Gathering detailed insights and metrics for @npmcli/package-json
Gathering detailed insights and metrics for @npmcli/package-json
Installations
npm install @npmcli/package-jsonDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
^18.17.0 || >=20.5.0
Node Version
22.15.0
NPM Version
11.4.0
Releases
19
Languages
1
JavaScript
JavaScript (100%)
Developer
npm
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
NOASSERTION License
80 Stars
148 Commits
13 Forks
11 Watchers
3 Branches
75 Contributors
Updated on Jul 10, 2025
Maintainers
6
Package Meta Information
Latest Version
6.2.0
Package Id
@npmcli/package-json@6.2.0
Unpacked Size
49.94 kB
Size
13.83 kB
File Count
11
NPM Version
11.4.0
Node Version
22.15.0
Published on
May 21, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
@npmcli/package-json
Programmatic API to update package.json files. Updates and saves files the
same way the npm cli handles them.
Install
npm install @npmcli/package-json
Usage:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = await PackageJson.load(path) 3// $ cat package.json 4// { 5// "name": "foo", 6// "version": "1.0.0", 7// "dependencies": { 8// "a": "^1.0.0", 9// "abbrev": "^1.1.1" 10// } 11// } 12 13pkgJson.update({ 14 dependencies: { 15 a: '^1.0.0', 16 b: '^1.2.3', 17 }, 18 workspaces: [ 19 './new-workspace', 20 ], 21}) 22 23await pkgJson.save() 24// $ cat package.json 25// { 26// "name": "foo", 27// "version": "1.0.0", 28// "dependencies": { 29// "a": "^1.0.0", 30// "b": "^1.2.3" 31// }, 32// "workspaces": [ 33// "./new-workspace" 34// ] 35// }
There is also a helper function exported for opening a package.json file with no extra normalization or saving functionality.
1const { readPackage } = require('@npmcli/package-json/lib/read-package') 2const rawData = await readPackage('./package.json') 3// rawData will now have the package.json contents with no changes or normalizations
API:
constructor()
Creates a new empty instance of PackageJson.
async PackageJson.create(path)
Creates an empty package.json at the given path. If one already exists
it will be overwritten.
async PackageJson.load(path, opts = {})
Loads a package.json at the given path.
opts:Objectcan contain:create:Booleanif true, a new package.json will be created if one does not already exist. Will not clobber ane existing package.json that can not be parsed.
Example:
Loads contents of a package.json file located at ./:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = new PackageJson() 3await pkgJson.load('./')
Throws an error in case a package.json file is missing or has invalid contents.
static async PackageJson.load(path)
Convenience static method that returns a new instance and loads the contents of a package.json file from that location.
path:Stringthat points to the folder from where to read thepackage.jsonfrom
Example:
Loads contents of a package.json file located at ./:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = await PackageJson.load('./')
async PackageJson.normalize()
Intended for normalizing package.json files in a node_modules tree. Some light normalization is done to ensure that it is ready for use in @npmcli/arborist
path:Stringthat points to the folder from where to read thepackage.jsonfromopts:Objectcan contain:strict:Booleanenables optional strict mode when applying thenormalizeDatastepsteps:Arrayoptional normalization steps that will be applied to thepackage.jsonfile, replacing the default stepsroot:Pathoptional git root to provide when applying thegitHeadstepchanges:Arrayif provided, a message about each change that was made to the packument will be added to this array
static async PackageJson.normalize(path, opts = {})
Convenience static that calls load before calling normalize
path:Stringthat points to the folder from where to read thepackage.jsonfromopts:Objectcan contain:strict:Booleanenables optional strict mode when applying thenormalizeDatastepsteps:Arrayoptional normalization steps that will be applied to thepackage.jsonfile, replacing the default stepsroot:Pathoptional git root to provide when applying thegitHeadstepchanges:Arrayif provided, a message about each change that was made to the packument will be added to this array
async PackageJson.prepare()
Like normalize but intended for preparing package.json files for publish.
static async PackageJson.prepare(path, opts = {})
Convenience static that calls load before calling prepare
path:Stringthat points to the folder from where to read thepackage.jsonfromopts:Objectcan contain:strict:Booleanenables optional strict mode when applying thenormalizeDatastepsteps:Arrayoptional normalization steps that will be applied to thepackage.jsonfile, replacing the default stepsroot:Pathoptional git root to provide when applying thegitHeadstepchanges:Arrayif provided, a message about each change that was made to the packument will be added to this array
async PackageJson.fix()
Like normalize but intended for the npm pkg fix command.
PackageJson.update(content)
Updates the contents of a package.json with the content provided.
content:Objectcontaining the properties to be updated/replaced in thepackage.jsonfile.
Special properties like dependencies, devDependencies,
optionalDependencies, peerDependencies will have special logic to handle
the update of these options, such as sorting and deduplication.
Example:
Adds a new script named new-script to your package.json scripts property:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = await PackageJson.load('./') 3pkgJson.update({ 4 scripts: { 5 ...pkgJson.content.scripts, 6 'new-script': 'echo "Bom dia!"' 7 } 8})
NOTE: When working with dependencies, it's important to provide values for all known dependency types as the update logic has some interdependence in between these properties.
Example:
A safe way to add a devDependency AND remove all peer dependencies of an
existing package.json:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = await PackageJson.load('./') 3pkgJson.update({ 4 dependencies: pkgJson.content.dependencies, 5 devDependencies: { 6 ...pkgJson.content.devDependencies, 7 foo: '^foo@1.0.0', 8 }, 9 peerDependencies: {}, 10 optionalDependencies: pkgJson.content.optionalDependencies, 11})
get PackageJson.content
Getter that retrieves the normalized Object read from the loaded
package.json file.
Example:
1const PackageJson = require('@npmcli/package-json') 2const pkgJson = await PackageJson.load('./') 3pkgJson.content 4// -> { 5// name: 'foo', 6// version: '1.0.0' 7// }
async PackageJson.save()
Saves the current content to the same location used when calling
load().
LICENSE
No vulnerabilities found.
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 22 commits out of 30 are checked with a SAST tool
Reason
4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:25
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:247
- Info: topLevel 'contents' permission set to 'read': .github/workflows/audit.yml:12
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci-release.yml:22
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/ci-release.yml:23
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:17
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/post-dependabot.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/pull-request.yml:14
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release-integration.yml:23
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:11
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:13
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:275: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:304: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:62
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:45
- Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:45
- Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:56
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
- Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 12 third-party GitHubAction dependencies pinned
- Info: 0 out of 8 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.4
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More