Gathering detailed insights and metrics for @leanup/stack
Gathering detailed insights and metrics for @leanup/stack
Installations
npm install @leanup/stackReleases
798
Developer
leanupjs
Developer Guide
BETA
Module System
CommonJS, ESM
Min. Node Version
Typescript Support
Yes
Node Version
20.14.0
NPM Version
10.7.0
Statistics
33 Stars
3,532 Commits
5 Forks
3 Watching
293 Branches
3 Contributors
Updated on 05 Jun 2024
Bundle Size
1.45 kB
Minified
578.00 B
Minified + Gzipped
Languages
TypeScript (70.88%)
JavaScript (13.46%)
HTML (7.34%)
Vue (2.74%)
Shell (2.35%)
Sass (1.98%)
Svelte (1.03%)
Gherkin (0.22%)
Total Downloads
Cumulative downloads
Total Downloads
423,007
Last day
-68%
47
Compared to previous day
Last week
63.9%
1,149
Compared to previous week
Last month
-23.9%
2,823
Compared to previous month
Last year
-10.5%
81,967
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
25
Peer Dependencies
3
Dev Dependencies
2
Versions
Make things pure ... to become lean.
leanup js
The @leanup ecosystem stands for a lightweight and pure way for application development in JavaScript/TypeScript.
- Motivation
- Our home stories
- What makes the difference
- Principles
- Arguments
- Demo's
- Tools
- Ecosystem structure
- Alternatives
Motivation
- Learnability
- Controllability
- Universality
- Flexibility
- Scalability
- Durability
- Transparency
Our home stories
In 2021
Transpilers
We switched from Babel to esbuild and from esbuild to swc (without Angular and Vue with proprietary template notation). And we can switch again if we want.
The performance of esbuild and swc are almost twice as fast as with the classic configuration. But there is currently no noticeable difference in performance between esbuild and swc.
Frameworks
We added two more frameworks (Lit and Solid) without any problems, without having to change the basic stack.
We have switched our Demo-Template from Bootstrap to Tailwindcss and from Tailwindcss to WindiCSS and now use the automatic application-specific CSS generation.
Bundlers
We tried two new bundlers (Vite and Snowpack) and integrated them for most frameworks. Alternatively, they can be installed alongside or instead of webpack.
What makes the difference
Stop the transitive knowledge.
We use the minimal configuration and build no overhead stuff on top of the popular tools and make every native command transparent.
Principles
- convention over configuration
- pure commands under the hood
- don't repeat yourself
- following the generic instead of the influenced way
- keep the dependencies always up to date
Arguments
The arguments for and against this concept are documented here:
Pro
- select only one pure and popular tool for each use case (e.g. bundling, unit-test)
- there are extensible configuration files for each tool
- due to the flat dependencies we can always stay up to date
- the CLI bundles all the necessary tools in a portable/scalable way
- the risk to get vulnerabilites in dependencies is lower
- leanup's own code is kept to a minimum
Contra
- please give feedback
- please show us your perspective
Demo's
There are some working examples:
Tools
| Tool/Technology | Description | Status | Note | Rating |
|---|---|---|---|---|
| TypeScript | Language | ✔️ | ready |  |
| Webpack | Bundler | ✔️ | ready |  |
| Snowpack | Bundler | ⌛ | in progress |  |
| Vite | Bundler | ⌛ | in progress |  |
| esbuild | Transpiler | ✔️ | ready |  |
| swc | Transpiler | ✔️ | ready |  |
| Babel | Transpiler | ✔️ | ready |  |
| Mocha | Unit-Test-Runner | ✔️ | ready |  |
| Chai | Assertion | ✔️ | ready | |
| Sinon | Mocking | ✔️ | ready |  |
| NYC | Code-Coverage | ✔️ | ready |  |
| ESLint | Code-Checker | ✔️ | ready |  |
| Nightwatch.js | E2E-Test-Runner | ✔️ | ready |  |
| Allsure | Report | ✔️ | ready | |
| Cucumber | BDD | ✔️ | ready |  |
| robotframework | BDD | ⌛ | will be evaluated | |
| Storybook | Documentation | ⌛ | in progress |  |
| OpenAPI | API | ✔️ | ready | |
| GraphQL | API | ✔️ | ready |  |
| Workbox | PWA | ✔️ | ready |  |
| Lerna | Mono-Repo | ✔️ | ready |  |
| Ant-Design | Design-System | ✔️ | proved |  |
| Bootstrap | Design-System | ✔️ | proved |  |
| Material | Design-System | ✔️ | proved |  |
| Tailwindcss | Design-System | ✔️ | proved |  |
| WindiCSS | Design-System | ✔️ | proved |  |
| Nexus IQ | Vulnerabiliy-Gate | ✔️ | ready | |
| Less | CSS | ✔️ | ready |  |
| Sass | CSS | ✔️ | ready |  |
| PostCSS | CSS | ✔️ | ready |  |
| TSArch | Architecture | ⌛ | in progress |  |
| Webhint | Webhint | ✔️ | moved *** |  |
| TestCafe | E2E-Test-Runner | ⌛ | will be evaluated **** |  |
| TSLint | Code-Checker | ❌ | removed ** |  |
| Cypress | E2E-Test-Runner | ❌ | excluded * |  |
* Arguments agains Cypress:
- reinvent wheel
- detect css selectors
- BDD test syntax
- principals
- large tooling
- a lot of binaries
- many dependencies
- ci integration vs selenium hub
It is difficult to keep focus with Cypress as it is more a nice tool than an effective tool. It is expected that a lot of time will be invested to justify the requirements of a project.
