Gathering detailed insights and metrics for npm-packlist
Gathering detailed insights and metrics for npm-packlist
Walk through a folder and figure out what goes in an npm package
Installations
npm install npm-packlistDeveloper
npm
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
^20.17.0 || >=22.9.0
Typescript Support
No
Node Version
22.11.0
NPM Version
10.9.1
Statistics
110 Stars
285 Commits
32 Forks
14 Watching
2 Branches
89 Contributors
Updated on 25 Nov 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
2,254,029,378
Last day
0.9%
1,895,982
Compared to previous day
Last week
5%
10,201,684
Compared to previous week
Last month
12.6%
41,162,177
Compared to previous month
Last year
15.6%
457,276,197
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Versions
npm-packlist
Get a list of the files to add from a folder into an npm package.
These can be handed to tar like so to make an npm package tarball:
1const Arborist = require('@npmcli/arborist') 2const packlist = require('npm-packlist') 3const tar = require('tar') 4const packageDir = '/path/to/package' 5const packageTarball = '/path/to/package.tgz' 6 7const arborist = new Arborist({ path: packageDir }) 8arborist.loadActual().then((tree) => { 9 packlist(tree) 10 .then(files => tar.create({ 11 prefix: 'package/', 12 cwd: packageDir, 13 file: packageTarball, 14 gzip: true 15 }, files)) 16 .then(_ => { 17 // tarball has been created, continue with your day 18 }) 19 })
This uses the following rules:
-
If a
package.jsonfile is found, and it has afileslist, then ignore everything that isn't infiles. Always include the root readme, license, licence and copying files, if they exist, as well as the package.json file itself. Non-root readme, license, licence and copying files are included by default, but can be excluded using thefileslist e.g."!readme". -
If there's no
package.jsonfile (or it has nofileslist), and there is a.npmignorefile, then ignore all the files in the.npmignorefile. -
If there's no
package.jsonwith afileslist, and there's no.npmignorefile, but there is a.gitignorefile, then ignore all the files in the.gitignorefile. -
Everything in the root
node_modulesis ignored, unless it's a bundled dependency. If it IS a bundled dependency, and it's a symbolic link, then the target of the link is included, not the symlink itself. -
Unless they're explicitly included (by being in a
fileslist, or a!negatedrule in a relevant.npmignoreor.gitignore), always ignore certain common cruft files:- .npmignore and .gitignore files (their effect is in the package already, there's no need to include them in the package)
- editor junk like
.*.swp,._*and.*.origfiles .npmrcfiles (these may contain private configs)- The
node_modules/.binfolder - Waf and gyp cruft like
/build/config.gypiand.lock-wscript - Darwin's
.DS_Storefiles because wtf are those even npm-debug.logfiles at the root of a project
You can explicitly re-include any of these with a
fileslist inpackage.jsonor a negated ignore file rule.
Only the package.json file in the very root of the project is ever
inspected for a files list. Below the top level of the root package,
package.json is treated as just another file, and no package-specific
semantics are applied.
Interaction between package.json and .npmignore rules
In previous versions of this library, the files list in package.json
was used as an initial filter to drive further tree walking. That is no
longer the case as of version 6.0.0.
If you have a package.json file with a files array within, any top
level .npmignore and .gitignore files will be ignored.
If a directory is listed in files, then any rules in nested .npmignore files within that directory will be honored.
For example, with this package.json:
1{ 2 "files": [ "dir" ] 3}
a .npmignore file at dir/.npmignore (and any subsequent
sub-directories) will be honored. However, a .npmignore at the root
level will be skipped.
Additionally, with this package.json:
{
"files": ["dir/subdir"]
}
a .npmignore file at dir/.npmignore will be honored, as well as dir/subdir/.npmignore.
Any specific file matched by an exact filename in the package.json files list will be included, and cannot be excluded, by any .npmignore files.
API
Same API as ignore-walk, except providing a tree is required and there are hard-coded file list and rule sets.
The Walker class requires an arborist tree, and if any bundled dependencies are found will include them as well as their own dependencies in the resulting file set.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: ISC License: LICENSE:0
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 25 commits out of 30 are checked with a SAST tool
Reason
7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:21
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:22
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/post-dependabot.yml:8
- Warn: no topLevel permission defined: .github/workflows/pull-request.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-integration.yml:1
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:13
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:11
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/post-dependabot.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-dependabot.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/post-dependabot.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/pull-request.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-integration.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release-integration.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:199: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/npm-packlist/release.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/ci-release.yml:58
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:42
- Warn: npmCommand not pinned by hash: .github/workflows/post-dependabot.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/pull-request.yml:42
- Warn: npmCommand not pinned by hash: .github/workflows/release-integration.yml:52
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:50
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:130
- Info: 0 out of 26 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 12 third-party GitHubAction dependencies pinned
- Info: 0 out of 8 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.7
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More