+    deps -f output.json
+    ```
+
+4. When you're done, stop recording
+  ```sh
+  $ . deps-stop
+  ```
+
+## 💁‍♂️ FAQ
+
+#### How does it work?
+`deps` detects which modules are loaded by using [V8's code coverage](https://nodejs.org/api/cli.html#cli_node_v8_coverage_dir) feature, so it's very accurate. However, it doesn't detect file-system reads, as they are simply read as text rather than actually being parsed and executed. That means it can't detect what files are statically analyzed by bundlers (eg. Webpack, Rollup, etc.). I am considering supporting FS reads in the future.
+
+#### How does it compare to `depcheck`?
+[`depcheck`](https://github.com/depcheck/depcheck) statically analyzes your project to see which dependencies are imported, avoiding the need to execute code. In contrast, `deps` executes code to analyze which dependencies were loaded during run-time. They work in completely different ways, but a major drawback for me is that `depcheck` requires a ["special"](https://github.com/depcheck/depcheck#special) for supporting whether a module was loaded via dev-tools.
+
+## 💼 License
+MIT

New alerts

Native code

Supply chain risk

Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

Empty package

Supply chain risk

Package does not contain any code. It may be removed, is name squatting, or the result of a faulty package publish.

Found 1 instance in 1 package

No bug tracker

Maintenance

Package does not have a linked bug tracker in package.json.

Found 1 instance in 1 package

No repository

Supply chain risk

Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

No website

Quality

Package does not have a website.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

198343

increased by5254.83%

Number of package files

27

increased by800%

Lines of code

294

increased byInfinity%

Number of low maintenance alerts

0

decreased by-100%

Number of low quality alerts

0

decreased by-100%

Number of lines in readme file

70

increased by112.12%

Worsened metrics

Dependency count

8

increased byInfinity%

Dev dependency count

9

increased byInfinity%

Number of low supply chain risk alerts

4

increased by300%

Number of medium supply chain risk alerts

3

increased by200%

Dependency changes

• + Addedchalk@^4.1.0

• + Addedcli-simple-table@0.0.3

• + Addeddel@^5.1.0

• + Addedexeca@^4.0.1

• + Addedminimist@^1.2.5

• + Addedread-pkg@^5.2.0

• + Addedsort-keys@^4.0.0

• + Addedtempy@^0.5.0

• + Added@babel/code-frame@7.26.2(transitive)

• + Added@babel/helper-validator-identifier@7.25.9(transitive)

• + Added@nodelib/fs.scandir@2.1.5(transitive)

• + Added@nodelib/fs.stat@2.0.5(transitive)

• + Added@nodelib/fs.walk@1.2.8(transitive)

• + Added@types/glob@7.2.0(transitive)

• + Added@types/minimatch@5.1.2(transitive)

• + Added@types/node@22.10.7(transitive)

• + Added@types/normalize-package-data@2.4.4(transitive)

• + Addedaggregate-error@3.1.0(transitive)

• + Addedansi-regex@5.0.1(transitive)

• + Addedansi-styles@4.3.0(transitive)

• + Addedarray-union@2.1.0(transitive)

• + Addedastral-regex@2.0.0(transitive)

• + Addedbalanced-match@1.0.2(transitive)

• + Addedbrace-expansion@1.1.11(transitive)

• + Addedbraces@3.0.3(transitive)

• + Addedchalk@4.1.2(transitive)

• + Addedclean-stack@2.2.0(transitive)

• + Addedcli-simple-table@0.0.3(transitive)

• + Addedcli-truncate@2.1.0(transitive)

• + Addedcolor-convert@2.0.1(transitive)

• + Addedcolor-name@1.1.4(transitive)

• + Addedconcat-map@0.0.1(transitive)

• + Addedcross-spawn@7.0.6(transitive)

