@achingbrain/dependency-check Chinese documentation tutorial

Published 4 years ago, 18 views, project homepage, updated 3 years ago


This is a temporary fork which is only necessary until dependency-check-team/dependency-check#127 or equivalent is merged

dependency-check

checks which modules you have used in your code and then makes sure they are listed as dependencies in your package.json, or vice-versa

requirements for maintained majors

dependency-check 4.x supports Node.js 10 and later

dependency-check 3.x supports Node.js 6 and later

dependency-check 2.x supports Node.js 0.10 and later (Dev note: published using the legacy tag)

For more info on maintenance status, see SECURITY.md.

how it works

dependency-check parses your module code starting from the default entry files (e.g. index.js or main, plus any bin commands defined in package.json; or, if specific files have been given, then those) and traverses through all relatively required JS files, ultimately producing a list of non-relative modules

  • relative - e.g. require('./a-relative-file.js'); if one of these is encountered, the required file is itself parsed recursively by the dependency-check algorithm
  • non-relative - e.g. require('a-module'); if one of these is encountered it gets added to the list of dependencies, but the module's own sub-dependencies are not recursively parsed

the goal of this module is simply to check that all non-relative modules that get require()'d are in package.json, which prevents people from getting 'module not found' errors when they install a version of your module that was accidentally published to NPM with missing deps (happened to me all the time, hence the impetus to write this module).

cli usage

$ npm install dependency-check -g
$ dependency-check <path to module file(s), package.json or module folder>

# e.g.

$ dependency-check ./package.json --verbose
Success! All dependencies used in the code are listed in package.json
Success! All dependencies in package.json are used in the code
$ dependency-check ./package.json --missing --verbose
Success! All dependencies used in the code are listed in package.json
$ dependency-check ./package.json --unused --verbose
Success! All dependencies in package.json are used in the code

# or with file input instead:

$ dependency-check ./index.js

# even with globs and multiple inputs:

$ dependency-check ./test/**/*.js ./lib/*.js

dependency-check exits with code 1 if there are discrepancies, in addition to printing them out

To always exit with code 0 pass --ignore

--missing

running dependency-check ./package.json --missing will only do the check to make sure that all modules in your code are listed in your package.json

--unused

running dependency-check ./package.json --unused will only do the inverse of the missing check and will tell you which modules in your package.json dependencies were not used in your code

--no-dev

running dependency-check ./package.json --unused --no-dev will not tell you if any devDependencies in your package.json were missing or unused

--no-peer

running dependency-check ./package.json --unused --no-peer will not tell you if any peerDependencies in your package.json were missing or unused

--ignore-module, -i

ignores a module. This works for both --unused and --missing. You can specify as many separate --ignore-module arguments as you want. For example running dependency-check ./package.json --unused --ignore-module foo will not tell you if the foo module was not used in your code. Supports globbing patterns through the use of micromatch, so eg. --ignore-module "@types/*" is possible

--no-default-entries

running eg. dependency-check package.json tests.js --no-default-entries won't add any default entries despite the main path given being one to a package.json or module folder. So only the tests.js file will be checked

--extensions, -e

running dependency-check ./package.json -e js,jsx:precinct will resolve require paths to .js and .jsx paths, and parse using precinct.

--detective

running dependency-check ./package.json --detective precinct will require() the local precinct as the default parser. This can be set per-extension using -e. Defaults to parsing with detective.

--verbose

Running with --verbose will enable a log message on success, otherwise dependency-check only logs on failure.

--help

shows above options and all other available options

auto check before every npm publish

add this to your .bash_profile/.bashrc

# originally from https://gist.github.com/mafintosh/405048d304fbabb830b2
npm () {
  ([ "$1" != "publish" ] || dependency-check .) && command npm "$@"
}

now when you do npm publish and you have missing dependencies it won't publish, e.g.:

$ npm publish
Fail! Dependencies not listed in package.json: siblings
$ npm install --save siblings
$ npm publish # works this time

grunt usage

See grunt-dependency-check.

protips

  • detective is used for parsing require() statements, which means it only does static requires. this means you should convert things like var foo = "bar"; require(foo) to be static, e.g. require("bar")
  • use globbing to effectively add all the files you want to check