npmpackage.info

Gathering detailed insights and metrics for @npmcli/package-json

Other packages similar to @npmcli/package-json

@types/npmcli__package-json

4.0.4

TypeScript definitions for @npmcli/package-json

@npmcli/arborist

8.0.0

Manage node_modules trees

@npmcli/git

6.0.1

a util for spawning git from npm CLI contexts

@npmcli/map-workspaces

4.0.2

Retrieves a name:pathname Map for a given workspaces config

Gathering detailed insights and metrics for @npmcli/package-json

@npmcli/package-json

Programmatic API to update package.json

6.1.0

NOASSERTION

JavaScript

342,212,740 6.9

Installations

npm install @npmcli/package-json

Pull Requests

Open

0

Total

123

Closed

42

Merged

81

Issues

Open

4

Total

11

Closed

7

Releases

v6.1.0

Published on 27 Nov 2024

v6.0.1

Published on 02 Oct 2024

v6.0.0

Published on 26 Sept 2024

v5.2.1

Published on 17 Sept 2024

v5.2.0

Published on 03 Jun 2024

v5.1.1

Published on 29 May 2024

View all 17 releases

Developer

npm

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

^18.17.0 || >=20.5.0

Typescript Support

No

Node Version

22.11.0

NPM Version

10.9.1 Statistics

69 Stars

135 Commits

9 Forks

11 Watching

1 Branches

74 Contributors

Updated on 27 Nov 2024

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

342,212,740

Last day

1.4%

1,075,306

Compared to previous day

Last week

7.2%

5,753,653

Compared to previous week

Last month

11.8%

23,202,612

Compared to previous month

Last year

111.2%

197,633,552

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@npmcli/git glob hosted-git-info json-parse-even-better-errors normalize-package-data proc-log semver

Dev Dependencies

@npmcli/eslint-config @npmcli/template-oss read-package-json read-package-json-fast tap

Versions

@npmcli/package-json

Programmatic API to update package.json files. Updates and saves files the same way the npm cli handles them.

Install

npm install @npmcli/package-json

Usage:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = await PackageJson.load(path)
3// $ cat package.json
4// {
5//   "name": "foo",
6//   "version": "1.0.0",
7//   "dependencies": {
8//     "a": "^1.0.0",
9//     "abbrev": "^1.1.1"
10//   }
11// }
12
13pkgJson.update({
14  dependencies: {
15    a: '^1.0.0',
16    b: '^1.2.3',
17  },
18  workspaces: [
19    './new-workspace',
20  ],
21})
22
23await pkgJson.save()
24// $ cat package.json
25// {
26//   "name": "foo",
27//   "version": "1.0.0",
28//   "dependencies": {
29//     "a": "^1.0.0",
30//     "b": "^1.2.3"
31//   },
32//   "workspaces": [
33//     "./new-workspace"
34//   ]
35// }

There is also a helper function exported for opening a package.json file with no extra normalization or saving functionality.

1const { readPackage } = require('@npmcli/package-json/lib/read-package')
2const rawData = await readPackage('./package.json')
3// rawData will now have the package.json contents with no changes or normalizations

API:

`constructor()`

Creates a new empty instance of PackageJson.

`async PackageJson.create(path)`

Creates an empty package.json at the given path. If one already exists it will be overwritten.

`async PackageJson.load(path, opts = {})`

Loads a package.json at the given path.

opts: Object can contain:
- create: Boolean if true, a new package.json will be created if one does not already exist. Will not clobber ane existing package.json that can not be parsed.

Example:

Loads contents of a package.json file located at ./:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = new PackageJson()
3await pkgJson.load('./')

Throws an error in case a package.json file is missing or has invalid contents.

static `async PackageJson.load(path)`

Convenience static method that returns a new instance and loads the contents of a package.json file from that location.

path: String that points to the folder from where to read the package.json from

Example:

Loads contents of a package.json file located at ./:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = await PackageJson.load('./')

