How to make `npm install <package_a>` actually install `@myfancyname/package_a` - node.js

Let's say I published an npm package package_a a few years back.
Now I have actually "namespaced" all my packages under @myfancyname/package_a.
Is there a way to transform package_a's install process so that
npm install -g package_a
actually just runs
npm install -g @myfancyname/package_a
(of course this should also work for npm install package_a -> npm install @myfancyname/package_a)
This might be bad practice, so please advise in that case as well.

TL;DR: It's likely that the best solution is to use npm deprecate on your old package to provide people with a message directing them to the new package name.
This issue in the npm issue tracker suggests contacting support@npmjs.com. The issue is quite old, though, and also only seems to suggest contacting support for a large number of packages. Although the issue may be out of date, if there's a better way to do things, I'm sure the support team would redirect you there.
That said, while that npm issue title asks about a redirect (implying, to me at least, automatic redirect like what you want), the answers seem to be more about "redirecting" by informing users. Chances are, that's the recommended way, for better or worse. So you can use npm deprecate on your old package to provide people with a message directing them to the new package name.

Related

Why do I receive deprecated package warnings when using npm install

I hope you are doing well!
I got asked why I should use -f to force npm install to install packages. In the documentation it states that it will
force npm to fetch remote resources even if a local copy exists on disk.
But does this mean that it redownloads global packages for the local project or what does it solve exactly?
Another thing that happens is, when I use npm install, I see a lot of warnings in the console like
WARNING: X package is deprecated
But when I run npm outdated I see that all packages are fairly up to date (all match the recommended version to download), so I assume this might be a dependency of a certain package. But does it affect our work negatively? Why does this happen?
For the packages I download, I generally look for packages that have weekly downloads in the 6 digits on npm, so I don't think we are using unfamiliar packages.
I am asking these questions because they have been asked to me but I don't have a straight answer to them.
Thank You!
I don't understand how npm install -f works

How to prevent npm from resolving devDependencies on production install

I'm building a microservice app in a monorepo containing a bunch of microservices and a commons package. This commons package is never published to npm. (packages are managed with yarn workspaces)
Using parcel, the commons package is bundled into the production code, so I don't need to install it at run time.
Each microservice runs in its own docker container. So, when I build the docker container, ideally I'd want to ignore this "commons" dependency and install all the other ones. AFAIK, the only way to do this is to place the "commons" package in devDependencies.
However, it seems that even if I add it only to devDependencies and run npm i --only=production, npm still tries to resolve the package and still throws an ETARGET error.
Is there some way to completely ignore the devDependencies? My only other idea is to write a script that removes the devDependencies field from package.json before running npm install, but I wanted to ask here first to make sure I'm not missing anything.
There is a GitHub issue on the npm/cli repo tracking this issue here (#4967), where this behaviour is categorized as a bug.
So to answer your question, as far as the current status of the GitHub issue indicates, the intended behaviour is that devDependencies don't get attempted to be resolved in --production mode, and you shouldn't need to do anything extra to get this behaviour once the fix is made. I don't think you are missing anything.
The workaround you have thought of sounds reasonable to me.
On the GitHub issue, you can indicate "me too" with a thumbs up reaction (please don't spam the comments with "me too" comments).
To install only production packages, without devDependencies:
npm install --production
Docs about npm install are here.

How to install/download packages without using npm install <package_name> or yarn install

I work in a banking domain company, so many links and websites are blocked here. Currently I am working on a project where I am using React and Node.js as the tech stack.
So whenever I want to install any new dependency or just run npm install, I get an access problem.
Is there any other solution to download the dependencies from the package.json file apart from npm install?
It'll be really tough not having yarn or npm do dependency management for you, but there are options.
I highly recommend you set up a private npm registry just for your company. There are many paid and free services that can do this, as well as open source self-hosted solutions. Once set up, all you have to do is edit your npm or yarn configuration and you're good to go.
Here is a link with plenty of options to get this going. A few that come to mind off the top of my head are Artifactory and npm itself.
If none of these work for you, you can always just manually download npm packages from their GitHub repositories, but this will be very tedious and time consuming (maybe you can write your own custom package manager?), and I definitely don't recommend this route.

How can you make sure your npm dependencies are safe?

For example, when you do npm init and install express, you end up with a node_modules folder with 20 other folders in it.
I never ran into this issue... but isn't it something that may be a concern?
First, it's important to do our homework before installing a package.
Read the package's page on npmjs.com and look at who published the package, the number of versions and the number of weekly downloads. If these numbers are very low, I would pass or definitely inspect the source code.
Another thing to do is to pay attention when you type the package name when you install. Typosquatting is possible, and there are published packages whose names are close to those of popular packages.
In terms of how secure NPM (the registry) is, they do periodic penetration testing and ongoing code reviews. Also, they report vulnerabilities to package authors and handle vulnerability reports from other users. But it's a continuous fight against spammers, malware, etc.
Commands you can run:
npm outdated (for locals) and npm outdated -g --depth=0 (for globals)
This will check which packages are outdated and it will list "Current Wanted Latest" versions for each outdated package.
npm audit
This will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, etc.
Also, npm audit automatically runs when you install a package with npm install.
npm audit fix
This automatically installs compatible updates to vulnerable dependencies.
More:
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
https://www.youtube.com/watch?v=H48KuESn2sk
When writing Node.js applications, ending up with hundreds or even thousands of dependencies can easily happen.
For example, if you depend on Express, you depend on 27 other modules directly, and of course on their dependencies as well, so manually checking all of them is not an option!
The only option is to automate the update / security audit of your dependencies. For that there are free and paid options:
npm outdated
Trace by RisingStack
NSP
GreenKeeper
Snyk
Yea, it is def something to keep in mind. That being said, most of the time you will be dealing with pretty popular libraries/packages for which it is safe to assume they are secure. However, if you DO need to download one that isn't super popular, just take a look at the source code.
Edit: The security concern becomes more of an issue when you install packages globally. NEVER install a package globally that you have any doubts about.
Of course, there may be malicious code in it. It's just like installing software: you do not install random modules. Just make sure the packages you install are trustworthy.

Create an offline installer of npm package

Problem:
I have a very flaky internet connection at my place.
Due to this when I try to do
npm install -g gulp
it stops the download before completion.
I have tried downloading several times but all in vain.
Thinking about my options
I have a friend in another city with a high speed internet connection. I can ask him to somehow package gulp and provide it to me using Dropbox; then I can use any download manager to download it in parts over my flaky connection.
But the sad thing is he doesn't know how to do it. (Help on this front is also appreciated.)
Can anyone help me out with this situation?
P.S.: I am doing a course from Udacity and due to my flaky internet connection I am facing a lot of issues.
According to the docs, npm install supports installing from a tarball file sitting on your filesystem. So, as long as your friend can create and supply you a tarball of the npm package you are looking for - you should be good to go.
Below is a quote from the docs.
UPDATE: To create a tarball file from an npm package, you can just run npm pack package_name. For example,
npm pack underscore
will create a .tgz file for the latest version of the underscore.js npm package. See the documentation for npm pack here.
Not answering your question directly, but I was just struggling for hours with the network connection behind a corporate firewall with npm. Then I tried yarn, the package manager from Facebook. Wow, it worked like a charm; the install of the package I needed plus deps was done within a minute.