NPM Vet is a simple CLI tool to help vet your npm package versions. NPM Vet can be used locally, or as a CI build-step to prevent builds passing with mismatched package versions. To read more about NPM Vet, visit the Hark website.
$ npm install npmvet -g
Usage: npmvet [options]
Options:
-h, --help output usage information
-V, --version output the version number
-p, --package <package> package.json file location (Default: .)
-m, --modules <modules> node_modules folder location (Default: .)
-r, --renderer <renderer> Renderer to use (Default: inlinetable)
-s, --strict Using the CI renderer, fail build if any packages unlocked (Default: false, flag)
If you're using the CI renderer (see below) the -s flag will enable strict mode. In which builds will fail if versions are unlocked, not just unmatching.
Renderers are used to dictate how to output the data NPM Vet collects. The default is inlinetable.
$ npmvet -r inlinetable
The default renderer, inlinetable will print a table inline with your current process. You can use this locally to visualise package differences.
$ npmvet -r ci
To prevent your CI builds passing with mismatched package versions, use the CI renderer. If any package version mismatches are found, the build will fail:
Or if there are no mismatching package versions, your build will continue (and hopefully pass!):
The blessed renderer will render a table inside a screen, that has be exited by the user to escape.
$ npmvet -r blessed
The JSON renderer will print a JSON array with match information for each package.
$ npmvet -r json
[
{
"name": "blessed",
"packageVersion": "0.1.81",
"installedVersion": "0.1.81",
"matches": true,
"locked": false
},
{
"name": "chalk",
"packageVersion": "1.1.3",
"installedVersion": "1.1.3",
"matches": true,
"locked": false
},
{
"name": "jest",
"packageVersion": "18.1.0",
"installedVersion": "18.1.0",
"matches": true,
"locked": false
}
]
For information regarding contributing to this project, please read the Contributing document.
FAQs
A simple CLI tool for vetting npm package versions
We found that npmvet demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.