npmpackage.info

Gathering detailed insights and metrics for normalize-package-data

Other packages similar to normalize-package-data

@types/normalize-package-data

2.4.4

TypeScript definitions for normalize-package-data

read-pkg

9.0.1

Read a package.json file

normalize-path

3.0.0

Normalize slashes in a file path to be posix/unix-like forward slashes. Also condenses repeat slashes to a single slash and removes and trailing slashes, unless disabled.

normalize-url

8.0.1

Normalize a URL

Gathering detailed insights and metrics for normalize-package-data

normalize-package-data

normalizes package metadata, typically found in package.json file.

7.0.0

197

NOASSERTION

JavaScript

19.92 kB

8,106,548,849 6.8

Installations

npm install normalize-package-data

Pull Requests

Open

1

Total

181

Closed

88

Merged

92

Issues

Open

20

Total

59

Closed

39

Releases

v7.0.0

Published on 25 Sept 2024

v6.0.2

Published on 25 Jun 2024

v6.0.1

Published on 04 May 2024

v6.0.0

Published on 15 Aug 2023

v5.0.0

Published on 14 Oct 2022

v4.0.1

Published on 15 Aug 2022

View all 7 releases

Developer

npm

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

^18.17.0 || >=20.5.0

Typescript Support

No

Node Version

22.9.0

NPM Version

10.8.3 Statistics

197 Stars

344 Commits

48 Forks

31 Watching

2 Branches

104 Contributors

Updated on 27 Nov 2024

Bundle Size

63.47 kB

Minified

19.92 kB

Minified + Gzipped

Bundlephobia

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

8,106,548,849

Last day

-1%

9,823,987

Compared to previous day

Last week

5.4%

54,077,495

Compared to previous week

Last month

23.2%

208,472,181

Compared to previous month

Last year

11.8%

2,091,308,952

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

hosted-git-info semver validate-npm-package-license

Dev Dependencies

@npmcli/eslint-config @npmcli/template-oss tap

Versions

normalize-package-data

normalize-package-data exports a function that normalizes package metadata. This data is typically found in a package.json file, but in principle could come from any source - for example the npm registry.

normalize-package-data is used by read-package-json to normalize the data it reads from a package.json file. In turn, read-package-json is used by npm and various npm-related tools.

Installation

npm install normalize-package-data

Usage

Basic usage is really simple. You call the function that normalize-package-data exports. Let's call it normalizeData.

1normalizeData = require('normalize-package-data')
2packageData = require("./package.json")
3normalizeData(packageData)
4// packageData is now normalized

Strict mode

You may activate strict validation by passing true as the second argument.

1normalizeData = require('normalize-package-data')
2packageData = require("./package.json")
3normalizeData(packageData, true)
4// packageData is now normalized

If strict mode is activated, only Semver 2.0 version strings are accepted. Otherwise, Semver 1.0 strings are accepted as well. Packages must have a name, and the name field must not have contain leading or trailing whitespace.

Warnings

Optionally, you may pass a "warning" function. It gets called whenever the normalizeData function encounters something that doesn't look right. It indicates less than perfect input data.

1normalizeData = require('normalize-package-data')
2packageData = require("./package.json")
3warnFn = function(msg) { console.error(msg) }
4normalizeData(packageData, warnFn)
5// packageData is now normalized. Any number of warnings may have been logged.

You may combine strict validation with warnings by passing true as the second argument, and warnFn as third.

When private field is set to true, warnings will be suppressed.

Potential exceptions

If the supplied data has an invalid name or version field, normalizeData will throw an error. Depending on where you call normalizeData, you may want to catch these errors so can pass them to a callback.

What normalization (currently) entails

The value of name field gets trimmed (unless in strict mode).
The value of the version field gets cleaned by semver.clean. See documentation for the semver module.
If name and/or version fields are missing, they are set to empty strings.
If files field is not an array, it will be removed.
If bin field is a string, then bin field will become an object with name set to the value of the name field, and bin set to the original string value.
If man field is a string, it will become an array with the original string as its sole member.
If keywords field is string, it is considered to be a list of keywords separated by one or more white-space characters. It gets converted to an array by splitting on \s+.
All people fields (author, maintainers, contributors) get converted into objects with name, email and url properties.
If bundledDependencies field (a typo) exists and bundleDependencies field does not, bundledDependencies will get renamed to bundleDependencies.
If the value of any of the dependencies fields (dependencies, devDependencies, optionalDependencies) is a string, it gets converted into an object with familiar name=>value pairs.
The values in optionalDependencies get added to dependencies. The optionalDependencies array is left untouched.
As of v2: Dependencies that point at known hosted git providers (currently: github, bitbucket, gitlab) will have their URLs canonicalized, but protocols will be preserved.
As of v2: Dependencies that use shortcuts for hosted git providers (org/proj, github:org/proj, bitbucket:org/proj, gitlab:org/proj, gist:docid) will have the shortcut left in place. (In the case of github, the org/proj form will be expanded to github:org/proj.) THIS MARKS A BREAKING CHANGE FROM V1, where the shortcut was previously expanded to a URL.
If description field does not exist, but readme field does, then (more or less) the first paragraph of text that's found in the readme is taken as value for description.
If repository field is a string, it will become an object with url set to the original string value, and type set to "git".
If repository.url is not a valid url, but in the style of "[owner-name]/[repo-name]", repository.url will be set to git+https://github.com/[owner-name]/[repo-name].git
If bugs field is a string, the value of bugs field is changed into an object with url set to the original string value.
If bugs field does not exist, but repository field points to a repository hosted on GitHub, the value of the bugs field gets set to an url in the form of https://github.com/[owner-name]/[repo-name]/issues . If the repository field points to a GitHub Gist repo url, the associated http url is chosen.
If bugs field is an object, the resulting value only has email and url properties. If email and url properties are not strings, they are ignored. If no valid values for either email or url is found, bugs field will be removed.
If homepage field is not a string, it will be removed.
If the url in the homepage field does not specify a protocol, then http is assumed. For example, myproject.org will be changed to http://myproject.org.
If homepage field does not exist, but repository field points to a repository hosted on GitHub, the value of the homepage field gets set to an url in the form of https://github.com/[owner-name]/[repo-name]#readme . If the repository field points to a GitHub Gist repo url, the associated http url is chosen.

Rules for name field

If name field is given, the value of the name field must be a string. The string may not:

start with a period.
contain the following characters: /@\s+%
contain any characters that would need to be encoded for use in urls.
resemble the word node_modules or favicon.ico (case doesn't matter).

Rules for version field

If version field is given, the value of the version field must be a valid semver string, as determined by the semver.valid method. See documentation for the semver module.

Rules for license field

The license/licence field should be a valid SPDX license expression or one of the special values allowed by validate-npm-package-license. See documentation for the license field in package.json.

Credits

This package contains code based on read-package-json written by Isaac Z. Schlueter. Used with permission.

License

No vulnerabilities found.

10

Security-Policy

Determines if the project has published a security policy.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

9

License

Determines if the project has defined a license.

9

SAST

Determines if the project uses static code analysis.

7

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/post-dependabot.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release-integration.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/normalize-package-data/release.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 8 npmCommand dependencies pinned

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Fuzzing

Determines if the project uses fuzzing.

Score

6.8

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More