npmpackage.info

Gathering detailed insights and metrics for @cerner/duplicate-package-checker-webpack-plugin

@cerner/duplicate-package-checker-webpack-plugin - 2.6.0 | npmpackage.info

@cerner/duplicate-package-checker-webpack-plugin

Terra Toolkit is a monorepo that contains utility modules for use when developing using Terra components

2.6.0

Apache-2.0

JavaScript

98.66 kB

3.7

Installations

npm install @cerner/duplicate-package-checker-webpack-plugin

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Min. Node Version

10 || 12 || 14

Node Version

14.21.3

NPM Version

lerna/6.6.2/node@v14.21.3+x64 (linux)

Pull Requests

Open

0

Total

619

Closed

52

Merged

567

Issues

Open

1

Total

222

Closed

221

Releases

v2.11.0

Updated on Apr 11, 2018

2.5.0

v2.5.0

Updated on Jan 03, 2018

v2.0.0

Updated on Aug 31, 2017

v1.2.2

Updated on Jul 14, 2017

v1.2.1

Updated on Jul 13, 2017

v1.2.0

Updated on Jul 13, 2017

View All 7 releases

Languages

JavaScript

MDX

SCSS

Dockerfile

CSS

JavaScript (91.84%)

MDX (8.09%)

SCSS (0.05%)

Dockerfile (0.01%)

CSS (0.01%)

Developer

cerner

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

Apache-2.0 License

32 Stars

859 Commits

38 Forks

29 Watchers

76 Branches

66 Contributors

Updated on May 22, 2024

Maintainers

View All 66 Contributors

Package Meta Information

Latest Version

2.6.0

Package Id

@cerner/duplicate-package-checker-webpack-plugin@2.6.0

Unpacked Size

98.66 kB

Size

78.37 kB

File Count

NPM Version

lerna/6.6.2/node@v14.21.3+x64 (linux)

Node Version

14.21.3

Published on

Sep 27, 2023

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

🕵 duplicate-package-checker-webpack-plugin

Webpack plugin that warns when your bundle contains multiple versions of the same package.

duplicate-package-checker-webpack-plugin

This package is a modified fork of darrenscerri's duplicate-package-checker-webpack-plugin.

Why?

It might be possible that a single package gets included multiple times in a Webpack bundle due to different package versions. This situation may happen without any warning, resulting in extra bloat in your bundle and may lead to hard-to-find bugs.

This plugin will warn you of such cases to minimize bundle size and avoid bugs caused by unintended duplicate packages.

Motivation: https://github.com/webpack/webpack/issues/385 and https://github.com/webpack/webpack/issues/646.

Install

1npm install @cerner/duplicate-package-checker-webpack-plugin --save-dev

Configuration

Add the plugin to your webpack config:

1var DuplicatePackageCheckerPlugin = require("@cerner/duplicate-package-checker-webpack-plugin");
2
3module.exports = {
4  plugins: [new DuplicatePackageCheckerPlugin()]
5};

You can also pass an object with configurable options:

1new DuplicatePackageCheckerPlugin({
2  // Also show module that is requiring each duplicate package (default: false)
3  verbose: true,
4  // Emit errors instead of warnings (default: false)
5  emitError: true,
6  // Show help message if duplicate packages are found (default: true)
7  showHelp: false,
8  // Warn also if major versions differ (default: true)
9  strict: false,
10  /**
11   * Exclude instances of packages from the results.
12   * If all instances of a package are excluded, or all instances except one,
13   * then the package is no longer considered duplicated and won't be emitted as a warning/error.
14   * @param {Object} instance
15   * @param {string} instance.name The name of the package
16   * @param {string} instance.version The version of the package
17   * @param {string} instance.path Absolute path to the package
18   * @param {?string} instance.issuer Absolute path to the module that requested the package
19   * @returns {boolean} true to exclude the instance, false otherwise
20   */
21  exclude: instance => instance.name === "fbjs",
22  // Emit errors (regardless of emitError value) when the specified packages are duplicated (default: [])
23  alwaysEmitErrorsFor: ['react', 'react-router'],
24});

Strict mode

Strict mode warns when multiple packages with different major versions (such as v1.0.0 vs v2.0.0) exist in the bundle.

