Gathering detailed insights and metrics for npm-package-arg
Gathering detailed insights and metrics for npm-package-arg
Gathering detailed insights and metrics for npm-package-arg
Gathering detailed insights and metrics for npm-package-arg
@types/npm-package-arg
TypeScript definitions for npm-package-arg
@pnpm/npm-package-arg
Parse the things that can be arguments to `npm install`
@zkochan/npm-package-arg
Parse the things that can be arguments to `npm install`
realize-package-specifier
Like npm-package-arg, but more so, producing full file paths and differentiating local tar and directory sources.
Parse the things that can be arguments to `npm install`
npm install npm-package-arg
Typescript
Module System
Min. Node Version
Node Version
NPM Version
99.5
Supply Chain
99
Quality
84.4
Maintenance
100
Vulnerability
100
License
Total
2,266,003,968
Last Day
645,794
Last Week
15,212,696
Last Month
65,986,530
Last Year
699,494,674
125 Stars
253 Commits
37 Forks
27 Watching
3 Branches
87 Contributors
Updated on 03 Oct 2024
Minified
Minified + Gzipped
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
-10.7%
645,794
Compared to previous day
Last week
1.9%
15,212,696
Compared to previous week
Last month
4.3%
65,986,530
Compared to previous month
Last year
28.9%
699,494,674
Compared to previous year
3
Parses package name and specifier passed to commands like npm install
or
npm cache add
, or as found in package.json
dependency sections.
1var assert = require("assert") 2var npa = require("npm-package-arg") 3 4// Pass in the descriptor, and it'll return an object 5try { 6 var parsed = npa("@bar/foo@1.2") 7} catch (ex) { 8 … 9}
var npa = require('npm-package-arg')
npm install
, like:
foo@1.2
, @bar/foo@1.2
, foo@user/foo
, http://x.com/foo.tgz
,
git+https://github.com/user/foo
, bitbucket:user/foo
, foo.tar.gz
,
../foo/bar/
or bar
. If the arg you provide doesn't have a specifier
part, eg foo
then the specifier will default to latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
foo
or @bar/foo
.1.2
, ^1.7.17
, http://x.com/foo.tgz
, git+https://github.com/user/foo
,
bitbucket:user/foo
, file:foo.tar.gz
or file:../foo/bar/
. If not
included then the default is latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
Returns the purl (package URL) form of the given package name/spec.
foo@1.0.0
or @bar/foo@2.0.0-alpha.1
.https://registry.npmjs.org
.Throws if the package name is invalid, or the supplied arg can't be resolved to a purl.
The objects that are returned by npm-package-arg contain the following keys:
type
- One of the following strings:
git
- A git repotag
- A tagged version, like "foo@latest"
version
- A specific version number, like "foo@1.2.3"
range
- A version range, like "foo@2.x"
file
- A local .tar.gz
, .tar
or .tgz
file.directory
- A local directory.remote
- An http url (presumably to a tgz)alias
- A specifier with an alias, like myalias@npm:foo@1.2.3
registry
- If true this specifier refers to a resource hosted on a
registry. This is true for tag
, version
and range
types.name
- If known, the name
field expected in the resulting pkg.scope
- If a name is something like @org/module
then the scope
field will be set to @org
. If it doesn't have a scoped name, then
scope is null
.escapedName
- A version of name
escaped to match the npm scoped packages
specification. Mostly used when making requests against a registry. When
name
is null
, escapedName
will also be null
.rawSpec
- The specifier part that was parsed out in calls to npa(arg)
,
or the value of spec
in calls to `npa.resolve(name, spec).saveSpec
- The normalized specifier, for saving to package.json files.
null
for registry dependencies.fetchSpec
- The version of the specifier to be used to fetch this
resource. null
for shortcuts to hosted git dependencies as there isn't
just one URL to try with them.gitRange
- If set, this is a semver specifier to match against git tags withgitCommittish
- If set, this is the specific committish to use with a git dependency.hosted
- If from === 'hosted'
then this will be a hosted-git-info
object. This property is not included when serializing the object as
JSON.raw
- The original un-modified string that was provided. If called as
npa.resolve(name, spec)
then this will be name + '@' + spec
.subSpec
- If type === 'alias'
, this is a Result Object for parsing the
target specifier for the alias.No vulnerabilities found.
Reason
all changesets reviewed
Reason
security policy file detected
Details
Reason
license file detected
Details
Reason
0 existing vulnerabilities detected
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
SAST tool detected but not run on all commits
Details
Reason
6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Score
Last Scanned on 2024-12-02
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More