`async PackageJson.normalize()`

Intended for normalizing package.json files in a node_modules tree. Some light normalization is done to ensure that it is ready for use in @npmcli/arborist

path: String that points to the folder from where to read the package.json from
opts: Object can contain:
- strict: Boolean enables optional strict mode when applying the normalizeData step
- steps: Array optional normalization steps that will be applied to the package.json file, replacing the default steps
- root: Path optional git root to provide when applying the gitHead step
- changes: Array if provided, a message about each change that was made to the packument will be added to this array

static `async PackageJson.normalize(path, opts = {})`

Convenience static that calls load before calling normalize

path: String that points to the folder from where to read the package.json from
opts: Object can contain:
- strict: Boolean enables optional strict mode when applying the normalizeData step
- steps: Array optional normalization steps that will be applied to the package.json file, replacing the default steps
- root: Path optional git root to provide when applying the gitHead step
- changes: Array if provided, a message about each change that was made to the packument will be added to this array

`async PackageJson.prepare()`

Like normalize but intended for preparing package.json files for publish.

static `async PackageJson.prepare(path, opts = {})`

Convenience static that calls load before calling prepare

path: String that points to the folder from where to read the package.json from
opts: Object can contain:
- strict: Boolean enables optional strict mode when applying the normalizeData step
- steps: Array optional normalization steps that will be applied to the package.json file, replacing the default steps
- root: Path optional git root to provide when applying the gitHead step
- changes: Array if provided, a message about each change that was made to the packument will be added to this array

`async PackageJson.fix()`

Like normalize but intended for the npm pkg fix command.

`PackageJson.update(content)`

Updates the contents of a package.json with the content provided.

content: Object containing the properties to be updated/replaced in the package.json file.

Special properties like dependencies, devDependencies, optionalDependencies, peerDependencies will have special logic to handle the update of these options, such as sorting and deduplication.

Example:

Adds a new script named new-script to your package.json scripts property:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = await PackageJson.load('./')
3pkgJson.update({
4  scripts: {
5    ...pkgJson.content.scripts,
6    'new-script': 'echo "Bom dia!"'
7  }
8})

NOTE: When working with dependencies, it's important to provide values for all known dependency types as the update logic has some interdependence in between these properties.

Example:

A safe way to add a devDependency AND remove all peer dependencies of an existing package.json:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = await PackageJson.load('./')
3pkgJson.update({
4  dependencies: pkgJson.content.dependencies,
5  devDependencies: {
6    ...pkgJson.content.devDependencies,
7    foo: '^foo@1.0.0',
8  },
9  peerDependencies: {},
10  optionalDependencies: pkgJson.content.optionalDependencies,
11})

get `PackageJson.content`

Getter that retrieves the normalized Object read from the loaded package.json file.

Example:

1const PackageJson = require('@npmcli/package-json')
2const pkgJson = await PackageJson.load('./')
3pkgJson.content
4// -> {
5//   name: 'foo',
6//   version: '1.0.0'
7// }

`async PackageJson.save()`

Saves the current content to the same location used when calling load().

LICENSE

ISC

No vulnerabilities found.

10

Security-Policy

Determines if the project has published a security policy.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Maintained

Determines if the project is "actively maintained".

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

9

License

Determines if the project has defined a license.

9

SAST

Determines if the project uses static code analysis.

8

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/package-json/release.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 8 npmCommand dependencies pinned

Score

6.9

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to @npmcli/package-json

Other packages similar to @npmcli/package-json

@npmcli/package-json

Installations

Pull Requests

0

123

42

81

Issues

4

11

7

Releases

Developer

npm

Developer Guide

CommonJS

^18.17.0 || >=20.5.0

No

22.11.0

10.9.1

Statistics

Languages

Total Downloads

342,212,740

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

@npmcli/package-json

Install

Usage:

API:

constructor()

async PackageJson.create(path)

async PackageJson.load(path, opts = {})

Example:

static async PackageJson.load(path)

Example:

async PackageJson.normalize()

static async PackageJson.normalize(path, opts = {})

async PackageJson.prepare()

static async PackageJson.prepare(path, opts = {})

async PackageJson.fix()

PackageJson.update(content)

Example:

Example:

get PackageJson.content

Example:

async PackageJson.save()

LICENSE

10

10

10

10

10

9

9

8

0

0

0

0

6.9

/10

`constructor()`

`async PackageJson.create(path)`

`async PackageJson.load(path, opts = {})`

static `async PackageJson.load(path)`

`async PackageJson.normalize()`

static `async PackageJson.normalize(path, opts = {})`

`async PackageJson.prepare()`

static `async PackageJson.prepare(path, opts = {})`

`async PackageJson.fix()`

`PackageJson.update(content)`

get `PackageJson.content`

`async PackageJson.save()`