npmpackage.info

Gathering detailed insights and metrics for npm-package-arg

npm-package-arg

Parse the things that can be arguments to `npm install`

12.0.0

125

ISC

JavaScript

2,245,575,293 6.9

Installations

npm install npm-package-arg

Pull Requests

Open

1

Total

169

Closed

76

Merged

92

Issues

Open

1

Total

26

Closed

25

Releases

v12.0.0

Published on 26 Sept 2024

v11.0.3

Published on 22 Jul 2024

v11.0.2

Published on 12 Apr 2024

v11.0.1

Published on 05 Sept 2023

v11.0.0

Published on 15 Aug 2023

v10.1.0

Published on 01 Dec 2022

View all 13 releases

Developer

npm

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

^18.17.0 || >=20.5.0

Typescript Support

No

Node Version

22.9.0

NPM Version

10.8.3 Statistics

125 Stars

253 Commits

37 Forks

27 Watching

3 Branches

89 Contributors

Updated on 03 Oct 2024

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

2,245,575,293

Last day

-7.9%

2,803,848

Compared to previous day

Last week

1.2%

16,391,598

Compared to previous week

Last month

10.8%

67,472,913

Compared to previous month

Last year

29.1%

697,562,006

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

hosted-git-info proc-log semver validate-npm-package-name

Dev Dependencies

@npmcli/eslint-config @npmcli/template-oss tap

Versions

npm-package-arg

Parses package name and specifier passed to commands like npm install or npm cache add, or as found in package.json dependency sections.

EXAMPLES

1var assert = require("assert")
2var npa = require("npm-package-arg")
3
4// Pass in the descriptor, and it'll return an object
5try {
6  var parsed = npa("@bar/foo@1.2")
7} catch (ex) {
8  …
9}

USING

var npa = require('npm-package-arg')

var result = npa(arg[, where])

arg - a string that you might pass to npm install, like: foo@1.2, @bar/foo@1.2, foo@user/foo, http://x.com/foo.tgz, git+https://github.com/user/foo, bitbucket:user/foo, foo.tar.gz, ../foo/bar/ or bar. If the arg you provide doesn't have a specifier part, eg foo then the specifier will default to latest.
where - Optionally the path to resolve file paths relative to. Defaults to process.cwd()

Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.

var result = npa.resolve(name, spec[, where])

name - The name of the module you want to install. For example: foo or @bar/foo.
spec - The specifier indicating where and how you can get this module. Something like: 1.2, ^1.7.17, http://x.com/foo.tgz, git+https://github.com/user/foo, bitbucket:user/foo, file:foo.tar.gz or file:../foo/bar/. If not included then the default is latest.
where - Optionally the path to resolve file paths relative to. Defaults to process.cwd()

Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.

var purl = npa.toPurl(arg, reg)

Returns the purl (package URL) form of the given package name/spec.

arg - A package/version string. For example: foo@1.0.0 or @bar/foo@2.0.0-alpha.1.
reg - Optionally the URL to the package registry. If not specified, assumes the default https://registry.npmjs.org.

Throws if the package name is invalid, or the supplied arg can't be resolved to a purl.

RESULT OBJECT

The objects that are returned by npm-package-arg contain the following keys:

type - One of the following strings:
- git - A git repo
- tag - A tagged version, like "foo@latest"
- version - A specific version number, like "foo@1.2.3"
- range - A version range, like "foo@2.x"
- file - A local .tar.gz, .tar or .tgz file.
- directory - A local directory.
- remote - An http url (presumably to a tgz)
- alias - A specifier with an alias, like myalias@npm:foo@1.2.3
registry - If true this specifier refers to a resource hosted on a registry. This is true for tag, version and range types.
name - If known, the name field expected in the resulting pkg.
scope - If a name is something like @org/module then the scope field will be set to @org. If it doesn't have a scoped name, then scope is null.
escapedName - A version of name escaped to match the npm scoped packages specification. Mostly used when making requests against a registry. When name is null, escapedName will also be null.
rawSpec - The specifier part that was parsed out in calls to npa(arg), or the value of spec in calls to `npa.resolve(name, spec).
saveSpec - The normalized specifier, for saving to package.json files. null for registry dependencies.
fetchSpec - The version of the specifier to be used to fetch this resource. null for shortcuts to hosted git dependencies as there isn't just one URL to try with them.
gitRange - If set, this is a semver specifier to match against git tags with
gitCommittish - If set, this is the specific committish to use with a git dependency.
hosted - If from === 'hosted' then this will be a hosted-git-info object. This property is not included when serializing the object as JSON.
raw - The original un-modified string that was provided. If called as npa.resolve(name, spec) then this will be name + '@' + spec.
subSpec - If type === 'alias', this is a Result Object for parsing the target specifier for the alias.

No vulnerabilities found.

10

Security-Policy

Determines if the project has published a security policy.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

License

Determines if the project has defined a license.

9

SAST

Determines if the project uses static code analysis.

7

Maintained

Determines if the project is "actively maintained".

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/audit.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/post-dependabot.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/post-dependabot.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/pull-request.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release-integration.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-package-arg/release.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 8 npmCommand dependencies pinned

0

Fuzzing

Determines if the project uses fuzzing.

Score

6.9

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More