Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.
Installations
npm install @lerna/bootstrap
Typescript: No
Module System: CommonJS, ESM
Min. Node Version: ^14.17.0 || >=16.0.0
Node Version: 18.15.0
NPM Version: lerna/6.6.2/node@v18.15.0+arm64 (darwin)
Score: 62.2
Supply Chain: 70.5
Quality: 69.6
Maintenance: 50
Vulnerability: 91.4
Languages
TypeScript (96.63%)
JavaScript (2.36%)
Shell (0.51%)
CSS (0.5%)
Batchfile (0.01%)
Download Statistics
Total Downloads: 257,071,289
Last Day: 50,530
Last Week: 374,668
Last Month: 1,828,262
Last Year: 25,238,792
GitHub Statistics
35,782 Stars
2,799 Commits
2,264 Forks
251 Watching
36 Branches
336 Contributors
Bundle Size
Minified: 4.56 kB
Minified + Gzipped: 0.98 kB
Package Meta Information
Latest Version: 6.6.2
Package Id: @lerna/bootstrap@6.6.2
Unpacked Size: 624.25 kB
Size: 116.37 kB
File Count: 241
Published On: 04 May 2023
Total Downloads
Cumulative downloads: 257,071,289
Last day: 50,530 (-26.1% compared to previous day)
Last week: 374,668 (-6.4% compared to previous week)
Last month: 1,828,262 (-16.4% compared to previous month)
Last year: 25,238,792 (-44.8% compared to previous year)
Dependencies: 1
lerna bootstrap
Link local packages together and install remaining package dependencies
Install lerna for access to the lerna CLI.
Usage
$ lerna bootstrap
Bootstrap the packages in the current Lerna repo. Installs all of their dependencies and links any cross-dependencies.
When run, this command will:
- npm install all external dependencies of each package.
- Symlink together all Lerna packages that are dependencies of each other.
- npm run prepublish in all bootstrapped packages (unless --ignore-prepublish is passed).
- npm run prepare in all bootstrapped packages.
lerna bootstrap accepts all filter flags.
Pass extra arguments to npm client by placing them after --:
$ lerna bootstrap -- --production --no-optional
May also be configured in lerna.json:
{
  ...
  "npmClient": "yarn",
  "npmClientArgs": ["--production", "--no-optional"]
}
--hoist [glob]
Install external dependencies matching glob at the repo root so they're available to all packages. Any binaries from these dependencies will be linked into dependent package node_modules/.bin/ directories so they're available for npm scripts. If the option is present but no glob is given the default is ** (hoist everything). This option only affects the bootstrap command.
$ lerna bootstrap --hoist
For background on --hoist, see the hoist documentation.
Note: If packages depend on different versions of an external dependency, the most commonly used version will be hoisted, and a warning will be emitted.
Note: --hoist is incompatible with file: specifiers. Use one or the other.
Note: --hoist no longer accepts multiple string values since v3.18.0. Use the following instead:
a. Wrap string values by quotes:
$ lerna bootstrap --hoist "{rollup,postcss-cli,webpack-cli,babel-loader,npm-run-all}"
b. Specify the list of values in lerna.json:
{
  "command": {
    "bootstrap": {
      "hoist": [
        "rollup",
        "postcss-cli",
        "webpack-cli",
        "babel-loader",
        "npm-run-all"
      ]
    }
  },
  ...
}
--strict
When used in conjunction with hoist will throw an error and stop bootstrapping after emitting the version warnings. Has no effect if you aren't hoisting, or if there are no version warnings.
$ lerna bootstrap --hoist --strict
--nohoist [glob]
Do not install external dependencies matching glob at the repo root. This can be used to opt out of hoisting for certain dependencies.
$ lerna bootstrap --hoist --nohoist=babel-*
--ignore
$ lerna bootstrap --ignore component-*
The --ignore flag, when used with the bootstrap command, can also be set in lerna.json under the command.bootstrap.ignore key. The command-line flag will take precedence over this option.
Example
{
  "version": "0.0.0",
  "command": {
    "bootstrap": {
      "ignore": "component-*"
    }
  }
}
Hint: The glob is matched against the package name defined in package.json, not the directory name the package lives in.
Options
--ignore-prepublish
Skip prepublish lifecycle scripts run by default in bootstrapped packages. Note, this lifecycle is deprecated, and will likely be removed in the next major version of Lerna.
$ lerna bootstrap --ignore-prepublish
--ignore-scripts
Skip any lifecycle scripts normally run (prepare, etc) in bootstrapped packages.
$ lerna bootstrap --ignore-scripts
--registry <url>
When run with this flag, forwarded npm commands will use the specified registry for your package(s).
This is useful if you do not want to explicitly set up your registry configuration in all of your package.json files individually when e.g. using private registries.
--npm-client <client>
Must be an executable that knows how to install npm package dependencies.
The default --npm-client is npm.
$ lerna bootstrap --npm-client=yarn
May also be configured in lerna.json:
{
  ...
  "npmClient": "yarn"
}
--use-workspaces
Enables integration with Yarn Workspaces (available since yarn@0.27+).
The values in the array are the commands in which Lerna will delegate operation to Yarn (currently only bootstrapping).
If --use-workspaces is true then packages will be overridden by the value from package.json/workspaces, and both --ignore and --scope will be ignored.
May also be configured in lerna.json:
{
  ...
  "npmClient": "yarn",
  "useWorkspaces": true
}
The root-level package.json must also include a workspaces array:
{
  "private": true,
  "devDependencies": {
    "lerna": "^2.2.0"
  },
  "workspaces": ["packages/*"]
}
This list is broadly similar to lerna's packages config (a list of globs matching directories with a package.json), except it does not support recursive globs ("**", a.k.a. "globstars").
--no-ci
When using the default --npm-client, lerna bootstrap will call npm ci instead of npm install in CI environments.
To disable this behavior, pass --no-ci:
$ lerna bootstrap --no-ci
To force it during a local install (where it is not automatically enabled), pass --ci:
$ lerna bootstrap --ci
This can be useful for "clean" re-installs, or initial installations after fresh cloning.
--force-local
$ lerna bootstrap --force-local
When passed, this flag causes the bootstrap command to always symlink local dependencies regardless of matching version range.
publishConfig.directory
This non-standard field allows you to customize the symlinked subdirectory that will be the source directory of the symlink, just like how the published package would be consumed.
"publishConfig": {
  "directory": "dist"
}
In this example, when this package is bootstrapped and linked, the dist directory will be the source directory (e.g. package-1/dist => node_modules/package-1).
How It Works
Let's use babel as an example.
- babel-generator and source-map (among others) are dependencies of babel-core.
- babel-core's package.json lists both these packages as keys in dependencies, as shown below.
// babel-core package.json
{
  "name": "babel-core",
  ...
  "dependencies": {
    ...
    "babel-generator": "^6.9.0",
    ...
    "source-map": "^0.5.0"
  }
}
- Lerna checks if each dependency is also part of the Lerna repo.
  - In this example, babel-generator can be an internal dependency, while source-map is always an external dependency.
  - The version of babel-generator in the package.json of babel-core is satisfied by packages/babel-generator, passing for an internal dependency.
  - source-map is npm installed (or yarned) like normal.
- In this example, packages/babel-core/node_modules/babel-generator symlinks to packages/babel-generator
- This allows nested directory imports
Notes
- When a dependency version in a package is not satisfied by a package of the same name in the repo, it will be npm installed (or yarned) like normal.
- Dist-tags, like latest, do not satisfy semver ranges.
- Circular dependencies result in circular symlinks which may impact your editor/IDE.
Webstorm locks up when circular symlinks are present. To prevent this, add node_modules to the list of ignored files and folders in Preferences | Editor | File Types | Ignored files and folders.
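The resolution rule from How It Works, the Notes and --force-local, as an added example that is not Lerna's own code: it reports, per dependency, whether bootstrap would symlink the in-repo package or leave it to the npm client, which is what a reviewer needs in order to see when a package of the same name is fetched from the registry instead of the repo. It assumes only exact, ^ and ~ ranges (Lerna uses full semver matching); planBootstrap, satisfies and the sample data are hypothetical names and values.

```javascript
// Added example, not Lerna's code. Simplified matcher: exact, ^ and ~ ranges only.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` satisfies `range`.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const min = parseVersion(range.slice(op.length));
  const v = parseVersion(version);
  if (!min || !v) return false; // dist-tags such as "latest" never satisfy a range
  if (op === "") return compare(v, min) === 0;
  let max;
  if (op === "~" || (min[0] === 0 && min[1] > 0)) max = [min[0], min[1] + 1, 0];
  else if (min[0] === 0) max = [0, 0, min[2] + 1];
  else max = [min[0] + 1, 0, 0];
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// repo: hypothetical map of package name -> version for packages inside the Lerna repo.
function planBootstrap(pkg, repo, { forceLocal = false } = {}) {
  const plan = { symlink: [], install: [] };
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const local = Object.prototype.hasOwnProperty.call(repo, name);
    // Internal only if the in-repo version satisfies the range (or --force-local).
    if (local && (forceLocal || satisfies(repo[name], range))) plan.symlink.push(name);
    else plan.install.push(name); // fetched by the npm client from the registry
  }
  return plan;
}

// Constructed sample data modelled on the babel-core example.
const repo = { "babel-core": "6.9.1", "babel-generator": "6.9.0" };
const babelCore = {
  name: "babel-core",
  dependencies: { "babel-generator": "^6.9.0", "source-map": "^0.5.0" },
};

console.log(planBootstrap(babelCore, repo));
```

A dependency that lands in `install` even though a package of that name exists in the repo means the declared range has drifted from the local version.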
No vulnerabilities found.
Reason
10 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 14/27 approved changesets -- score normalized to 5
Reason
6 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:197: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/other-node-versions.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/other-node-versions.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/other-node-versions.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/other-node-versions.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/other-node-versions.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/other-node-versions.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/website-deploy.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/website-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/website-deploy.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/website-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/website-deploy.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/website-deploy.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/website-deploy.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/website-deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/website-deploy.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/lerna/lerna/website-deploy.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: tools/scripts/build.sh:20
- Info: 0 out of 11 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 5 third-party GitHubAction dependencies pinned
- Info: 3 out of 4 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/other-node-versions.yml:1
- Warn: no topLevel permission defined: .github/workflows/website-deploy.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 23 are checked with a SAST tool
Score: 4.9/10
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Other packages similar to @lerna/bootstrap
@erquhart/lerna-bootstrap
Link local packages together and install remaining package dependencies
@yoitsro/lerna-bootstrap
Link local packages together and install remaining package dependencies
@0x-lerna-fork/bootstrap
Link local packages together and install remaining package dependencies
@spryker-lerna/bootstrap
Link local packages together and install remaining package dependencies