Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
npm-package-arg
The npm-package-arg package is a utility for parsing package names and specifiers in the npm ecosystem. It helps in understanding and manipulating package references, whether they are simple names, version ranges, GitHub URLs, or local paths.
Parsing Package Names
This feature allows you to parse a simple package name. The output will be an object containing details about the package, such as its name, type, and registry.
const npa = require('npm-package-arg');
const parsed = npa('express');
console.log(parsed);
Parsing Version Ranges
This feature allows you to parse a package name with a version range. The output will include the specified version range and other details.
const npa = require('npm-package-arg');
const parsed = npa('express@^4.0.0');
console.log(parsed);
Parsing GitHub URLs
This feature allows you to parse a GitHub URL. The output will include details about the repository, such as the user and repo names.
const npa = require('npm-package-arg');
const parsed = npa('github:user/repo');
console.log(parsed);
Parsing Local Paths
This feature allows you to parse a local file path. The output will include details about the local path and the type of reference.
const npa = require('npm-package-arg');
const parsed = npa('file:./local-package');
console.log(parsed);
The validate-npm-package-name package is used to validate whether a string is a valid npm package name. Unlike npm-package-arg, it focuses solely on validation and does not parse version ranges, URLs, or paths.
The semver package is used for parsing, validating, and comparing semantic versioning strings. While npm-package-arg can parse version ranges as part of a package specifier, semver provides more comprehensive tools for working with version numbers.
The npm-registry-fetch package is used to make requests to the npm registry. It can fetch package metadata and tarballs. While npm-package-arg helps in parsing package specifiers, npm-registry-fetch is focused on interacting with the npm registry.
Parse the things that can be arguments to npm install
Takes an argument like foo@1.2, or foo@user/foo, or http://x.com/foo.tgz, or git+https://github.com/user/foo, and figures out what type of thing it is.
var assert = require("assert")
var npa = require("npm-package-arg")

// Pass in the descriptor, and it'll return an object
var parsed = npa("foo@1.2")
// Returns an object like:
// {
//   name: "foo",   // The bit in front of the @
//   type: "range", // the type of descriptor this is
//   spec: "1.2"    // the specifier for this descriptor
// }

// Completely unreasonable invalid garbage throws an error
// Make sure you wrap this in a try/catch if you have not
// already sanitized the inputs!
assert.throws(function() {
  npa("this is not \0 a valid package name or url")
})
For more examples, see the test file.
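As an added example (not code from npm-package-arg or its maintainers), the following self-contained JavaScript re-implements the type classification the README describes, using the type names it gives for the type field (git, github, tag, version, range, local, remote), and then applies it to a constructed package.json dependency map to flag every dependency that is not resolved through the npm registry. From a supply-chain review standpoint those are the entries worth a second look: a git, github, remote or local specifier fetches code from an arbitrary host or disk path rather than from the registry. The regular expressions, the classifySpecifier and auditDependencies functions and the SAMPLE_DEPENDENCIES object are all this example's own assumptions; the real parser is npm-package-arg itself, which returns richer objects than this does. The audit also follows the README's advice to wrap the parse in a try/catch, recording invalid specifiers instead of aborting.

```javascript
// Added example, not npm-package-arg's own code: a minimal classifier that
// follows the README's type vocabulary (git, github, tag, version, range,
// local, remote) and an audit that flags dependencies not served by the
// npm registry. All names and regular expressions here are this example's own.

// npm's package-name rule: optional @scope/, lower-case URL-safe characters.
const NAME_RE = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
// An exact semver version, optionally with prerelease and build metadata.
const VERSION_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Range syntax only uses digits, dots, x/X/*, ^ ~ < > =, spaces, '||' and '-'.
const RANGE_RE = /^[\dxX*^~<>=\s|.-]+$/;
// GitHub shorthand: user/project with an optional #committish.
const GITHUB_SHORTHAND_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$/;

// Classify a specifier that is a URL, path or shorthand rather than a
// version/range/tag; returns null when it is none of those.
function classifyBareSpec(spec) {
  if (/^(file:|\.\.?\/|\/)/.test(spec)) return 'local';
  if (/^git(\+[a-z]+)?:\/\//.test(spec) || /^git@/.test(spec)) return 'git';
  if (/^https?:\/\//.test(spec)) return /\.git(#.*)?$/.test(spec) ? 'git' : 'remote';
  if (/^github:/.test(spec) || GITHUB_SHORTHAND_RE.test(spec)) return 'github';
  return null;
}

// Parse "name@spec" (or a bare URL/path) into { name, type, spec, raw, rawSpec }.
function classifySpecifier(arg) {
  if (typeof arg !== 'string' || arg.length === 0 || arg.includes('\0')) {
    throw new Error(`invalid package argument: ${JSON.stringify(arg)}`);
  }
  const raw = arg.trim();
  const bareType = classifyBareSpec(raw);
  if (bareType) return { name: null, type: bareType, spec: raw, raw, rawSpec: raw };

  // Split on the first '@' after index 0 so a scoped name's leading '@' survives.
  const at = raw.indexOf('@', 1);
  const name = at === -1 ? raw : raw.slice(0, at);
  const rawSpec = at === -1 ? '' : raw.slice(at + 1);
  if (!NAME_RE.test(name)) throw new Error(`invalid package name: ${JSON.stringify(name)}`);

  let type;
  const specType = rawSpec ? classifyBareSpec(rawSpec) : null;
  if (specType) type = specType;                       // foo@git+https://..., foo@user/foo
  else if (rawSpec === '') type = 'tag';               // bare name: treated here as the "latest" tag
  else if (VERSION_RE.test(rawSpec)) type = 'version'; // foo@1.2.3
  else if (RANGE_RE.test(rawSpec)) type = 'range';     // foo@1.2, foo@2.x, foo@^4.0.0
  else type = 'tag';                                   // foo@latest, foo@next
  return { name, type, spec: rawSpec === '' ? 'latest' : rawSpec, raw, rawSpec };
}

// Types resolved through the registry, where the lockfile can pin an integrity
// hash for the served tarball. git/github/local/remote specifiers instead fetch
// code from an arbitrary host or disk path, so a review should surface each one.
const REGISTRY_TYPES = new Set(['tag', 'version', 'range']);

function auditDependencies(dependencies) {
  const findings = [];
  for (const [name, spec] of Object.entries(dependencies)) {
    let parsed;
    try {
      parsed = classifySpecifier(`${name}@${spec}`); // package.json stores name and spec apart
    } catch (err) {
      // The README warns that garbage throws: record it rather than abort the audit.
      findings.push({ name, spec, type: 'invalid', reason: err.message });
      continue;
    }
    if (!REGISTRY_TYPES.has(parsed.type)) {
      findings.push({ name, spec, type: parsed.type, reason: 'not resolved through the npm registry' });
    }
  }
  return findings;
}

// Constructed sample dependency map (not taken from any real project).
const SAMPLE_DEPENDENCIES = {
  express: '^4.0.0',                        // range   -> registry
  lodash: '4.17.21',                        // version -> registry
  'left-pad': 'latest',                     // tag     -> registry
  'my-fork': 'github:user/repo',            // github  -> flagged
  tarball: 'http://x.com/foo.tgz',          // remote  -> flagged
  'local-package': 'file:./local-package',  // local   -> flagged
  broken: 'this is not \0 a valid spec',    // invalid -> flagged via the catch branch
};

console.log(JSON.stringify(auditDependencies(SAMPLE_DEPENDENCIES), null, 2));
```

Run against the constructed map, the audit reports the github, remote and local entries plus the invalid one, and leaves the three registry-resolved dependencies alone. The classifier deliberately takes the name/spec split and the type decision in the same order the README's examples imply (a URL or path anywhere in the spec wins over version and range matching), but it is an approximation for illustration; production code should call npa() and inspect its type field.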
The objects that are returned by npm-package-arg contain the following fields:
- name - If known, the name field expected in the resulting pkg.
- type - One of the following strings:
  - git - A git repo
  - github - A github shorthand, like user/project
  - tag - A tagged version, like "foo@latest"
  - version - A specific version number, like "foo@1.2.3"
  - range - A version range, like "foo@2.x"
  - local - A local file or folder path
  - remote - An http url (presumably to a tgz)
- spec - The "thing". URL, the range, git repo, etc.
- raw - The original un-modified string that was provided.
- rawSpec - The part after the name@..., as it was originally provided.
FAQs
Parse the things that can be arguments to `npm install`
The npm package npm-package-arg receives a total of 13,898,234 weekly downloads. As such, npm-package-arg popularity was classified as popular.
We found that npm-package-arg demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.