dpan

DePendencyANalyzer, an SQLite-based database of your projects' npm dependency trees

Package metadata (npm): version 0.3.0 (latest), 6 published versions, 1 maintainer

DPAN, a DePendency ANalyzer


What It Is

DePendency ANalyzer, an SQLite-based database of your projects' npm dependency trees

Notes

  • The DB file is created on first run and re-used by default.
  • Most inserts are upserts or "on conflict do nothing", so re-running against an unchanged tree is fast.
  • It is unclear how to deal with deletions, though: a dependency that disappears from the tree leaves its rows behind, since nothing ever removes them.
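The design sketched in these notes (a DB file that is re-used, upserts so re-runs are cheap, and the open question of deletions), worked through as an added example. This is not dpan's code: dpan is an npm package built on the author's ICQL/DBA layer, whereas this standalone Python script uses only the standard library's sqlite3 module; the schema, the table and column names, the `generation` stamp, and the sample trees are this example's own assumptions. It goes beyond the notes in two ways: it answers the deletion question with a per-run generation stamp (any row the latest sync did not touch is the one that was deleted), and it also covers the "circular dependencies" item from the to-do list below with a recursive CTE.

```python
"""Added example, not dpan's own code: an SQLite store of an npm dependency
tree with cheap re-syncs (upserts), deletion detection via a per-run
generation stamp, and cycle detection with a recursive CTE.
Schema, table names and column names are this example's assumptions."""
import sqlite3
from typing import Dict, List, Tuple

Pkg = Tuple[str, str]        # (name, version)
Tree = Dict[Pkg, List[Pkg]]  # package -> its direct dependencies

SCHEMA = """
create table if not exists packages (
    name       text    not null,
    version    text    not null,
    generation integer not null,   -- last sync run that saw this row
    primary key (name, version)
);
create table if not exists edges (
    parent_name    text    not null,
    parent_version text    not null,
    child_name     text    not null,
    child_version  text    not null,
    generation     integer not null,
    primary key (parent_name, parent_version, child_name, child_version)
);
"""
# Upserts: on a re-run only the generation stamp changes, so the write is cheap.
UPSERT_PKG = """
insert into packages (name, version, generation) values (?, ?, ?)
on conflict (name, version) do update set generation = excluded.generation
"""
UPSERT_EDGE = """
insert into edges (parent_name, parent_version, child_name, child_version, generation)
values (?, ?, ?, ?, ?)
on conflict (parent_name, parent_version, child_name, child_version)
do update set generation = excluded.generation
"""
# Everything reachable from each edge's parent; a package that reaches itself is on a cycle.
# UNION (not UNION ALL) drops rows already seen, so the recursion terminates despite cycles.
CYCLES = """
with recursive reach(start_name, start_version, name, version) as (
    select parent_name, parent_version, child_name, child_version from edges
    union
    select r.start_name, r.start_version, e.child_name, e.child_version
    from reach r join edges e
      on e.parent_name = r.name and e.parent_version = r.version
)
select distinct start_name, start_version from reach
where name = start_name and version = start_version
order by 1, 2
"""

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the DB file if it is missing, otherwise re-use it as-is."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def sync_tree(db: sqlite3.Connection, tree: Tree, generation: int) -> Tuple[List[Pkg], int]:
    """Upsert every package and edge in `tree` with this run's `generation`,
    then delete whatever this run did not touch. `generation` must increase
    on every call. Returns (removed packages, number of removed edges)."""
    with db:  # one transaction: commit on success, roll back on error
        for (name, version), deps in tree.items():
            db.execute(UPSERT_PKG, (name, version, generation))
            for dep_name, dep_version in deps:
                db.execute(UPSERT_PKG, (dep_name, dep_version, generation))
                db.execute(UPSERT_EDGE, (name, version, dep_name, dep_version, generation))
        stale = "where generation < ?"
        removed_pkgs = db.execute(f"select name, version from packages {stale} order by 1, 2",
                                  (generation,)).fetchall()
        removed_edges = db.execute(f"select count(*) from edges {stale}", (generation,)).fetchone()[0]
        db.execute(f"delete from edges {stale}", (generation,))
        db.execute(f"delete from packages {stale}", (generation,))
    return removed_pkgs, removed_edges

def cycles(db: sqlite3.Connection) -> List[Pkg]:
    """Packages that can reach themselves through the edges table."""
    return db.execute(CYCLES).fetchall()

def count(db: sqlite3.Connection, table: str) -> int:
    assert table in ("packages", "edges")  # fixed names only; never interpolate user input
    return db.execute(f"select count(*) from {table}").fetchone()[0]

# Constructed sample trees standing in for two successive lockfile states.
TREE_V1: Tree = {
    ("app", "1.0.0"): [("a", "1.0.0"), ("b", "2.0.0")],
    ("a", "1.0.0"): [("c", "1.0.0")],
    ("b", "2.0.0"): [("c", "1.0.0")],
    ("c", "1.0.0"): [("a", "1.0.0")],   # a -> c -> a is a cycle
}
TREE_V2: Tree = {                        # b was dropped from the project
    ("app", "1.0.0"): [("a", "1.0.0")],
    ("a", "1.0.0"): [("c", "1.0.0")],
    ("c", "1.0.0"): [("a", "1.0.0")],
}

if __name__ == "__main__":
    db = open_db()
    print(sync_tree(db, TREE_V1, 1), cycles(db))   # ([], 0) [('a', '1.0.0'), ('c', '1.0.0')]
    print(sync_tree(db, TREE_V2, 2))               # ([('b', '2.0.0')], 2)
```

The `on conflict ... do update` form needs SQLite 3.24 or newer (the Python builds of the last several years bundle a newer one). Whether a removed row should be deleted or merely flagged is a policy choice; the generation column gives you either, since a `delete` and a `select ... where generation < ?` are the same predicate.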

To Do

  • [ ] implement
  • [ ] document
  • [ ] add property dba to Dpan::constructor() to pass configuration directly to ICQL/DBA
  • [ ] fetch data from https://registry.npmjs.cf/$pkg_name
  • [ ] provide info about vulnerabilities
    • [ ] from GitHub
    • [ ] from npm
  • [ ] package manager used (npm/pnpm/yarn...)
  • [ ] circular dependencies
  • [ ] try to handle spurious changes caused by Unicode normalization on some file systems (e.g. APFS). Case in point is dbay-rustybuzz, which has some filenames containing ä; originally entered as a single code point (U+00E4), the ä is turned into a sequence of base letter plus combining diacritic (a followed by U+0308). This change is not reported by git status, but git-utils repo.getStatus() returns an object like this:

    { 'fonts/schäffel.ch/1455_gutenberg_b42.otf': 128,
      'fonts/schäffel.ch/1458_gutenberg_b36.otf': 128,
      'fonts/schäffel.ch/2002_horatius.otf': 128,
      'fonts/schäffel.ch/LICENSE.txt': 128,
      'fonts/schäffel.ch/1455_gutenberg_b42.otf': 512,
      'fonts/schäffel.ch/1458_gutenberg_b36.otf': 512,
      'fonts/schäffel.ch/2002_horatius.otf': 512,
      'fonts/schäffel.ch/LICENSE.txt': 512 }
    

    where each file in question has both a deleted and a new marker (the two spellings of each path print identically, which is exactly the problem). One should suspect a flaw in either git or git-utils; also check how nodegit (https://github.com/nodegit/nodegit) deals with this situation.
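The normalization problem from the last to-do item, as an added example (this is not dpan's code; the project's own handling of it is still open). It assumes what the dump above suggests: git-utils surfaces libgit2's worktree status bits, where GIT_STATUS_WT_NEW is 1 << 7 = 128 and GIT_STATUS_WT_DELETED is 1 << 9 = 512, and that the spelling held in the index is the precomposed form (NFC) while the file system hands back the decomposed form (NFD). The sample status map, the function names and the two non-font entries are constructed for the example. It goes a step beyond the dump by keeping genuine changes intact, so it can serve as the filter the to-do item asks for.

```python
"""Added example, not dpan's code: tell apart status entries that differ only
by Unicode normalization from real worktree changes."""
import unicodedata
from typing import Dict, List, Tuple

# libgit2 worktree status bits (git-utils exposes them as plain integers);
# assumption: the 128 / 512 values in the README dump are these two.
GIT_STATUS_WT_NEW = 1 << 7       # 128
GIT_STATUS_WT_DELETED = 1 << 9   # 512

def normalization_ghosts(status: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """For every file that the map reports as deleted under one spelling and as
    new under a different spelling with the same NFC form, return
    (nfc_path, deleted_spelling, new_spelling). Such pairs are not real changes."""
    by_nfc: Dict[str, List[Tuple[str, int]]] = {}
    for path, flags in status.items():
        by_nfc.setdefault(unicodedata.normalize("NFC", path), []).append((path, flags))
    ghosts = []
    for nfc_path, entries in sorted(by_nfc.items()):
        deleted = [p for p, f in entries if f & GIT_STATUS_WT_DELETED]
        new = [p for p, f in entries if f & GIT_STATUS_WT_NEW]
        if deleted and new and deleted[0] != new[0]:
            ghosts.append((nfc_path, deleted[0], new[0]))
    return ghosts

def real_changes(status: Dict[str, int]) -> Dict[str, int]:
    """The status map with the normalization ghosts removed."""
    ghost_paths = set()
    for _, deleted_path, new_path in normalization_ghosts(status):
        ghost_paths.update((deleted_path, new_path))
    return {p: f for p, f in status.items() if p not in ghost_paths}

# Constructed sample modelled on the README dump: the index holds the
# precomposed "ä" (U+00E4), the file system hands back "a" + U+0308.
NFC_DIR = "fonts/sch\u00e4ffel.ch"
NFD_DIR = "fonts/scha\u0308ffel.ch"
FILES = ["1455_gutenberg_b42.otf", "1458_gutenberg_b36.otf",
         "2002_horatius.otf", "LICENSE.txt"]
SAMPLE_STATUS: Dict[str, int] = {}
for _f in FILES:
    SAMPLE_STATUS[f"{NFC_DIR}/{_f}"] = GIT_STATUS_WT_DELETED  # index spelling looks gone
    SAMPLE_STATUS[f"{NFD_DIR}/{_f}"] = GIT_STATUS_WT_NEW      # on-disk spelling looks untracked
SAMPLE_STATUS["README.md"] = 1 << 8                # GIT_STATUS_WT_MODIFIED: a real edit
SAMPLE_STATUS["old.txt"] = GIT_STATUS_WT_DELETED   # a real deletion

if __name__ == "__main__":
    for nfc_path, gone, fresh in normalization_ghosts(SAMPLE_STATUS):
        print(f"ghost: {nfc_path!r} ({len(gone)} vs {len(fresh)} code points)")
    print("real changes:", real_changes(SAMPLE_STATUS))   # {'README.md': 256, 'old.txt': 512}
```

Git's own mitigation for this on macOS is `core.precomposeunicode=true`, which makes git treat both spellings as one path; the check above is the application-side equivalent for status data obtained through a library that bypasses that setting. Comparing paths by their NFC form is also what you want before using them as keys in the SQLite tables, or the same file will show up twice there.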

Keywords

sqlite


Package last updated on 23 Dec 2022
