{"id":40358977,"url":"https://github.com/sompylasar/zmey-gorynych","last_synced_at":"2026-01-20T10:05:40.919Z","repository":{"id":57406307,"uuid":"103909474","full_name":"sompylasar/zmey-gorynych","owner":"sompylasar","description":"🐲 A Node.js package versioning and publishing tool for packages that may be maintained together (e.g. in the same repo), but do not necessarily belong to a single versioning unit (a dedicated monorepo).","archived":false,"fork":false,"pushed_at":"2019-10-21T22:16:49.000Z","size":23,"stargazers_count":12,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-09T19:46:56.353Z","etag":null,"topics":["monorepo","npm","publishing","versioning"],"latest_commit_sha":null,"homepage":"https://npm.im/zmey-gorynych","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sompylasar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-18T07:53:51.000Z","updated_at":"2023-11-05T10:44:12.000Z","dependencies_parsed_at":"2022-09-11T20:41:50.644Z","dependency_job_id":null,"html_url":"https://github.com/sompylasar/zmey-gorynych","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/sompylasar/zmey-gorynych","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sompylasar%2Fzmey-gorynych","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sompylasar%2Fzmey-gorynych/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sompylasar%2Fzmey-gorynych/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sompylasar%2Fzmey-gorynych/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sompylasar","download_url":"https://codeload.github.com/sompylasar/zmey-gorynych/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sompylasar%2Fzmey-gorynych/sbom","scorecard":{"id":837589,"data":{"date":"2025-08-11","repo":{"name":"github.com/sompylasar/zmey-gorynych","commit":"5aed01aae7765710a007b3ee7014cf2d33869ec4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/16 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-23T19:33:05.941Z","repository_id":57406307,"created_at":"2025-08-23T19:33:05.941Z","updated_at":"2025-08-23T19:33:05.941Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28601313,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T09:39:28.479Z","status":"ssl_error","status_checked_at":"2026-01-20T09:38:10.511Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["monorepo","npm","publishing","versioning"],"created_at":"2026-01-20T10:05:39.934Z","updated_at":"2026-01-20T10:05:40.906Z","avatar_url":"https://github.com/sompylasar.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1\u003eZmey Gorynych\u003c/h1\u003e\n\nA Node.js package versioning and publishing tool, an alternative to [Lerna](https://github.com/lerna/lerna).\n\n[![npm version](https://img.shields.io/npm/v/zmey-gorynych.svg?style=flat-square)](https://www.npmjs.com/package/zmey-gorynych)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Zmey Gorynych. Image © Dobrynya Nikitich and Zmey Gorynych, 2006\" src=\"https://user-images.githubusercontent.com/498274/30076044-8c36fa9a-922c-11e7-84e0-87d67cb8ea39.jpg\" width=\"480\"\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003csup\u003e\u003ci\u003eImage © Dobrynya Nikitich and Zmey Gorynych, 2006\u003c/i\u003e\u003c/sup\u003e\n\u003c/p\u003e\n\nThe tool helps to manage versioning and publishing of Node.js packages that are developed together but do not necessarily belong to a single project.\n\nRead more in the [Features](#features) and [Motivation](#motivation) sections.\n\n\n## Getting started\n\nVia [`npx`](https://medium.com/@maybekatz/introducing-npx-an-npm-package-runner-55f7d4bd282b):\n```\nnpx zmey-gorynych\n```\n\nVia global installation and the shorthand alias:\n```\nnpm install -g zmey-gorynych\nzmey\n```\n\nSee more CLI options with `--help`.\n\n\n## What it does\n\nThe tool needs to run from a package root directory, or a directory with a flat list of directories with packages.\n\nWithout command-line options, the tool does the following:\n\n- scans the directory to find publishable packages: those with `package.json` that has a `name` and doesn't have the `private` flag set;\n- attempts to install the latest version of each of the packages into a temporary directory;\n- attempts to install dependencies and prepare the package (assumes this happens during `npm install`);\n- imitates publish to the temporary directory;\n- compares the published package files with the previously installed latest version files;\n- suggests a version bump if any difference is found.