Security News
The Push to Ban Ransom Payments Is Gaining Momentum
Ransomware costs victims an estimated $30 billion per year and has gotten so out of control that global support for banning payments is gaining momentum.
npm-package-arg
Advanced tools
Changelog
11.0.2 (2024-04-12)
207ba7d
#168 postinstall for dependabot template-oss PR (@lukekarrys)604c1d2
#168 bump @npmcli/template-oss from 4.21.1 to 4.21.3 (@dependabot[bot])82273b5
#165 postinstall for dependabot template-oss PR (@lukekarrys)4228b37
#165 bump @npmcli/template-oss from 4.19.0 to 4.21.1 (@dependabot[bot])d4b1447
#147 postinstall for dependabot template-oss PR (@lukekarrys)c5920a9
#147 bump @npmcli/template-oss from 4.18.1 to 4.19.0 (@dependabot[bot])ee68f93
#146 postinstall for dependabot template-oss PR (@lukekarrys)7901052
#146 bump @npmcli/template-oss from 4.18.0 to 4.18.1 (@dependabot[bot])Readme
Parses package name and specifier passed to commands like npm install
or
npm cache add
, or as found in package.json
dependency sections.
var assert = require("assert")
var npa = require("npm-package-arg")
// Pass in the descriptor, and it'll return an object
try {
var parsed = npa("@bar/foo@1.2")
} catch (ex) {
…
}
var npa = require('npm-package-arg')
npm install
, like:
foo@1.2
, @bar/foo@1.2
, foo@user/foo
, http://x.com/foo.tgz
,
git+https://github.com/user/foo
, bitbucket:user/foo
, foo.tar.gz
,
../foo/bar/
or bar
. If the arg you provide doesn't have a specifier
part, eg foo
then the specifier will default to latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
foo
or @bar/foo
.1.2
, ^1.7.17
, http://x.com/foo.tgz
, git+https://github.com/user/foo
,
bitbucket:user/foo
, file:foo.tar.gz
or file:../foo/bar/
. If not
included then the default is latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
Returns the purl (package URL) form of the given package name/spec.
foo@1.0.0
or @bar/foo@2.0.0-alpha.1
.https://registry.npmjs.org
.Throws if the package name is invalid, or the supplied arg can't be resolved to a purl.
The objects that are returned by npm-package-arg contain the following keys:
type
- One of the following strings:
git
- A git repotag
- A tagged version, like "foo@latest"
version
- A specific version number, like "foo@1.2.3"
range
- A version range, like "foo@2.x"
file
- A local .tar.gz
, .tar
or .tgz
file.directory
- A local directory.remote
- An http url (presumably to a tgz)alias
- A specifier with an alias, like myalias@npm:foo@1.2.3
registry
- If true this specifier refers to a resource hosted on a
registry. This is true for tag
, version
and range
types.name
- If known, the name
field expected in the resulting pkg.scope
- If a name is something like @org/module
then the scope
field will be set to @org
. If it doesn't have a scoped name, then
scope is null
.escapedName
- A version of name
escaped to match the npm scoped packages
specification. Mostly used when making requests against a registry. When
name
is null
, escapedName
will also be null
.rawSpec
- The specifier part that was parsed out in calls to npa(arg)
,
or the value of spec
in calls to `npa.resolve(name, spec).saveSpec
- The normalized specifier, for saving to package.json files.
null
for registry dependencies.fetchSpec
- The version of the specifier to be used to fetch this
resource. null
for shortcuts to hosted git dependencies as there isn't
just one URL to try with them.gitRange
- If set, this is a semver specifier to match against git tags withgitCommittish
- If set, this is the specific committish to use with a git dependency.hosted
- If from === 'hosted'
then this will be a hosted-git-info
object. This property is not included when serializing the object as
JSON.raw
- The original un-modified string that was provided. If called as
npa.resolve(name, spec)
then this will be name + '@' + spec
.subSpec
- If type === 'alias'
, this is a Result Object for parsing the
target specifier for the alias.FAQs
Parse the things that can be arguments to `npm install`
We found that npm-package-arg demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware costs victims an estimated $30 billion per year and has gotten so out of control that global support for banning payments is gaining momentum.
Application Security
New SEC disclosure rules aim to enforce timely cyber incident reporting, but fear of job loss and inadequate resources lead to significant underreporting.
Security News
The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).