npmpackage.info

Gathering detailed insights and metrics for @npmcli/installed-package-contents

@npmcli/installed-package-contents

Get the list of files installed in a package in node_modules, including bundled dependencies

3.0.0

ISC

JavaScript

810,736,355 7

Installations

npm install @npmcli/installed-package-contents

Pull Requests

Open

1

Total

89

Closed

42

Merged

46

Issues

Open

0

Total

2

Closed

2

Releases

v3.0.0

Published on 26 Sept 2024

v2.1.0

Published on 23 Apr 2024

v2.0.2

Published on 27 Feb 2023

v2.0.1

Published on 19 Oct 2022

v2.0.0

Published on 14 Oct 2022

View all 5 releases

Developer

npm

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

^18.17.0 || >=20.5.0

Typescript Support

No

Node Version

22.9.0

NPM Version

10.8.3 Statistics

11 Stars

112 Commits

11 Forks

6 Watching

4 Branches

72 Contributors

Updated on 26 Sept 2024

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

810,736,355

Last day

-2.5%

1,279,442

Compared to previous day

Last week

6.7%

7,327,734

Compared to previous week

Last month

8.1%

29,588,448

Compared to previous month

Last year

31.7%

315,731,839

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

npm-bundled npm-normalize-package-bin

Dev Dependencies

@npmcli/eslint-config @npmcli/template-oss tap

Versions

@npmcli/installed-package-contents

Get the list of files installed in a package in node_modules, including bundled dependencies.

This is useful if you want to remove a package node from the tree without removing its child nodes, for example to extract a new version of the dependency into place safely.

It's sort of the reflection of npm-packlist, but for listing out the installed files rather than the files that will be installed. This is of course a much simpler operation, because we don't have to handle ignore files or package.json files lists.

USAGE

1// programmatic usage
2const pkgContents = require('@npmcli/installed-package-contents')
3
4pkgContents({ path: 'node_modules/foo', depth: 1 }).then(files => {
5  // files is an array of items that need to be passed to
6  // rimraf or moved out of the way to make the folder empty
7  // if foo bundled dependencies, those will be included.
8  // It will not traverse into child directories, because we set
9  // depth:1 in the options.
10  // If the folder doesn't exist, this returns an empty array.
11})
12
13pkgContents({ path: 'node_modules/foo', depth: Infinity }).then(files => {
14  // setting depth:Infinity tells it to keep walking forever
15  // until it hits something that isn't a directory, so we'll
16  // just get the list of all files, but not their containing
17  // directories.
18})

As a CLI:

1$ installed-package-contents node_modules/bundle-some -d1
2node_modules/.bin/some
3node_modules/bundle-some/package.json
4node_modules/bundle-some/node_modules/@scope/baz
5node_modules/bundle-some/node_modules/.bin/foo
6node_modules/bundle-some/node_modules/foo

CLI options:

Usage:
  installed-package-contents <path> [-d<n> --depth=<n>]

Lists the files installed for a package specified by <path>.

Options:
  -d<n> --depth=<n>   Provide a numeric value ("Infinity" is allowed)
                      to specify how deep in the file tree to traverse.
                      Default=1
  -h --help           Show this usage information

OPTIONS

depth Number, default 1. How deep to traverse through folders to get contents. Typically you'd want to set this to either 1 (to get the surface files and folders) or Infinity (to get all files), but any other positive number is supported as well. If set to 0 or a negative number, returns the path provided and (if it is a package) its set of linked bins.
path Required. Path to the package in node_modules where traversal should begin.

RETURN VALUE

A Promise that resolves to an array of fully-resolved files and folders matching the criteria. This includes all bundled dependencies in node_modules, and any linked executables in node_modules/.bin that the package caused to be installed.

An empty or missing package folder will return an empty array. Empty directories within package contents are listed, even if the depth argument would cause them to be traversed into.

CAVEAT

If using this module to generate a list of files that should be recursively removed to clear away the package, note that this will leave empty directories behind in certain cases:

If all child packages are bundled dependencies, then the node_modules folder will remain.
If all child packages within a given scope were bundled dependencies, then the node_modules/@scope folder will remain.
If all linked bin scripts were removed, then an empty node_modules/.bin folder will remain.

In the interest of speed and algorithmic complexity, this module does not do a subsequent readdir to see if it would remove all directory entries, though it would be easier to look at if it returned node_modules or .bin in that case rather than the contents. However, if the intent is to pass these arguments to rimraf, it hardly makes sense to do two readdir calls just so that we can have the luxury of having to make a third.

Since the primary use case is to delete a package's contents so that they can be re-filled with a new version of that package, this caveat does not pose a problem. Empty directories are already ignored by both npm and git.

No vulnerabilities found.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Security-Policy

Determines if the project has published a security policy.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

9

SAST

Determines if the project uses static code analysis.

8

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 8 npmCommand dependencies pinned

0

Fuzzing

Determines if the project uses fuzzing.

Score

7

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More