\n\nExample output:\n```\n ✔ zmey-gorynych found 2 publishable packages in ./\n   ✔ @example-company/some-package - no version bump: 1.0.0-alpha.4\n   ✔ @example-company/another-package - suggested version bump: 1.0.0-alpha.2 -\u003e 1.0.0-alpha.3\n```\n\nThe tool creates a temporary directory named `.zmey-gorynych-temp` in the current working directory and removes it upon finishing normally unless `--keep-temp` is set to keep it for manual investigation.\n\nThe tool exits with the zero code if no human attention is required, and with a non-zero code otherwise.\n\n\n\n## Features\n\n- [x] Processes the current directory when it contains a flat list of directories with packages.\n- [x] Processes the current directory when it's a package.\n- [x] Suggests to bump the version if the locally published files differ from the files from the latest version published to the registry.\n- [x] Shows the diff between the locally published files and the files from the latest version published to the registry: `--diff`.\n- [x] Suggests to publish if the version is already bumped.\n- [x] Optionally, updates the `package.json` files with the suggested versions: `--bump`.\n- [x] Optionally, upgrades the dependencies to the latest published versions of the locally developed packages: `--upgrade`.\n- [x] Optionally, publishes the next versions of the locally developed packages to the npm registry: `--publish`.\n- [x] Optionally, filters by directory name the packages that will be affected: `--glob \u003cwildcard\u003e`.\n\n##### Futures\n\n- [ ] Documentation: gather feedback and improve the \"Getting started\" and \"What it does\" sections.\n- [ ] Documentation: GIF FTW!\n- [ ] Documentation: list supported `node` and `npm` versions.\n- [ ] Tests: try on Lerna-controlled repositories.\n- [ ] Tests: cover utility code.\n- [ ] Tests: cover functions against [a locally spawnable npm registry](https://github.com/verdaccio/verdaccio).\n- [ ] Smarter scan: support for multiple package locations to look for the locally developed packages.\n- [ ] Smarter bump: detect minor changes (e.g. a README, documentation, or comments) and non-breaking changes (e.g. added a new export, added a new file without changing the existing ones).\n- [ ] Smarter upgrade: recursive without the need to publish intermediate versions.\n- [ ] Smarter publish: branch-awareness, [canary, commit-hash versioned](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#--canary--c) packages.\n- [ ] Smarter publish: [no version committed in package.json](https://github.com/semantic-release/semantic-release/blob/8c44c3176af3d41fd87ac9d9b7a1d2f2d441b75f/README.md#why-is-the-packagejsons-version-not-updated-in-my-repository).\n- [ ] Optionally, `git tag` in the specified format: version only, package name plus version, or a customizable template.\n- [ ] Custom path for the temporary directory.\n\n\n## Motivation\n\nAn organization can benefit from developing software as Node.js packages because they enable or greatly improve modularity and code reuse.\n\nWhen the code is in TypeScript or the latest JavaScript, pre-compiling the code into Node.js-compatible or browser-compatible JavaScript is required to reuse it.\nNode.js packages and an npm-compatible registry enable one-time build and allow to maintain the build configuration next to the reusable piece of code that requires compilation.\n\nThis tool was born as the second step in introducing Node.js packages in an organization which uses TypeScript and modern JavaScript code for Node.js and browser environments.\n\nIn the first step to make Node.js package development in the organization even possible, a few changes were implemented:\n\n- An organization-wide npm-compatible private registry was configured.\n- A repository which contained many half-baked Node.js packages in a nested directory structure with relative path dependencies was restructured to a flat structure [similar to the one required by Lerna](https://github.com/lerna/lerna#what-does-a-lerna-repo-look-like).\n- The `publishConfig.registry` option was added to the `package.json` of each package that was planned to be published or was a dependency of other packages.\n\nThe organization legacy that had to be kept in mind at the time of making this tool includes the following:\n\n- The packages can be located in one or more source code repositories; the relative paths to the packages may vary.\n- The packages serve more than one application, they are reused across applications, a few are applications of their own; thus, they cannot be versioned together and managed as a part of a single project [like Babel](https://github.com/babel/babel/blob/3cdb7d7f0fffa48a9181ceeb05ede5382b1ab669/doc/design/monorepo.md).\n- The packages need to be built and are unusable as `npm link`ed dependencies because of [the type definition resolution of the version of TypeScript in use](https://github.com/Microsoft/TypeScript/issues/6496). This may have changed since, but requires upgrade of TypeScript.