https://github.com/tiagogouvea/package-locks-checks

Avoid unexpected package versions by keeping the lock file consistent, requiring exact dependency versions, and using just one package manager.

# package-locks-checks

> Validate package inconsistencies to protect your production environments from unexpected dependency versions.

[![Package Version](https://img.shields.io/npm/v/package-locks-checks.svg?style=flat-square)](https://www.npmjs.com/package/package-locks-checks)
[![Downloads Status](https://img.shields.io/npm/dm/package-locks-checks.svg?style=flat-square)](https://npm-stat.com/charts.html?package=package-locks-checks&from=2021-10-10)

Prevent common situations (mainly when working on a dev team):
- A dev includes wide-open version ranges in package.json; a newer release later gets installed in your build/production environment and breaks your project
- Some devs on the team use npm to install packages while others use yarn, producing inconsistent lock files and probably breaking your build/production environment with messages like "Your project contains lock files generated by tools other than Yarn"
- Versions are updated in package.json without running `yarn` or `npm install` afterwards, so the change is never replicated to the lock file

**Default rules:**
- Disallow version ranges (ex: ^1.0.4 or 1.0.x) in package dependencies; only exact versions (ex: 1.0.4) are accepted
- Disallow having package-lock.json and yarn.lock at the same time
- Disallow versions in yarn.lock that do not match the ones declared in package.json
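
The three default rules above, reimplemented as an added example in plain Node.js. This is not the package-locks-checks source (the project's own implementation is not shown on this page). The package.json object, the yarn.lock text (v1 format only, with placeholder registry URLs) and the list of files present in the project directory are all constructed inline so the block runs offline; the third rule is read here as "every `name@spec` declared in package.json must have an entry under that key in yarn.lock, and an exactly pinned spec must resolve to that version", which is the mismatch `yarn install --frozen-lockfile` would also refuse.

```javascript
// Added example (not the package-locks-checks source): the three default
// rules as stand-alone Node.js functions. All inputs below are constructed;
// the yarn.lock parser only understands the v1 format.

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build metadata.
// Anything else (^, ~, x, *, git URLs, "latest") is treated as a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Rule 1: disallow version ranges in package.json dependencies.
function findRangedDependencies(pkg) {
  const ranged = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(spec)) ranged.push(`${section}.${name}: ${spec}`);
    }
  }
  return ranged;
}

// Rule 2: disallow package-lock.json and yarn.lock side by side.
function hasMultipleLockFiles(fileNames) {
  const present = new Set(fileNames);
  return present.has('package-lock.json') && present.has('yarn.lock');
}

// Minimal yarn v1 lock parser: maps each "name@spec" key of an entry to the
// version that entry resolved to. Header comments and blank lines are skipped.
function parseYarnLockV1(text) {
  const entries = new Map();
  let currentKeys = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Entry header, e.g.  "@scope/lib@1.2.3":  or  a@^1.0.0, a@1.0.2:
      currentKeys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) for (const key of currentKeys) entries.set(key, m[1]);
  }
  return entries;
}

// Rule 3: every dependency in package.json needs a yarn.lock entry keyed by
// exactly that "name@spec" (otherwise package.json was edited without
// reinstalling), and an exactly pinned spec must resolve to that version.
function findUnmatchedYarnLock(pkg, lockEntries) {
  const problems = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const resolved = lockEntries.get(`${name}@${spec}`);
      if (resolved === undefined) {
        problems.push(`${name}@${spec} has no entry in yarn.lock (run yarn install)`);
      } else if (EXACT_VERSION.test(spec) && resolved !== spec) {
        problems.push(`${name}: package.json wants ${spec}, yarn.lock resolved ${resolved}`);
      }
    }
  }
  return problems;
}

// Runs all three rules and maps the outcome to the README's exit codes
// (0 = clean, 1 = rule violations, 2 = package.json not found).
function runChecks(pkg, lockText, fileNames) {
  if (!pkg) return { exitCode: 2, errors: ['package.json not found'] };
  const errors = [
    ...findRangedDependencies(pkg).map((d) => `version range not allowed: ${d}`),
    ...(hasMultipleLockFiles(fileNames) ? ['both package-lock.json and yarn.lock are present'] : []),
    ...findUnmatchedYarnLock(pkg, parseYarnLockV1(lockText)),
  ];
  return { exitCode: errors.length ? 1 : 0, errors };
}

// Constructed sample project: express uses a range, lodash's lock entry is
// stale (resolved 4.17.20 while package.json says 4.17.21), and jest was
// bumped in package.json without re-running yarn, so it has no lock entry.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { lodash: '4.17.21', express: '^4.18.2', '@scope/lib': '1.2.3' },
  devDependencies: { jest: '29.7.0' },
};
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/lib@1.2.3":
  version "1.2.3"
  resolved "https://registry.example/@scope/lib/-/lib-1.2.3.tgz"

express@^4.18.2:
  version "4.18.2"
  resolved "https://registry.example/express/-/express-4.18.2.tgz"

lodash@4.17.21:
  version "4.17.20"
  resolved "https://registry.example/lodash/-/lodash-4.17.20.tgz"
`;
const SAMPLE_FILES = ['package.json', 'yarn.lock', 'package-lock.json'];

console.log(JSON.stringify(runChecks(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK, SAMPLE_FILES), null, 2));
```

On the sample input this reports four problems and exit code 1. Note what the check does and does not buy you: it catches a lock file that drifted from package.json, but it does not verify the `integrity` hashes or the `resolved` URLs, so a tampered lock file with consistent versions passes. Pair it with `yarn install --frozen-lockfile` (or `npm ci`) in CI so the install step itself refuses a stale or missing lock file.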

Other rules could be added; suggest them on the [issues](https://github.com/tiagoGouvea/package-locks-checks/issues).

## Installation

Install globally:

```sh
yarn global add package-locks-checks
```

or

```sh
npm install -g package-locks-checks
```

Or run with npx:

```sh
npx package-locks-checks
```

## Usage

To run all default validators, just run

```sh
package-locks-checks
```

This will validate all rules and exit successfully if everything is ok.

. . .

To check a different folder you can run

```sh
package-locks-checks --basePath './api'
```

## Options

| Param | Default | Description |
| --- | --- | --- |
| `-pm, --packageManager` | `yarn` | Package manager to validate against |
| `-p, --basePath` | `./` | Base path to load package files from |
| `-f, --packageFile` | `./package.json` | Full path to the package.json file |
| `-r, --allowRange` | `false` | Allow ranges (ex: 1 or 1.x or ^1.0.4) instead of exact versions (ex: 1.0 or 1.0.4) in package dependencies |
| `-mlf, --allowMultipleLockFiles` | `false` | Allow having package-lock.json and yarn.lock at the same time |
| `-uyl, --allowUnmatchedYarnLock` | `false` | Allow versions in yarn.lock that do not match the ones declared in package.json |

## Exit codes

```text
0 = No errors
1 = Errors were found in the package or lock files
2 = Folder or package.json was not found
```

## To be implemented

- Detect the "preferred" package manager, to validate npm issues as well
- Validate package-lock.json against package.json versions
- Use [hasLockfile](https://github.com/luftywiranda13/package-locks-checks) to validate multiple lock files
- Auto-publish the package on npm when merging to main
- Return exit code 2 instead of 1 when the folder is missing
- Check for yarn.lock before running the yarn integrity check, pnpm-lock.yaml with pnpm, and so on

## Related links

- [Lockfiles should be committed on all projects](https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/)
- [About semantic versioning](https://docs.npmjs.com/about-semantic-versioning)
- [Semantic Versioning 2.0.0](https://semver.org/)
- [yarn install --frozen-lockfile should be the default behavior](https://github.com/yarnpkg/yarn/issues/4147)

## Problems? Ideas?

[File an issue](https://github.com/tiagoGouvea/package-locks-checks/issues).

## License

MIT © [Tiago Gouvêa](https://github.com/tiagoGouvea/)