# dependency-check

checks which modules you have used in your code and then makes sure they are listed as dependencies in your package.json, or vice-versa

[![dat](https://img.shields.io/badge/Development%20sponsored%20by-dat-green.svg?style=flat)](http://dat-data.com/)
[![Build Status](https://travis-ci.com/dependency-check-team/dependency-check.svg?branch=master)](https://travis-ci.org/dependency-check-team/dependency-check)
[![dependencies Status](https://david-dm.org/dependency-check-team/dependency-check/status.svg)](https://david-dm.org/dependency-check-team/dependency-check)
[![Known Vulnerabilities](https://snyk.io/test/github/dependency-check-team/dependency-check/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dependency-check-team/dependency-check?targetFile=package.json)

[![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)

## requirements

dependency-check `4.x` supports Node.js 10 and later

dependency-check `3.x` supports Node.js 6 and later

dependency-check `2.x` supports Node.js 0.10 and later (Dev note: published using the `legacy` tag)

## how it works

`dependency-check` parses your module code starting from the default entry files (e.g. `index.js` or `main` and any `bin` commands defined in package.json, or, if specific files have been defined, those) and traverses through all relatively required JS files, ultimately producing a list of non-relative modules

* **relative** - e.g. `require('./a-relative-file.js')`, if one of these is encountered the required file will be recursively parsed by the `dependency-check` algorithm
* **non-relative** - e.g. `require('a-module')`, if one of these is encountered it will get added to the list of dependencies, but subdependencies of the module will not get recursively parsed

the goal of this module is simply to check that all non-relative modules that get `require()`'d are in package.json, which prevents people from getting 'module not found' errors when they install a module that was accidentally published to NPM with missing deps (happened to me all the time, hence the impetus to write this module).
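
The traversal described above, sketched as an added example (not dependency-check's own code), run over a small constructed project and compared against its manifest the way `--missing` and `--unused` do. Assumptions: a regex stands in for the `detective` parser, the files are an in-memory map, `BUILTINS` is an abbreviated list of core modules, and the function names `packageName`, `collectModules` and `check` are hypothetical; it also reduces specifiers such as `lodash/get` to their package name.

```javascript
// Added example: a simplified model of the traversal, not dependency-check's code.
// Assumptions: a regex stands in for the `detective` parser, files live in an
// in-memory map, and BUILTINS is an abbreviated list of Node.js core modules.
const BUILTINS = new Set(['fs', 'path', 'http', 'crypto'])

// Constructed sample project: lodash and @scope/pkg are used but not listed,
// minimist is listed but never required.
const files = {
  '/app/index.js': "const a = require('./lib/a')\nconst got = require('got')\nconst fs = require('fs')\n",
  '/app/lib/a.js': "const debug = require('debug')\nrequire('./b.js')\nrequire('@scope/pkg/sub/file')\n",
  '/app/lib/b.js': "module.exports = require('lodash/get')\n"
}
const pkg = { dependencies: { got: '^11.0.0', debug: '^4.0.0', minimist: '^1.2.0' } }

// 'lodash/get' -> 'lodash', '@scope/pkg/sub/file' -> '@scope/pkg'
function packageName (spec) {
  const parts = spec.split('/')
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]
}

function collectModules (entry, fileMap, seen = new Set(), used = new Set()) {
  if (seen.has(entry) || !(entry in fileMap)) return used // cycles, unresolved paths
  seen.add(entry)
  const re = /require\(\s*['"]([^'"]+)['"]\s*\)/g
  for (const [, spec] of fileMap[entry].matchAll(re)) {
    if (spec.startsWith('.')) {
      // relative: resolve against the requiring file, then parse that file too
      let target = new URL(spec, 'file://' + entry).pathname
      if (!(target in fileMap)) target += '.js'
      collectModules(target, fileMap, seen, used)
    } else if (!BUILTINS.has(spec)) {
      // non-relative: record the package name, never descend into the package
      used.add(packageName(spec))
    }
  }
  return used
}

function check (entry, fileMap, manifest) {
  const used = collectModules(entry, fileMap)
  const listed = Object.keys(manifest.dependencies || {})
  return {
    missing: [...used].filter(name => !listed.includes(name)).sort(), // --missing
    unused: listed.filter(name => !used.has(name)).sort() // --unused
  }
}

console.log(check('/app/index.js', files, pkg))
```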

## cli usage

```
$ npm install dependency-check -g
$ dependency-check <path to module file(s), package.json or module folder>

# e.g.

$ dependency-check ./package.json --verbose
Success! All dependencies used in the code are listed in package.json
Success! All dependencies in package.json are used in the code
$ dependency-check ./package.json --missing --verbose
Success! All dependencies used in the code are listed in package.json
$ dependency-check ./package.json --unused --verbose
Success! All dependencies in package.json are used in the code

# or with file input instead:

$ dependency-check ./index.js

# even with globs and multiple inputs:

$ dependency-check ./test/**/*.js ./lib/*.js
```

`dependency-check` exits with code 1 if there are discrepancies, in addition to printing them out

To always exit with code 0 pass `--ignore`

### --missing

running `dependency-check ./package.json --missing` will only do the check to make sure that all modules in your code are listed in your package.json

### --unused

running `dependency-check ./package.json --unused` will only do the inverse of the missing check and will tell you which modules in your package.json dependencies **were not used** in your code

### --no-dev

running `dependency-check ./package.json --unused --no-dev` will not tell you if any devDependencies in your package.json were missing or unused

### --no-peer

running `dependency-check ./package.json --unused --no-peer` will not tell you if any peerDependencies in your package.json were missing or unused

### --ignore-module, -i

ignores a module. This works for both `--unused` and `--missing`. You can specify as many separate `--ignore-module` arguments as you want. For example running `dependency-check ./package.json --unused --ignore-module foo` will not tell you if the `foo` module was not used in your code. Supports globbing patterns through the use of [micromatch](https://www.npmjs.com/package/micromatch), so e.g. `--ignore-module "@types/*"` is possible

### --entry

adds more files to be checked to any of the default ones already added, like `tests.js` to the default ones resolved from package.json:

```
dependency-check package.json --entry tests.js
```

you can specify as many separate `--entry` arguments as you want. `--entry` also supports globbing like `**/*.js` and similar.

you can also instead add additional entries directly after your main path, like:

```
dependency-check package.json tests.js
```

### --no-default-entries

running e.g. `dependency-check package.json --no-default-entries --entry tests.js` won't add any default entries despite the main path given being one to a package.json or module folder. So only the `tests.js` file will be checked

### --extensions, -e

running `dependency-check ./package.json -e js,jsx:precinct` will resolve require paths to `.js` and `.jsx` paths, and parse using [`precinct`](https://www.npmjs.com/package/precinct).

### --detective

running `dependency-check ./package.json --detective precinct` will `require()` the local `precinct` as the default parser. This can be set per-extension using `-e`. Defaults to parsing with [`detective`](https://www.npmjs.com/package/detective).

### --verbose

Running with `--verbose` will enable a log message on success, otherwise dependency-check only logs on failure.

### --help

shows above options and all other available options

## auto check before every npm publish

add this to your `.bash_profile`/`.bashrc`

```sh
# originally from https://gist.github.com/mafintosh/405048d304fbabb830b2
npm () {
  ([ "$1" != "publish" ] || dependency-check .) && command npm "$@"
}
```

now when you do `npm publish` and you have missing dependencies it won't publish, e.g.:

```
$ npm publish
Fail! Dependencies not listed in package.json: siblings
$ npm install --save siblings
$ npm publish # works this time
```

## grunt usage

See [grunt-dependency-check](https://github.com/sindresorhus/grunt-dependency-check).

## protips

- [detective](https://www.npmjs.org/package/detective) is used for parsing `require()` statements, which means it only does **static requires**. this means you should convert things like `var foo = "bar"; require(foo)` to be static, e.g. `require("bar")`
- you can specify as many entry points as you like with multiple `--entry foo.js` arguments
- use globbing to effectively add all the files you want to check