** TSLint is deprecated.
*** Webhint is not practical for the development of components, since component tags often have no relation to standard HTML. In addition, the webhint package alone is over 100 MB in size. I have good by using a IDE webhint plugin, like VSCode webhint.
**** TestCafe The idea that defined TestCafe architecture was that you don't really need an external driver to run end-to-end tests in the browser. That's interesting.
Ecosystem structure
Vanilla Java-/TypeScript are supported by default. That means for example custom elements and any plain Java-/TypeScript code.
@leanup/cli✔️@leanup/cli-vanilla(optional) ✔️
Frameworks
Vanilla Java-/TypeScript are supported by default. That means for example custom elements and any plain Java-/TypeScript code.
The selection of the following frameworks depends in parts on the following references:
Currently the following framework extensions are available:
@leanup/cli-angular✔️@leanup/cli-angularjs✔️@leanup/cli-aurelia✔️@leanup/cli-inferno✔️@leanup/cli-lit-element✔️@leanup/cli-preact✔️@leanup/cli-react✔️@leanup/cli-solid✔️@leanup/cli-svelte✔️@leanup/cli-vue✔️@leanup/cli-vue3✔️
Extensions
A separate package contains some nice but not required addons for webpack.
@leanup/cli-addons✔️@leanup/cli-cucumber✔️@leanup/cli-graphql✔️@leanup/cli-pwa✔️@leanup/cli-webhint✔️
Thinks
There a separate packages for important application features.
@leanup/git-hooks✔️@leanup/form✔️@leanup/lib✔️@leanup/ui⌛ (in progress)
Alternatives
- Angular
- Neutrino
- Rome
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
SAST tool detected: CodeQL
Details
- Info: SAST configuration detected: CodeQL
- Warn: no pull requests merged into dev branch
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.md:0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Warn: no linked content found
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Warn: no topLevel permission defined: .github/workflows/auto-dependency-updater.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/deploy-docs.yml:1
- Warn: no topLevel permission defined: .github/workflows/node-12-to-14.npm-6.test.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-to-npmjs.dry.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-to-npmjs.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-changelog.yml:1
- Warn: no topLevel permission defined: .github/workflows/weekly-releases.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-dependency-updater.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/auto-dependency-updater.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-dependency-updater.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/auto-dependency-updater.yml/release/2.0?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-dependency-updater.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/auto-dependency-updater.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/codeql-analysis.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/codeql-analysis.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/codeql-analysis.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/codeql-analysis.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-docs.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/deploy-docs.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-docs.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/deploy-docs.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-docs.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/deploy-docs.yml/release/2.0?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-docs.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/deploy-docs.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-12-to-14.npm-6.test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/node-12-to-14.npm-6.test.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-12-to-14.npm-6.test.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/node-12-to-14.npm-6.test.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/publish-to-npmjs.dry.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/publish-to-npmjs.dry.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npmjs.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/publish-to-npmjs.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npmjs.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/publish-to-npmjs.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-changelog.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/update-changelog.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-changelog.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/update-changelog.yml/release/2.0?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-changelog.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/update-changelog.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/weekly-releases.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/weekly-releases.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/weekly-releases.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/weekly-releases.yml/release/2.0?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/weekly-releases.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/weekly-releases.yml/release/2.0?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/weekly-releases.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/leanupjs/leanup/weekly-releases.yml/release/2.0?enable=pin
- Warn: npmCommand not pinned by hash: docs/assets/demo.sh:18
- Warn: npmCommand not pinned by hash: scripts/wake-up.sh:4
- Warn: npmCommand not pinned by hash: .github/workflows/auto-dependency-updater.yml:32
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:45
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:53
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:61
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:69
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.dry.yml:77
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.yml:43
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.yml:51
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.yml:59
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npmjs.yml:67
- Warn: npmCommand not pinned by hash: .github/workflows/update-changelog.yml:37
- Info: 0 out of 20 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 4 third-party GitHubAction dependencies pinned
- Info: 1 out of 15 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'release/2.0'
- Warn: branch protection not enabled for branch 'release/1.3'
- Warn: branch protection not enabled for branch 'release/1.2'
- Warn: branch protection not enabled for branch 'release/1.1'
- Warn: branch protection not enabled for branch 'release/1.0'
Reason
40 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-8266-84wp-wv5c
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-353f-5xf4-qw67
- Warn: Project is vulnerable to: GHSA-c24v-8rfc-w8vw
- Warn: Project is vulnerable to: GHSA-8jhw-289h-jh2g
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986 / GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
- Warn: Project is vulnerable to: GHSA-f9xv-q969-pqx4
- Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
3.4
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More