Security News
The Unpaid Backbone of Open Source: Solo Maintainers Face Increasing Security Demands
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
snyk-resolve-deps
Advanced tools
Resolves a node package tree with combined support for both npm@2 and npm@3.
This package will create a virtual tree representation of a node package's dependencies, supporting both npm@2 and npm@3 directory structures.
Note that the output differs from the npm ls
output in that deduped packages are resolved to their owners.
let resolveDeps = require('snyk-resolve-deps');
let asTree = require('snyk-tree');
let options = { dev: true };
resolveDeps(process.cwd(), options).then(function (tree) {
console.log(asTree(tree));
}).catch(function (error) {
// error is usually limited to unknown directory
console.log(error.stack);
process.exit(1);
});
false
] report only development optionsundefined
] extract extra fields from dependencies' package.json files. example: ['files']
false
] don't include from
arrays with list of deps from root
on every node'package.json'
] location of the package fileTo fully support npm@2 and npm@3 two passes of the tree are required:
The module will start by reading the package.json
from the target directory, capture the metadata and then read through each recursive node_modules
directory.
This creates the physicalTree
object. In npm@3 this will usually yield an object with the root metadata (name, version, etc) and then a dependencies
object that contains every dependency across the entire code base. This is not the true representation of the package relationships so we need to make the second pass.
There are also edge cases that need to be handled, particularly when a dev or prod dependency hasn't been loaded into the physical tree because it has been missed. This can be either because the package is missing from the project, or (more likely) because the dependencies is much higher up and outside of the original directory that was scanned. So a second check is run to find those missing modules, using the snyk-resolve module.
Note: code found in lib/deps.js
The next pass uses the physicalTree
as the starting point, but uses the dependencies
and devDependencies
properties from the package.json
metadata. It will iterate through the dependencies and resolve the correct dependency package from the physical tree based on similar methods that the require
module loading system will use (this is in lib/pluck.js
).
Finally, once the virtual tree is constructed, a pass is made to check for unused packages from the original physicalTree
, which are marked as extraneous: true
, and if the optional dev
flag is false
, all devDependencies
are stripped.
Note: code found in lib/logical.js
FAQs
Resolves a node package tree with combined support for both npm@2 and npm@3.
The npm package snyk-resolve-deps receives a total of 74,973 weekly downloads. As such, snyk-resolve-deps popularity was classified as popular.
We found that snyk-resolve-deps demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
Security News
License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.