Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
yarnd
Readme
Deduplication utility for yarn
yarn add --dev yarnd
Yarn encourages reliable, reproducible installs and works very well for that purpose. But when you update a direct dependency, yarn does not update transitive dependencies that are already in use by another package, so you can end up with two or more copies of the same package installed. For web bundles it is often crucial to ship only one copy, or at least as few identical dependencies as possible: duplicates increase bundle size and can cause errors (two copies of a library that keeps global state, for example). So you have four choices:
1. yarnd (or yarnd check)
   Show all dependencies that have duplicates which can be deduplicated automatically by semver.
2. yarnd fix
   Deduplicate all dependencies automatically by semver.
3. yarnd @emotion/ react react-dom
   Same as 1, but check only dependencies in the @emotion namespace and the react and react-dom packages.
4. yarnd fix --primary react
   Same as 3, but deduplicate only dependencies that are transitively connected to the packages listed in the dependencies field of package.json, plus the react package.

Commands

check
Check for duplicated packages in yarn.lock and raise an error if there are any (default):
yarnd check [packages]

fix
Deduplicate the given packages, or all packages if none are given:
yarnd fix [packages]

The default command (check) can be run either by its name or with only package names (yarnd ...).
Warning: after yarnd fix, run
yarn install --force
because yarn rebalances the lockfile in its own way, and this command must be run after yarnd.
Flags

--lock [file]
Specifies where the yarn.lock file is placed (default is the file in the current directory).
--included [packages]
Specifies included dependencies (not transitive).
--excluded [packages]
Specifies excluded dependencies (not transitive).
--primary
Check production dependencies (transitive).
--dev
Check development dependencies (transitive).
help
Show available commands and a description of each.

--included [packages], --primary and --dev are additive, so each flag adds packages to the check list.

--strict
More verbose output that also shows dependencies that cannot be deduplicated by semver (filtered by the flags above).

--included [packages] and --excluded [packages] also accept namespaces. Example: --excluded @babel/ excludes the whole @babel namespace.

All flags have aliases by their first letter, so these commands are equal:
yarnd fix -ps
yarnd fix -p -s
yarnd fix --primary --strict
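To make the check/fix semantics and the --strict distinction concrete, here is an added example (not yarnd's own code): a minimal yarn.lock v1 duplicate finder. It parses the lockfile, groups entries by package name, and for every package resolved to more than one version asks whether one already-installed version satisfies every range its dependents requested (the case fix can collapse) or not (the case only --strict would show). It assumes a simplified semver (exact, ^, ~ and * only), runs on a constructed lockfile embedded inline, and all function names are illustrative.

```javascript
// Added example, not yarnd's own code: a minimal yarn.lock v1 duplicate finder
// in the spirit of `yarnd check`. Every package resolved to more than one
// version is reported, together with whether one already-installed version
// satisfies all requested ranges (the case `yarnd fix` can collapse).
// Assumption: only exact, ^, ~ and * ranges are understood (simplified semver).

// Constructed sample lockfile: lodash is duplicated because a direct dependency
// was bumped while a transitive dependent kept an older caret range;
// @scope/pkg is a genuine major-version split that semver cannot collapse.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.21"

lodash@^4.16.0:
  version "4.16.6"

"@scope/pkg@~1.2.0":
  version "1.2.3"

"@scope/pkg@^2.0.0":
  version "2.1.0"

react@^17.0.0:
  version "17.0.2"
`;

const parseVersion = (v) => v.split('.').map(Number);

// Numeric major.minor.patch comparison; negative when a < b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Does `version` satisfy `range`? Handles exact, ^x.y.z, ~x.y.z and *.
function satisfies(version, range) {
  if (range === '*' || range === '') return true;
  const op = range[0];
  const base = op === '^' || op === '~' ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin, bPat] = parseVersion(base);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (op === '^') {
    // Caret: the left-most non-zero component must stay the same.
    if (bMaj !== 0) return vMaj === bMaj;
    if (bMin !== 0) return vMaj === 0 && vMin === bMin;
    return vMaj === 0 && vMin === 0 && vPat === bPat;
  }
  if (op === '~') return vMaj === bMaj && vMin === bMin;
  return compareVersions(version, base) === 0;
}

// Parse yarn.lock v1 text into [{ name, ranges, version }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      // Header line: `name@range, name@range2:` (keys are quoted when scoped).
      const specs = raw.replace(/:\s*$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = {
        name: specs[0].slice(0, specs[0].lastIndexOf('@')),
        ranges: specs.map((s) => s.slice(s.lastIndexOf('@') + 1)),
        version: null,
      };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report each package with more than one resolved version. `target` is the
// highest installed version that satisfies every requested range, or null when
// none does (the entries yarnd shows only under --strict).
function findDuplicates(entries) {
  const byName = new Map();
  for (const e of entries) byName.set(e.name, [...(byName.get(e.name) || []), e]);
  const report = {};
  for (const [name, list] of byName) {
    const versions = [...new Set(list.map((e) => e.version))].sort(compareVersions).reverse();
    if (versions.length < 2) continue;
    const ranges = list.flatMap((e) => e.ranges);
    const target = versions.find((v) => ranges.every((r) => satisfies(v, r))) || null;
    report[name] = { versions, target, deduplicable: target !== null };
  }
  return report;
}

// Like `yarnd check`: a non-zero exit code whenever any duplicate is present.
function checkLock(text) {
  const report = findDuplicates(parseYarnLock(text));
  return { report, exitCode: Object.keys(report).length === 0 ? 0 : 1 };
}

console.log(JSON.stringify(checkLock(SAMPLE_LOCK), null, 2));
```

On the sample lockfile, lodash collapses onto 4.17.21 (every caret range accepts it) while @scope/pkg stays split and is only worth reporting in strict mode. The security point is the lodash case: bumping the direct dependency alone leaves the older copy in the bundle, so running a check like this in CI catches duplicates that a dependency update was supposed to remove.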
FAQs
Deduplication utility for yarn
The npm package yarnd receives a total of 1,268 weekly downloads. As such, yarnd was classified as popular.
We found that yarnd demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.