
Security News
/Research
Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions
Malicious npm package impersonates Nodemailer and drains wallets by hijacking crypto transactions across multiple blockchains.
npm-check-unused
Advanced tools
npm-check-unused
Check for unused dependencies.
This is the easiest way to use npm-check-unused
.
$ npm install -g npm-check-unused
$ npm-check-unused
Usage
$ npm-check-unused <path> <options>
Path
Where to check. Defaults to current directory.
Options
-p, --production Skip devDependencies.
-d, --dev-only Look at devDependencies only (skip dependencies).
-i, --ignore Ignore dependencies based on succeeding glob.
--specials List of depcheck specials to include in check for unused dependencies.
--no-emoji Remove emoji support. No emoji in default in CI environments.
--debug Show debug output. Throw in a gist when creating issues on github.
Examples
$ npm-check-unused # See what isn't being used.
$ npm-check-unused ../foo # Check another path.
-p, --production
By default npm-check
will look at packages listed as dependencies
and devDependencies
.
This option will let it ignore packages listed as devDependencies
.
-d, --dev-only
Ignore dependencies
and only check devDependencies
.
This option will let it ignore packages listed as dependencies
.
-i, --ignore
Ignore dependencies that match specified glob.
$ npm-check-unused -i babel-*
will ignore all dependencies starting with 'babel-'.
--specials
Check special (e.g. config) files when looking for unused dependencies.
$ npm-check-unused --specials=bin,webpack
will look in the scripts
section of package.json and in webpack config.
See https://github.com/depcheck/depcheck#special for more information.
--emoji, --no-emoji
Enable or disable emoji support. Useful for terminals that don't support them. Automatically disabled in CI servers.
--spinner, --no-spinner
Enable or disable the spinner. Useful for terminals that don't support them. Automatically disabled in CI servers.
The API is here in case you want to wrap this with your CI toolset.
const npmCheck = require('npm-check');
npmCheck(options)
.then(currentState => console.log(currentState.get('packages')));
ignoreDev
devDependencies
.--production
on the command line to match npm
.false
devOnly
dependencies
and only check devDependencies
.false
ignore
[]
debug
false
cwd
npm-check
checks.process.cwd()
specials
depcheck
special parsers to include.''
currentState
The result of the promise is a currentState
object, look in state.js to see how it works.
You will probably want currentState.get('packages')
to get an array of packages and the state of each of them.
Each item in the array will look like the following:
{
moduleName: 'lodash', // name of the module.
homepage: 'https://lodash.com/', // url to the home page.
regError: undefined, // error communicating with the registry
pkgError: undefined, // error reading the package.json
latest: '4.7.0', // latest according to the registry.
installed: '4.6.1', // version installed
isInstalled: true, // Is it installed?
notInstalled: false, // Is it installed?
packageWanted: '4.7.0', // Requested version from the package.json.
packageJson: '^4.6.1', // Version or range requested in the parent package.json.
devDependency: false, // Is this a devDependency?
usedInScripts: undefined, // Array of `scripts` in package.json that use this module.
mismatch: false, // Does the version installed not match the range in package.json?
semverValid: '4.6.1', // Is the installed version valid semver?
easyUpgrade: true, // Will running just `npm install` upgrade the module?
bump: 'minor', // What kind of bump is required to get the latest, such as patch, minor, major.
unused: false // Is this module used in the code?
},
You will also see this if you use --debug
on the command line.
Copyright (c) 2018 Nfer Zhuang, contributors.
Released under the MIT license.
Screenshots are CC BY-SA (Attribution-ShareAlike).
FAQs
Check unused dependencies.
The npm package npm-check-unused receives a total of 202 weekly downloads. As such, npm-check-unused popularity was classified as not popular.
We found that npm-check-unused demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Malicious npm package impersonates Nodemailer and drains wallets by hijacking crypto transactions across multiple blockchains.
Security News
This episode explores the hard problem of reachability analysis, from static analysis limits to handling dynamic languages and massive dependency trees.
Security News
/Research
Malicious Nx npm versions stole secrets and wallet info using AI CLI tools; Socket’s AI scanner detected the supply chain attack and flagged the malware.