\n- The source code repositories contain code that uses multiple technologies at the same time. Lerna, on the other hand, assumes the repository is reserved for Node.js packages, [manipulates it with git](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#publish) and [requires extra effort to prevent this](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#--skip-git).\n- The organization engineers have no objective to maintain internal packages as if they were open-source, unify and groom commit messages, produce nice changelogs.\n- The organization engineers have diverse technology backgrounds and have no objective to learn and follow a Node.js-centric development workflow.\n- [`semantic-release` requires Node 8](https://github.com/semantic-release/semantic-release/blob/8c44c3176af3d41fd87ac9d9b7a1d2f2d441b75f/README.md#why-does-semantic-release-require-node-version--8) while the organization hasn't yet upgraded.\n- Lerna has a buggy command-line interface (ANSI color markers leaking), maybe related to a similar bug of `npm publish` in the version of `npm` in use.\n\nAdding the idealistic, open-source-centric, Node.js-centric [development conventions](https://github.com/commitizen) and [automation tools](https://github.com/semantic-release/semantic-release)\nthat are currently being built by the Node.js open-source community turned out to require too much commitment from the engineers that they cannot afford accepting:\n\n- Restructure existing code repositories or create new ones to make them compatible with the open-source community tools. This is unrealistic because the tools should serve the organization, not vice versa.\n- Learn many new tools and constantly follow the high pace of updates. This is accepted as a given in Node.js and Frontend communities but feels alien in slower-pace technology communities.\n- Implement full [API test](https://github.com/semantic-release/cracks) and [API documentation](https://github.com/bcherny/india) coverage for all packages. This is nice-to-have but unrealistic in an organization with a relatively small engineering team.\n- Introduce [the open-source commit message convention](https://conventionalcommits.org/). This is nice-to-have but unrealistic within combined code repositories where not everything follows the open-source way of doing things.\n- Maintain internal packages as if they were open-source. This is nice-to-have but not an objective in a product-driven organization.\n\nThe above produced the following technical requirements to the tool:\n\n- The tool should automate package-related tasks in a developer-friendly way: require less typing and explain itself clearly.\n- The tool should not [require per-repo configuration](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#lernajson).\n- The tool should not [rely on the open-source commit message convention](https://github.com/semantic-release/semantic-release/blob/8c44c3176af3d41fd87ac9d9b7a1d2f2d441b75f/README.md#how-does-it-work).\n- The tool should not [rely on commits to determine changes in the packages](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#updated).\n- The tool should not [enforce a source code management workflow (commit, tag)](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#publish).\n- The tool should allow [independent versioning](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#independent-mode---independent).\n- The tool should use [the same configuration `npm` uses to publish](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#--registry-registry).\n- The tool should not [use `npm link` or similar symlink-to-source technology](https://github.com/lerna/lerna/blob/54761ba26f8cb6d50d16a4c920d1a9594c19d6e9/README.md#bootstrap).\n- The tool should not rely on package tests as they can be missing or incomplete.\n\n\n#### References\n\n- https://github.com/lerna/lerna\n- https://github.com/sindresorhus/np\n- https://github.com/semantic-release/semantic-release\n- https://github.com/semantic-release/cracks\n- https://github.com/bcherny/india , https://github.com/semantic-release/semantic-release/issues/66\n- https://conventionalcommits.org/ , https://github.com/commitizen\n- https://github.com/Microsoft/TypeScript/issues/6496\n- https://twitter.com/dan_abramov/status/908371953844617218\n- https://github.com/chbrown/npm-reallink\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsompylasar%2Fzmey-gorynych","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsompylasar%2Fzmey-gorynych","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsompylasar%2Fzmey-gorynych/lists"}