Packages with different major versions introduce backward incompatible changes and require either interventions on third-party packages or unsafe workarounds (such as resolving differing package major versions dependencies with a single version).

It is suggested that strict mode is kept enabled since this improves visibility into your bundle and can help in solving and identifying potential issues.

Node version support

This package was developed and tested using Node 10 up to Node 14. Consumers using Node 16 or greater are advised to use it at their own risk since those versions are not officially supported due to lack of thorough testing.

Resolving duplicate packages in your bundle

There are multiple ways you can go about resolving duplicate packages in your bundle, the right solution mostly depends on what tools you're using and on each particular case.

Webpack `resolve.alias`

Add an entry in resolve.alias which will configure Webpack to route any package references to a single specified path.

For example, if Lodash is duplicated in your bundle, the following configuration would render all Lodash imports to always refer to the Lodash instance found at ./node_modules/lodash.

alias: {
  lodash: path.resolve(__dirname, 'node_modules/lodash'),
}

Note: Aliasing packages with different major versions may break your app. Use only if you're sure that all required versions are compatible, at least in the context of your app

Yarn `install --flat`

Yarn allows flat installations (yarn install --flat) which will only allow one version of each package to be installed.

Yarn resolutions

If you want more control over your overridden dependency versions and don't feel like using yarn install --flat, yarn supports "selective version resolution" which allows you to enforce specific versions for each dependency.

package.json

{
  "dependencies": {
    "lodash": "4.17.0",
    "old-package-with-old-lodash": "*"
  },
  "resolutions": {
    "old-package-with-old-lodash/lodash": "4.17.0"
  }
}

NPM Dedupe

If you use NPM and not Yarn, you can try running npm dedupe. NPM may leave multiple versions of the same package installed even if a single version satisfies each semver of all of its dependants.

Bump your dependencies

If your project is using an old version of a package and a dependency is using a newer version of that package, consider upgrading your project to use the newer version.

File issues!

If your project has a dependency and it's using an outdated version of a package, file an issue and notify the author to update the dependencies. Let's help keep our projects green and our applications secure, performant and bug-free!

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

9

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Fuzzing

Determines if the project uses fuzzing.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/ci-cd.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-close.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-close.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-close.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-close.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-close.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-close.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-preview.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/cerner/terra-toolkit/pr-preview.yml/main?enable=pin
Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:1
Warn: containerImage not pinned by hash: Dockerfile:2
Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 13 third-party GitHubAction dependencies pinned
Info: 0 out of 2 containerImage dependencies pinned

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

45 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Warn: Project is vulnerable to: GHSA-pwfr-8pq7-x9qv
Warn: Project is vulnerable to: GHSA-8g77-54rh-46hx
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
Warn: Project is vulnerable to: GHSA-v4rh-8p82-6h5w
Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q

Score

3.7

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

@cerner/duplicate-package-checker-webpack-plugin

Installations

Developer Guide

No

CommonJS

10 || 12 || 14

14.21.3

lerna/6.6.2/node@v14.21.3+x64 (linux)

Pull Requests

0

619

52

567

Issues

1

222

221

Releases

Languages

Developer

Download Statistics

GitHub Statistics

Maintainers

Package Meta Information

Total Downloads

NaN

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Peer Dependencies

Dev Dependencies

🕵 duplicate-package-checker-webpack-plugin

Why?

Install

Configuration

Strict mode

Node version support

Resolving duplicate packages in your bundle

Webpack resolve.alias

Yarn install --flat

Yarn resolutions

NPM Dedupe

Bump your dependencies

File issues!

10

10

10

9

0

0

0

0

0

0

0

0

3.7

/10

Webpack `resolve.alias`

Yarn `install --flat`