• + Addedcrypto-random-string@2.0.0(transitive)

• + Addeddel@5.1.0(transitive)

• + Addeddir-glob@3.0.1(transitive)

• + Addedemoji-regex@8.0.0(transitive)

• + Addedend-of-stream@1.4.4(transitive)

• + Addederror-ex@1.3.2(transitive)

• + Addedexeca@4.1.0(transitive)

• + Addedfast-glob@3.3.3(transitive)

• + Addedfastq@1.18.0(transitive)

• + Addedfill-range@7.1.1(transitive)

• + Addedfs.realpath@1.0.0(transitive)

• + Addedfunction-bind@1.1.2(transitive)

• + Addedget-stream@5.2.0(transitive)

• + Addedglob@7.2.3(transitive)

• + Addedglob-parent@5.1.2(transitive)

• + Addedglobby@10.0.2(transitive)

• + Addedgraceful-fs@4.2.11(transitive)

• + Addedhas-flag@4.0.0(transitive)

• + Addedhasown@2.0.2(transitive)

• + Addedhosted-git-info@2.8.9(transitive)

• + Addedhuman-signals@1.1.1(transitive)

• + Addedignore@5.3.2(transitive)

• + Addedindent-string@4.0.0(transitive)

• + Addedinflight@1.0.6(transitive)

• + Addedinherits@2.0.4(transitive)

• + Addedis-arrayish@0.2.1(transitive)

• + Addedis-core-module@2.16.1(transitive)

• + Addedis-extglob@2.1.1(transitive)

• + Addedis-fullwidth-code-point@3.0.0(transitive)

• + Addedis-glob@4.0.3(transitive)

• + Addedis-number@7.0.0(transitive)

• + Addedis-path-cwd@2.2.0(transitive)

• + Addedis-path-inside@3.0.3(transitive)

• + Addedis-plain-obj@2.1.0(transitive)

• + Addedis-stream@2.0.1(transitive)

• + Addedisexe@2.0.0(transitive)

• + Addedjs-tokens@4.0.0(transitive)

• + Addedjson-parse-even-better-errors@2.3.1(transitive)

• + Addedlines-and-columns@1.2.4(transitive)

• + Addedmerge-stream@2.0.0(transitive)

• + Addedmerge2@1.4.1(transitive)

• + Addedmicromatch@4.0.8(transitive)

• + Addedmimic-fn@2.1.0(transitive)

• + Addedminimatch@3.1.2(transitive)

• + Addedminimist@1.2.8(transitive)

• + Addednormalize-package-data@2.5.0(transitive)

• + Addednpm-run-path@4.0.1(transitive)

• + Addedonce@1.4.0(transitive)

• + Addedonetime@5.1.2(transitive)

• + Addedp-map@3.0.0(transitive)

• + Addedparse-json@5.2.0(transitive)

• + Addedpath-is-absolute@1.0.1(transitive)

• + Addedpath-key@3.1.1(transitive)

• + Addedpath-parse@1.0.7(transitive)

• + Addedpath-type@4.0.0(transitive)

• + Addedpicocolors@1.1.1(transitive)

• + Addedpicomatch@2.3.1(transitive)

• + Addedpump@3.0.2(transitive)

• + Addedqueue-microtask@1.2.3(transitive)

• + Addedread-pkg@5.2.0(transitive)

• + Addedresolve@1.22.10(transitive)

• + Addedreusify@1.0.4(transitive)

• + Addedrimraf@3.0.2(transitive)

• + Addedrun-parallel@1.2.0(transitive)

• + Addedsemver@5.7.2(transitive)

• + Addedshebang-command@2.0.0(transitive)

• + Addedshebang-regex@3.0.0(transitive)

• + Addedsignal-exit@3.0.7(transitive)

• + Addedslash@3.0.0(transitive)

• + Addedslice-ansi@3.0.0(transitive)

• + Addedsort-keys@4.2.0(transitive)

• + Addedspdx-correct@3.2.0(transitive)

• + Addedspdx-exceptions@2.5.0(transitive)

• + Addedspdx-expression-parse@3.0.1(transitive)

• + Addedspdx-license-ids@3.0.21(transitive)

• + Addedstring-width@4.2.3(transitive)

• + Addedstrip-ansi@6.0.1(transitive)

• + Addedstrip-final-newline@2.0.0(transitive)

• + Addedsupports-color@7.2.0(transitive)

• + Addedsupports-preserve-symlinks-flag@1.0.0(transitive)

• + Addedtemp-dir@2.0.0(transitive)

• + Addedtempy@0.5.0(transitive)

• + Addedto-regex-range@5.0.1(transitive)

• + Addedtype-fest@0.12.00.6.0(transitive)

• + Addedundici-types@6.20.0(transitive)

• + Addedunique-string@2.0.0(transitive)

• + Addedvalidate-npm-package-license@3.0.4(transitive)

• + Addedwhich@2.0.2(transitive)

• + Addedwrappy@1.0.2(transitive)