moog-require
Advanced tools
moog-require - npm Package Compare versions
Comparing version 1.3.1 to 1.3.2
22
index.js
@@ -165,6 +165,22 @@ var async = require('async'); | ||
| // confused by an unrelated npm module with the same name as an Apostrophe | ||
| // module unless we verify it is a real project-level dependency | ||
| // module unless we verify it is a real project-level dependency. However | ||
| // if no package.json at all exists at project level we do search up the | ||
| // tree until we find one to accommodate patterns like `src/app.js` | ||
| if (!self.validPackages) { | ||
| const info = JSON.parse(fs.readFileSync(`${path.dirname(self.root.filename)}/package.json`, 'utf8')); | ||
| self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]); | ||
| let info = null; | ||
| const initialFolder = path.dirname(self.root.filename); | ||
| let folder = initialFolder; | ||
| while (true) { | ||
| const file = `${folder}/package.json`; | ||
| if (fs.existsSync(file)) { | ||
| const info = JSON.parse(fs.readFileSync(file, 'utf8')); | ||
| self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]); | ||
| break; | ||
| } else { | ||
| folder = path.dirname(folder); | ||
| if (!folder.length) { | ||
| throw new Error(`package.json was not found in ${initialFolder} or any of its parent folders.`); | ||
| } | ||
| } | ||
| } | ||
| } | ||
@@ -171,0 +187,0 @@ if (!self.validPackages.has(type)) { |
@@ -39,5 +39,5 @@ { | ||
| "scripts": { | ||
| "test": "mocha test/test.js" | ||
| "test": "mocha test/test.js test/nested/test.js" | ||
| }, | ||
| "version": "1.3.1" | ||
| "version": "1.3.2" | ||
| } |
@@ -353,2 +353,4 @@ [](https://travis-ci.org/punkave/moog-require) | ||
| 1.3.2: starting in version 1.3.1, this module only loads other modules via `npm` if they are explicit npm dependencies, which is necessary for stability and security. However, it is too strict: if the project has no `package.json` at all at the level of `app.js`, `npm` search up the tree, and this module should too. Beginning in verison 1.3.2, it does search up the tree. However it stops at the first `package.json` found. | ||
| 1.3.1: `moog-require` loads modules from npm if they exist there and are configured by name in the application. This was always intended only as a way to load direct, intentional dependencies of your project. However, since npm "flattens" the dependency tree, dependencies of dependencies that happen to have the same name as a project-level module could be loaded by default, crashing the site or causing unexpected behavior. So beginning with this release, `moog-require` scans `package.json` to verify an npm module is actually a dependency of the project itself before attempting to load it. | ||
@@ -355,0 +357,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by46.46%
80479
- Number of package files
- increased by2.78%
37
- Lines of code
- increased by68.41%
1743
- Number of lines in readme file
- increased by0.53%
381
- Number of medium supply chain risk alerts
- decreased by-100%
0