Gathering detailed insights and metrics for @alcalzone/pak
Gathering detailed insights and metrics for @alcalzone/pak
Programmatic wrapper around popular Node.js package managers
Installations
npm install @alcalzone/pakDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
20.14.0
NPM Version
10.7.0
Score
93.6
Supply Chain
97.4
Quality
74.5
Maintenance
100
Vulnerability
100
License
Releases
15
Languages
2
TypeScript
JavaScript
TypeScript (96.56%)
JavaScript (3.44%)
Developer
AlCalzone
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
5 Stars
50 Commits
4 Forks
1 Watchers
1 Branches
2 Contributors
Updated on May 24, 2025
Bundle Size
136.41 kB
Minified
43.41 kB
Minified + Gzipped
Package Meta Information
Latest Version
0.11.0
Package Id
@alcalzone/pak@0.11.0
Unpacked Size
82.09 kB
Size
16.36 kB
File Count
21
NPM Version
10.7.0
Node Version
20.14.0
Published on
Jun 21, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
23
@alcalzone/release-script@babel/core@babel/plugin-transform-typescript@babel/preset-env@babel/preset-typescript@types/fs-extra@types/jest@types/node@types/rimraf@types/semver@typescript-eslint/eslint-plugin@typescript-eslint/parsereslinteslint-config-prettiereslint-plugin-prettierjestjest-extendedjest-jasmine2prettierprettier-plugin-organize-importsrimrafsource-map-supporttypescript
pak
Programmatic wrapper around popular Node.js package managers
Supports:
-
npm -
Yarn Classic -
Yarn Berry
(not all features are available for all package managers)
Usage
Auto-detect the correct package-manager to use
1import { detectPackageManager } from "pak"; 2 3async function main() { 4 // Use the current working directory 5 const pak = await detectPackageManager(); 6 7 // Or use a different directory. The package manager will default to that dir 8 const pak = await detectPackageManager({ cwd: "/path/to/dir" }); 9}
detectPackageManager takes an options object with the following properties:
1{ 2 /** The working directory for the package manager. Detection will start from here upwards. */ 3 cwd?: string; 4 /** Whether to change the `cwd` to operate in the package's root directory instead of the current one. */ 5 setCwdToPackageRoot?: boolean; 6 /** If this is `false` and no package manager with a matching lockfile was found, another pass is done without requiring one */ 7 requireLockfile?: boolean; 8}
Create an instance of a specific package manager
1import { packageManagers } from "pak"; 2const pak = new packageManagers.npm();
Package manager properties
All package managers share the following properties:
| Property | Type | Description |
|---|---|---|
cwd | string | The directory to run the package manager commands in. Defaults to process.cwd() |
loglevel | "info" | "verbose" | "warn" | "error" | "silent" | Which loglevel to pass to the package manager. Note: Not every package manager supports every loglevel. |
stdout | WritableStream | A stream to pipe the command's stdout into. |
stderr | WritableStream | A stream to pipe the command's stderr into. |
stdall | WritableStream | A stream to pipe the command's stdout and stderr into in the order the output comes. |
environment | `"production" | "development"` |
Install one or more packages
1const result = await pak.install(packages, options);
packagesis an array of package specifiers, like["pak", "fs-extra"]or["semver@1.2.3"]options: See common options for details.
If packages is empty or undefined, this will install the packages that are defined in package.json in the cwd.
Uninstall one or more packages
1const result = await pak.uninstall(packages, options);
packagesis an array of package specifiers, like["pak", "fs-extra"]or["semver@1.2.3"]options: See common options for details.
Update one or more packages
1const result = await pak.update(packages, options);
packagesis an array of package names, like["pak", "fs-extra"]. If no packages are given, all packages in the current workspace are updated.options: See common options for details.
Recompile native packages
1const result = await pak.rebuild(packages, options);
packagesis an array of package names, like["pak", "fs-extra"]. If no packages are given, all packages in the current workspace are rebuilt.options: See common options for details.
Pin transitive dependencies to a fixed version
1const result = await pak.overrideDependencies(overrides);
overridesis an object of packages and exact versions, like{"pak": "1.2.3"}
Sometimes it is necessary to update transitive dependencies, meaning dependencies of dependencies. This command changes all occurences of the given overridden dependencies in the current node_modules tree so that the packages have the specified versions. How it works depends on the package manager:
yarnuses the built-in"resolutions"property forpackage.jsonnpmpatches the rootpackage-lock.jsonandpackage.jsonfor all dependents of the overridden packages
Note: This command does not support version ranges and it does not check whether the overrides are compatible with the version specified in package.json.
Result object
The returned value is an object with the following properties:
1interface CommandResult { 2 /** Whether the command execution was successful */ 3 success: boolean; 4 /** The exit code of the command execution */ 5 exitCode: number; 6 /** The captured stdout */ 7 stdout: string; 8 /** The captured stderr */ 9 stderr: string; 10}
Common options
These options are used to influence the commands' behavior. All options are optional:
| Option | Type | Description | Default | Commands |
|---|---|---|---|---|
dependencyType | "prod" | "dev" | Whether to install a production or dev dependency. | "prod" | all |
global | boolean | Whether to install the package globally. | false | all |
exact | boolean | Whether exact versions should be used instead of "^ver.si.on". | false | install |
ignoreScripts | boolean | Prevent execution of pre/post/install scripts. | false | install |
force | boolean | Pass the --force flag to the package manager where applicable. The specific behavior depends on the package manager. | false | install |
additionalArgs | string[] | Additional command line args to pass to the underlying package manager. | none | install, uninstall |
Find the nearest parent directory with a package.json
1await pak.findRoot(); 2await pak.findRoot("lockfile.json");
Returns a string with a path to the nearest parent directory (including cwd) that contains a package.json (and a lockfile if one was specified). Throws if none was found.
Stream the command output
You can stream the command output (stdout, stderr or both) during the command execution, as opposed to getting the entire output at the end. To do so,
set the stdout, stderr and/or stdall properties of the package manager instance to a writable stream. Example:
1import { PassThrough } from "stream"; 2import { packageManagers } from "../../src/index"; 3 4const pak = new packageManagers.npm(); // or the automatically detected one 5pak.stdall = new PassThrough().on("data", (data) => { 6 // For example, log to console - or do something else with the data 7 console.log(data.toString("utf8")); 8}); 9 10// execute commands
Get the version of the package manager
1const version = await pak.version();
Returns a string with the package manager's version.
Get the paths of all workspaces in the current monorepo
1const workspaces = await pak.workspaces();
Returns an array of strings including the paths of all workspaces in the current monorepo. This will return an empty array if the current directory is not part of a monorepo.
A folder will be considered a workspace if it contains a file package.json and it is referenced in the workspaces property of the root package.json.
Pack a project or monorepo package into an installable tarball
1const result = await pak.pack(options);
options are optional and control what gets packed where and has the following shape:
1interface PackOptions { 2 /** 3 * In monorepos, this determines which workspace to pack. Defaults to the current working directory. 4 * This must be a path relative to the repo root. 5 */ 6 workspace?: string; 7 /** Where to save the packed tarball. Defaults to the current working directory */ 8 targetDir?: string; 9}
result is a CommandResult (see above) where the stdout contains the absolute path of the packed tarball.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 1/30 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/test-and-release.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-and-release.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/AlCalzone/pak/test-and-release.yml/master?enable=pin
- Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 13 are checked with a SAST tool
Reason
22 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Score
2.5
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More