Update all dependency versions in package.json to the exact version currently installed.
Update package.json to use exact versions for dependencies
NOTE: this does not replace the best practice of adding a .npmrc file with the `save-exact=true` attribute to a project.

```
yarn add -D exact-deps
```
For a variety of reasons, I have often wanted to convert all the versions of dependencies in a package.json file to the exact versions that have been installed.

exact-deps solves this problem by:

- reading the project's package.json file,
- locating each installed dependency's own package.json file, and
- replacing the dependency's version range in the project's package.json file with the version attribute from the dependency's package.json file.

This module provides a simple CLI:
```
./node_modules/.bin/exact-deps --help
```

If combined with Yarn, it can be run as:

```
yarn exact-deps --help
```

It can also be used as part of an npm script:

```json
{
  "scripts": {
    "deps:exact": "exact-deps -w"
  },
  "devDependencies": {
    "exact-deps": "latest"
  }
}
```

```
yarn deps:exact
```
The module also exports a function that takes the directory containing package.json. It returns a new object with `path` (the package.json file that was read) and `contents` (the parsed package.json with every dependency version replaced by its installed version) properties; writing the result back to disk is left to the caller:

```js
const fs = require('fs');
const exactDeps = require('exact-deps');

// Resolve package.json in the current working directory and pin its dependencies.
const { path, contents } = exactDeps(process.cwd());

// Persist the pinned package.json (the CLI's -w flag does the same).
fs.writeFileSync(path, JSON.stringify(contents, null, 2));
```
An effective integration of this plugin could look like this:

```json
{
  "scripts": {
    "deps:exact": "exact-deps",
    "precommit": "lint-staged",
    "prepublish": "npm run deps:exact"
  },
  "lint-staged": {
    "package.json": [
      "exact-deps",
      "git add"
    ]
  },
  "devDependencies": {
    "lint-staged": "latest",
    "exact-deps": "latest"
  },
  "optionalDependencies": {
    "husky": "latest"
  }
}
```

Note that one npm script has to invoke another through `npm run deps:exact` (or call `exact-deps` directly); a bare `deps:exact` would be looked up as an executable and fail. Note also that `"latest"` is a floating dist-tag, so these devDependency entries themselves only become exact after the first `yarn deps:exact` run.
This configuration combines:

- lint-staged for automatically running tasks on staged files,
- husky for githook integration, and
- exact-deps to make sure package.json is always exact.

Together, these modules ensure the package.json file is automatically updated whenever it changes, and they provide an easy package.json script for manual use:

```
yarn deps:exact
```
FAQs
The npm package exact-deps receives a total of 8 weekly downloads. As such, exact-deps popularity was classified as not popular.

We found that exact-deps demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.