Gathering detailed insights and metrics for @npmcli/installed-package-contents
Gathering detailed insights and metrics for @npmcli/installed-package-contents
Get the list of files installed in a package in node_modules, including bundled dependencies
Installations
npm install @npmcli/installed-package-contentsDeveloper
npm
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
^18.17.0 || >=20.5.0
Typescript Support
No
Node Version
22.9.0
NPM Version
10.8.3
Statistics
11 Stars
112 Commits
11 Forks
6 Watching
4 Branches
72 Contributors
Updated on 26 Sept 2024
Bundle Size
5.90 kB
Minified
2.14 kB
Minified + Gzipped
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
809,456,913
Last day
2.3%
1,369,649
Compared to previous day
Last week
7.3%
7,360,314
Compared to previous week
Last month
11.6%
29,528,066
Compared to previous month
Last year
31.8%
315,504,673
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
Dev Dependencies
3
Versions
@npmcli/installed-package-contents
Get the list of files installed in a package in node_modules, including bundled dependencies.
This is useful if you want to remove a package node from the tree without removing its child nodes, for example to extract a new version of the dependency into place safely.
It's sort of the reflection of npm-packlist,
but for listing out the installed files rather than the files that will
be installed. This is of course a much simpler operation, because we don't
have to handle ignore files or package.json files lists.
USAGE
1// programmatic usage 2const pkgContents = require('@npmcli/installed-package-contents') 3 4pkgContents({ path: 'node_modules/foo', depth: 1 }).then(files => { 5 // files is an array of items that need to be passed to 6 // rimraf or moved out of the way to make the folder empty 7 // if foo bundled dependencies, those will be included. 8 // It will not traverse into child directories, because we set 9 // depth:1 in the options. 10 // If the folder doesn't exist, this returns an empty array. 11}) 12 13pkgContents({ path: 'node_modules/foo', depth: Infinity }).then(files => { 14 // setting depth:Infinity tells it to keep walking forever 15 // until it hits something that isn't a directory, so we'll 16 // just get the list of all files, but not their containing 17 // directories. 18})
As a CLI:
1$ installed-package-contents node_modules/bundle-some -d1 2node_modules/.bin/some 3node_modules/bundle-some/package.json 4node_modules/bundle-some/node_modules/@scope/baz 5node_modules/bundle-some/node_modules/.bin/foo 6node_modules/bundle-some/node_modules/foo
CLI options:
Usage:
installed-package-contents <path> [-d<n> --depth=<n>]
Lists the files installed for a package specified by <path>.
Options:
-d<n> --depth=<n> Provide a numeric value ("Infinity" is allowed)
to specify how deep in the file tree to traverse.
Default=1
-h --help Show this usage information
OPTIONS
depthNumber, default1. How deep to traverse through folders to get contents. Typically you'd want to set this to either1(to get the surface files and folders) orInfinity(to get all files), but any other positive number is supported as well. If set to0or a negative number, returns the path provided and (if it is a package) its set of linked bins.pathRequired. Path to the package innode_moduleswhere traversal should begin.
RETURN VALUE
A Promise that resolves to an array of fully-resolved files and folders
matching the criteria. This includes all bundled dependencies in
node_modules, and any linked executables in node_modules/.bin that the
package caused to be installed.
An empty or missing package folder will return an empty array. Empty
directories within package contents are listed, even if the depth
argument would cause them to be traversed into.
CAVEAT
If using this module to generate a list of files that should be recursively removed to clear away the package, note that this will leave empty directories behind in certain cases:
- If all child packages are bundled dependencies, then the
node_modulesfolder will remain. - If all child packages within a given scope were bundled dependencies,
then the
node_modules/@scopefolder will remain. - If all linked bin scripts were removed, then an empty
node_modules/.binfolder will remain.
In the interest of speed and algorithmic complexity, this module does not
do a subsequent readdir to see if it would remove all directory entries,
though it would be easier to look at if it returned node_modules or
.bin in that case rather than the contents. However, if the intent is to
pass these arguments to rimraf, it hardly makes sense to do two
readdir calls just so that we can have the luxury of having to make a
third.
Since the primary use case is to delete a package's contents so that they can be re-filled with a new version of that package, this caveat does not pose a problem. Empty directories are already ignored by both npm and git.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: ISC License: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 25 commits out of 30 are checked with a SAST tool
Reason
10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:22
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:21
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/post-dependabot.yml:8
- Warn: no topLevel permission defined: .github/workflows/pull-request.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-integration.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:11
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:13
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/installed-package-contents/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
- Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
- Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
- Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 12 third-party GitHubAction dependencies pinned
- Info: 0 out of 8 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More