Get metadata of a package from the npm registry
License: MIT License
Module got allows usage of http tunneling to work behind a proxy. package-json doesn't seem to handle given http/https proxies (either within npm config or env) and is not working behind a proxy (RequestError: connect ETIMEDOUT).
import _packageJson, {
  Options,
  AbbreviatedVersion,
  AbbreviatedMetadata,
  FullMetadataOptions,
  FullMetadata,
} from 'package-json';
import { Range } from 'semver'; // Range is used below but was missing from the snippet

_packageJson('typescript', {
  version: '^4.0.0-dev.20200615',
}).then((json) => {
  console.dir(json);
});

console.dir(new Range('^4.0.0-dev.20200615'), {
  depth: null,
});
should return 4.1.0-dev.20200811 but gets 4.0.0-dev.20200803
semver range ^4.0.0-dev.20200615 is the same as >=4.0.0-dev.20200615 <5.0.0-0
Code written inside main.yml works for testing purposes so it should be named test.yml. It will help someone new to check it.
by using isomorphic-fetch or whatever equivalent (or making "got" isomorphic), we could make this module isomorphic, which would be nice for web apps wanting to check their version!
# custom registry for specific scope
# notice example.com doesn't end in a slash!
$ npm config set @dylang:registry http://example.com
// scoped package that matches custom registry
packageJson('@dylan/scoped-test').then(...)
Error
Registry error Basic authentication must be done with auth option
var url = registryUrl(scope) +
encodeURIComponent(name).replace(/^%40/, '@');
This results in the url:
http://example.com@dylang/%2Fscoped-test
Fix: append / if it's not there.
😄 This is an absolutely wonderful and truly useful project, thank you. 😊
It is also an absolutely useless project for anyone using an enterprise repository 😦. The problem is that package-json uses registry-url, which you might as well replace with the hard coded value https://registry.npmjs.org/.
I know registry-url can be "configured", but their suggested method really isn't practical for large enterprise use.
Would you accept a PR which uses npm-conf instead? It would address a number of issues (including #35) and enhance this project's wonderfulness!
(trying not to waste time putting together a PR that will be ignored)
Note: We are using JFrog, so all traffic is proxied through our private repo.
#43 was closed as a dupe of #22. And in #22 you said:
Not interested in adding extra stuff for proxy support here. Builtin proxy support is planned for got and you could help out with that instead.
However on Sept 4th, 2018 you then closed sindresorhus/got#79 saying:
It's just too complicated and would bloat Got.
You passed the issue upstream initially but now have passed it back downstream to yourself here. So, any chance of supporting HTTP_PROXY / HTTPS_PROXY?
It would be very useful :D
I think it has the same output as calling packageJson without specifying a version?
Lines 54 to 84 in b4ee1c7
import packageJson, { AbbreviatedMetadata } from 'package-json';

const metadata: AbbreviatedMetadata = await packageJson('react');
metadata.versions // actually undefined, but has type Readonly<Record<string, AbbreviatedVersion>>
metadata.version // actually a string, but has type unknown
It seems strange that the types are broken out-of-the-box. Am I doing something wrong here?
I have a .npmrc file that looks like this:
always-auth=true
registry=https://npm.tn-dev.com/
If I try to get the package info e.g. of mysql it fails to find the corresponding token. The problem seems to be that it is looking for mysql:_authToken instead of //npm.tn-dev.com/:_authToken in the npmrc.
The following change to the code solves the problem for me, but I'm not sure if this is really a bug/problem of the library or if it is a problem with my setup:
var token = npmrc[scope + ':_authToken'] || npmrc['//registry.npmjs.org/:_authToken'] || npmrc[registryUrl(scope).replace(/^https:/,'')+':_authToken'];
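An added example, not package-json's own code, of looking the token up by registry URL the way npm keys it rather than by package name; the `npmrc` object, registries and tokens are constructed stand-ins:

```javascript
// Added example, not package-json's own code: resolving the _authToken for a
// registry by the key npm uses ("//host/path/:_authToken", scheme stripped),
// rather than by package name as the lookup in the issue above does.
// `npmrc` is a constructed stand-in for the parsed .npmrc; tokens are fake.
const npmrc = {
  'always-auth': 'true',
  registry: 'https://npm.tn-dev.com/',
  '//npm.tn-dev.com/:_authToken': 'constructed-token-tn-dev',
  '@myco:registry': 'https://reg.example.com/npm/',
  '//reg.example.com/:_authToken': 'constructed-token-myco',
};

// Registry for a package: scope override, then the global registry, then
// npmjs. The result always ends in exactly one "/".
function registryFor(name, rc = npmrc) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const reg = (scope && rc[scope + ':registry']) || rc.registry || 'https://registry.npmjs.org/';
  return reg.replace(/\/?$/, '/');
}

// Token for a registry URL. The key is the URL without its scheme; the loop also
// walks up the path so a token stored for "//host/" covers "//host/npm/".
// Returns null when no token applies (the caller should then send no auth at all).
function authTokenFor(registryUrl, rc = npmrc) {
  let key = registryUrl.replace(/^https?:/, ''); // "//host/path/"
  while (key.length > 2) {
    const token = rc[key + ':_authToken'];
    if (token) return token;
    const parent = key.replace(/[^/]*\/$/, ''); // drop the last path segment
    if (parent === key) break; // no trailing slash left to strip
    key = parent;
  }
  return null;
}

// The lookup from the issue, kept for comparison: keyed by the package name,
// which can never match a registry-style key.
function authTokenByName(name, rc = npmrc) {
  return rc[name + ':_authToken'] || null;
}

console.log(registryFor('mysql'), authTokenByName('mysql'), authTokenFor(registryFor('mysql')));
```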
A fix for version 6.5.0 should be done due to the moderate severity vulnerability alert shown via the npm audit command caused by got dependency. The adoption of the ESM-only package is quite slow.
npm i [email protected]
npm audit
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
Would be nice to support git urls as well.
require("package-json")("[email protected]:sindresorhus/package-json.git", console.log);
What do you think?
I see that since the proxy request was closed ( #22) proxy support has been added to got.
I would like to be able to pass options through to got so that I can use a tunneling agent over a proxy.
Would you consider a pull request to add this in? If you are I'd be happy to have a go.
Most commands in the yarn/npm CLIs support passing version after @, would be great if package-json has this too.
I'm interested in using update-notifier for scoped packages.
However, looking into package-json and registry-url, I don't believe it's possible to use update-notifier with a package that has been installed via npm install @myco/mypackage after having set the appropriate npm scope config option npm config set @myco:registry http://reg.example.com.
It looks like registry-url will only retrieve a catch-all registry override, registry, and not scope registries.
Perhaps it's possible to either pass in the name of a scope to registry-url, or just have registry-url return all registries in the .npmrc file such that package-json can choose the appropriate one?
And add a separate packageJson.all() method for the existing behavior.
Will do it sometime in the future. Not soon.
can you update the version of 'registry-url' to 4.0.0? They solve this issue: sindresorhus/registry-url#12
Here is the problem also described: https://nvd.nist.gov/vuln/detail/CVE-2018-3750
When getting the latest minor version of a package (e.g. ^4.5.0) could we add an option to ignore package versions that are marked as "deprecated" on npmjs.org?
Related: ng-packagr/ng-packagr#2434
Please update registry-auth-token to fix the deep-extend vulnerability - rexxars/registry-auth-token#26
While debugging yeoman/update-notifier#100 I noticed this module does not use npm-config ssl properties:
I want to create a PR for this issue; how would you proceed? Through registry-url, or registry-auth-token (which returns this information), or got? Is it possible to switch the request lib?
My connection to the npm registry is so bad, it always times out.
So today I installed yeoman from the Taobao registry and it hangs on the post-install script yo doctor after printing out npm version.
After some time debugging I found that yo doctor, when checking yo-version, uses latest-version which uses package-json to fetch package.json from the network. https://github.com/yeoman/doctor/blob/master/lib/rules/yo-version.js#L17
Then I found that, in https://github.com/sindresorhus/package-json/blob/master/index.js#L71, the gotOptions contain no timeout and retry; after trying some breakpoints I found out why it gets stuck.
got defaults to no retry limit and has a random increasing delay between retries; when fed no retry option, it always gets an ETIMEOUT on the HTTP request and retries, retries, and retries. So my yo doctor hangs with no further output, thus yeoman cannot be installed until I choose --ignore-scripts. I tried adding a timeout but it still always retries, so in my view a retry limit is necessary.
Though the version of package-json is 4.0.1 in the dependencies of yo doctor, there's still no retry limit in the current version v6.50 I figure.
I tried adding retry: 3 and after the retries it returns an ETIMEOUT error, package-json can catch it and rethrow, and yo doctor succeeds in running the remaining code.
I suggest that package-json provide a default retry limit of 5 or 3 or whatever makes sense, and also provide retry and timeout as options. When a user cannot connect to the registry, it can at least provide some error messages instead of always retrying and hanging.
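A bounded retry with a per-attempt timeout of the kind this report asks for, as an added example that is neither package-json's nor got's code; `request` and `sleep` are injected so a never-answering registry can be simulated without network access:

```javascript
// Added example, not package-json's or got's code: retry a request a bounded
// number of times and then surface the error, instead of retrying forever.
// `request(attempt)` is any function returning a promise; `sleep` is injectable.
const RETRYABLE = new Set(['ETIMEDOUT', 'ECONNRESET', 'ECONNREFUSED', 'EAI_AGAIN']);

// Reject with an ETIMEDOUT-style error if `promise` takes longer than `ms`.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => {
      const err = new Error(`request timed out after ${ms} ms`);
      err.code = 'ETIMEDOUT';
      reject(err);
    }, ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// At most 1 + retries attempts with capped exponential backoff. Non-retryable
// errors (a 404, a bad token) fail immediately; the thrown error carries the
// number of attempts made so the caller can report it.
async function requestWithRetry(request, { retries = 3, timeout = 5000, sleep = defaultSleep } = {}) {
  let lastError;
  for (let attempt = 1; attempt <= retries + 1; attempt++) {
    try {
      return await withTimeout(request(attempt), timeout);
    } catch (err) {
      lastError = err;
      lastError.attempts = attempt;
      if (!RETRYABLE.has(err && err.code) || attempt > retries) break;
      await sleep(Math.min(1000 * 2 ** (attempt - 1), 10000));
    }
  }
  throw lastError;
}

// Constructed stand-in for a registry that never answers: every call times out.
function alwaysTimesOut() {
  const err = new Error('connect ETIMEDOUT');
  err.code = 'ETIMEDOUT';
  return Promise.reject(err);
}

requestWithRetry(alwaysTimesOut, { retries: 3, sleep: () => Promise.resolve() })
  .catch((err) => console.log(`gave up after ${err.attempts} attempts: ${err.code}`));
```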
If you bump the minimum supported node version to at least >=4, you can bump got to ^6.0.0, which has half the dependencies of the current version.
Based on this issue (npm/npm#9164), which was a follow up to pull request #6, it looks like the <PACKAGE NAME>/<VERSION> API end-point is going to be deprecated in the future.
If there is a private scoped package you have access to, the registry will return the info instead of a 404.
However, it seems that if auth data is not included in the request, the registry doesn't know who you are and will always return a 404 for private packages.
As mentioned here, npm's by-field API end-point is no longer supported.
hi,
React ~16 or React 17 (doesn't matter)
When this code is in my app everything is broken (my app crashed on the first render). I tested many times and I'm sure this code provokes the error .... I haven't used it, but just requiring the package .... :
const packageJson = require('package-json');
no need for more code, unfortunately : /
I had node 16.3.
I don't know why my node version is important for an http request, but anyway the current nodejs is v14 so ...
If it doesn't matter, it would be nice to add "no react support" or "no browser support"? .
I haven't tested yet without react [...]
The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.
Affected Versions: >= 12.0.0, < 12.1.0, < 11.8.5
Patched versions: 12.1.0, 11.8.5
It's a major bump, so sometime in the future. Not soon.
registry-auth-token needs upgrading to clear NODE-SECURITY-813 CVE - related to js-yaml 3.10.0 (fixed in >=3.13.1)
Updating semver to the latest version should fix this issue.
I'm using the latest-version package to fetch the latest version of one of my modules that is published to an internal Docker-containerized sinopia repo. It relies on package-json to fetch the latest package from npm.
The url that gets built by package-json for purposes of fetching the package file is incorrect in my case.
If the package-json method is called with:
name @scope/package-name
version latest
The value of url winds up being http://<npm server>@scope/package-name. (note the lack of a slash after the server, as well as the unencoded slash in the scope/package-name).
Our Sinopia repo is unable to locate the package unless the url is of the format http://<npm server>/@scope%2fpackage-name. Is this a bug in this module? Or would you consider it to be a bug with our Sinopia server?
Was trying this module with an invalid version of hapi and noticed that it doesn't hit my catch() block, and returns undefined for data.
var check = require('requiresafe/lib/check');
var formatters = require('requiresafe/lib/formatters/index');
var packageJson = require('package-json');

// checkPackage('gulp-cli');
// checkPackage('hapi', 'latest');
checkPackage('hapi', '6.6.6');

function checkPackage(name, version) {
  version = version || 'latest';
  packageJson(name, version).then(function (data) {
    console.log('name: %s, version: %s', name, version);
    console.log(data);
    check({package: data}, function (err, results) {
      var output = formatters.summary(err, results);
      console.log('%s@%s', name, version);
      console.log(output);
    });
  }).catch(function (err) {
    console.log('Unexpected error:');
    console.log(err);
  });
}
Explicitly throw an Error from my .then() if data is falsy:
if (!data) {
  throw new Error('Unexpected name/version. Got: ' + name + '@' + version);
}
Asserting string error messages is bad. It would be better if an error code/name could be checked against, e.g. if (err.name === 'PackageNotFoundError').
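Typed errors with a name to branch on, as the last two comments ask for, plus a lookup that throws instead of resolving to undefined; an added example, not the library's own code, with a constructed `registry` object (the hapi versions in it are made up):

```javascript
// Added example, not package-json's own code: typed errors so callers branch on
// `err.name` rather than matching message strings, and a lookup that throws
// instead of returning undefined. `registry` is a constructed stand-in for
// npm registry metadata; the versions listed are made up.
class PackageNotFoundError extends Error {
  constructor(name) {
    super(`Package \`${name}\` could not be found`);
    this.name = 'PackageNotFoundError';
  }
}
class VersionNotFoundError extends Error {
  constructor(name, version) {
    super(`Version \`${version}\` for package \`${name}\` could not be found`);
    this.name = 'VersionNotFoundError';
  }
}

const registry = {
  hapi: {
    'dist-tags': { latest: '17.2.0' },
    versions: { '16.1.0': { version: '16.1.0' }, '17.2.0': { version: '17.2.0' } },
  },
};

// Own-property lookup: registry JSON comes from the network, and a plain
// `obj[key]` with key "constructor" or "__proto__" would return something truthy.
const own = (obj, key) => (Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined);

// Resolve `version` (a dist-tag such as "latest", or an exact version) against
// the metadata. Never returns undefined: a miss is a typed error.
function packageJson(name, version = 'latest', reg = registry) {
  const meta = own(reg, name);
  if (!meta) throw new PackageNotFoundError(name);
  const resolved = own(meta['dist-tags'], version) || version;
  const data = own(meta.versions, resolved);
  if (!data) throw new VersionNotFoundError(name, version);
  return data;
}

// How a caller like checkPackage() above can branch on the error type.
function describeFailure(name, version) {
  try {
    return { ok: true, version: packageJson(name, version).version };
  } catch (err) {
    if (err.name === 'PackageNotFoundError') return { ok: false, reason: 'no such package' };
    if (err.name === 'VersionNotFoundError') return { ok: false, reason: 'no such version' };
    throw err; // anything else (network, registry 5xx) propagates unchanged
  }
}
```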
This is so that update-notifier will correctly handle proxies
See https://www.npmjs.com/package/got#proxies for information about using proxies with got
Hi there,
Are there any plans to add possibility to work with custom NPM registry? (Sinopia)
Can create PR if needed.
I am using Verdaccio with Active Directory authentication. I wanted to use auto-dist-tag which uses package-json.
In your README, you specify that
Both public and private registries are supported, for both scoped and unscoped packages, as long as the registry uses either bearer tokens or basic authentication.
It does not seem that Verdaccio with Active Directory uses either.
Because of this, I ask that we add a parameter to use a specific registry. Other solutions are welcome.
More details of my setup in Turbo87/auto-dist-tag#8
[email protected] implements [email protected] which implements [email protected]
[email protected] contains a security vulnerability:
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-33502