I've got the following scripts in my root package.json in my lerna repo:
"scripts": {
  "lerna:changed": "npx lerna changed",
  "lerna:diff": "npx lerna diff",
  "lerna:publish": "npx lerna publish"
}
After running npm run lerna:publish I see a gitHead key in my package.json file of all packages (not the root.json). This becomes a big problem when it comes to versioning because all packages will get bumped when this change is added. Why is this happening and how can I stop it?
I used to have a publish command in my root package.json file and I know this could have caused this problem originally but I've since removed it. Now, the package.json files for my sub packages look basically like this:
{
  "name": "@myProject/appOne",
  "version": "0.0.15-alpha.0",
  "description": "",
  "main": "index.js",
  "directories": {
    "lib": "lib"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}
UPDATE: It seems like gitHead is added as a temporary key during the publish phase. My publish creates tags and commits them to GIT but my deployment to my registry is failing and that's probably why the cleanup isn't happening.
Apologies if this is really simple, I really don't understand the fundamentals involved here.
I recently got a string of emails from GitHub letting me know that there were security vulnerabilities in my package-lock.json files, but since I do not actually have any packages in my package.json files (except parcel bundler, which was auto generated?), I wasn't sure if that was an issue. The only reason either file exists is because I used the Webstorm HTML5-Boilerplate template for the project, which auto generated them.
This is the entirety of my package.json file.
{
  "name": " ",
  "version": "0.0.1",
  "description": "",
  "keywords": "",
  "license": "",
  "author": "",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "parcel-bundler": "^1.12.4"
  }
}
To the best of my knowledge the only other external code used is jsdelivr and two research scripts, jquery and proliferate; none of these are raising any flags on GitHub.
Are there vulnerabilities simply by virtue of having outdated packages in package-lock.json even if they are never used? Should I just delete the files or is there a better solution?
The only real bug fix I've tried so far is generating a new HTML5-Boilerplate template using Webstorm to see if it had updated the package-lock, but that didn't do anything.
I want to write my own npm package to analyse the structure of a vue project (vueanalyser). So I created a new package with npm init --scope=@my-username and set the "main" property to index.js.
// package.json of the custom package
{
  "name": "@my-username/vueanalyser",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "repository": {
    "type": "git",
    "url": "..."
  },
  "bugs": {
    "url": "..."
  },
  "homepage": "...",
  "description": ""
}
I published the package and added it to my vue project (.node_modules/@my-username/vueanalyser). Now I want to add a command like "analyse": "vueanalyser start" to the script property of the package.json of the vue project. If I do so I obviously get an error that the command is unknown.
So I realized that I can call the index.js with "analyse": "node node_modules/@my-username/vueanalyser/index.js", but I have seen packages where scripts can be called in a much shorter way, e.g. "styleguide:build": "vue-styleguidist build". What do I have to change in order to call my script this way ("analyse": "vueanalyser start")?
the npm bin property
This specifies executables to copy into node_modules/.bin.
Add the executable header to your index.js
Add this to the first line: #!/usr/bin/env node
Make the file executable
chmod +x index.js
Edit package.json
Add the bin property:
{
  ...
  "bin": { "vueanalyser": "index.js" }
}
Republish package
Install package
Find node_modules/.bin/vueanalyser is a symlink to ../<package_name>/index.js!
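A check for the steps in the answer above, as an added example that is not part of the original answer: it reads a package's bin entries and reports whether each target exists inside the package, starts with a Node shebang, and is executable. The function names and the fixture (package name, file contents) are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Return one finding per "bin" entry of the package in pkgDir.
function auditBin(pkgDir) {
  const pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  // "bin" may be a string (command = package name without its scope) or a map.
  const bin = typeof pkg.bin === 'string'
    ? { [pkg.name.split('/').pop()]: pkg.bin }
    : (pkg.bin || {});
  return Object.entries(bin).map(([command, rel]) => {
    const target = path.resolve(pkgDir, rel);
    // A bin target should stay inside the package directory.
    const inside = target.startsWith(path.resolve(pkgDir) + path.sep);
    if (!inside || !fs.existsSync(target)) {
      const problem = inside ? 'missing file' : 'escapes package';
      return { command, target: rel, ok: false, problem };
    }
    const firstLine = fs.readFileSync(target, 'utf8').split('\n', 1)[0];
    const shebang = /^#!.*\bnode\b/.test(firstLine);
    const executable = (fs.statSync(target).mode & 0o111) !== 0;
    const problem = !shebang ? 'no node shebang' : !executable ? 'not executable' : null;
    return { command, target: rel, ok: problem === null, problem };
  });
}

// Constructed fixture: a package shaped like the one in the question.
function makeFixture(firstLine, mode) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'vueanalyser-'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({
    name: '@my-username/vueanalyser',
    version: '1.0.0',
    bin: { vueanalyser: 'index.js' },
  }));
  const file = path.join(dir, 'index.js');
  fs.writeFileSync(file, `${firstLine}\nconsole.log('start');\n`);
  fs.chmodSync(file, mode); // set the mode explicitly, independent of umask
  return dir;
}

console.log(auditBin(makeFixture('#!/usr/bin/env node', 0o755)));
console.log(auditBin(makeFixture("'use strict';", 0o755)));
console.log(auditBin(makeFixture('#!/usr/bin/env node', 0o644)));
```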
I've had no problems manually publishing my scoped package to the NPM registry; however, I found the np module could be used to ensure no steps were skipped in the process.
I've configured only a couple options in my package.json as the defaults are otherwise sensible for me. (This is the package.json for the npm package itself)
{
  "name": "@scope/package",
  "version": "0.0.6",
  "description": "blah",
  "main": "index.js",
  "scripts": {
    "prepublishOnly": "npm run release",
    "release": "npm run build:dev && npm run build:prod",
    "build:prod": "NODE_ENV=production rollup -c",
    "build:dev": "NODE_ENV=development rollup -c",
    "test": "echo \"No tests specified\""
  },
  "repository": {
    "type": "git",
    "url": "http://blah/blah/blah"
  },
  "author": "blah",
  "license": "ISC",
  "devDependencies": {
    ...
  },
  "peerDependencies": {
    ...
  },
  "np": {                  <----
    "yarn": false,         <----
  },                       <----
  "publishConfig": {       <----
    "access": "public"     <----
  }                        <----
}
Unfortunately when I run np I receive the error:
Command failed with exit code 128 (Unknown system error -128): git log --format=%s %h commit sha commit sha..HEAD
The first commit sha is the initial commit from Gatsby.
If you've used Gatsby you may have seen it:
Initial commit from gatsby: (https://github.com/gastbyjs/gatsby-starter-hello-world.git)
For context: I'm creating a component library where the parent dir is setup using GatsbyJS so that I can use it for the demo site while the child dirs under src/packages will be the individual components that will be published to the npm registry. So the demo site is bundled with Gatsby while the packages are bundled using rollup.
Why am I receiving this -128 error code and how do I fix it?
I am setting up my local module to be installed via npm install --save ../path/to/my/project.
When running the npm install, the node_modules/my_project directory gets populated with all source files - not just the dist/ folder as configured in package.json. I'm not sure why.
Here's my setup:
Test Project (main project)
Files:
  index.js
  package.json
  dist/
    index.js
package.json
{
  "name": "test",
  "version": "1.0.0",
  "description": "a test",
  "main": "dist/index.js",
  "files": [
    "dist"
  ],
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [
    "test"
  ],
  "author": "Me",
  "license": "MIT"
}
-
Test Project2 (to import main project as a dependency)
package.json
{
  "name": "test2",
  "version": "1.0.0",
  "description": "test2",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Me",
  "license": "MIT",
  "dependencies": {
    "test": "file:../test"
  }
}
Once I run npm install, my node_modules/ directory looks like this:
test/
  index.js
  package.json
  dist/
    index.js
Is there something I'm overlooking? I'm under the assumption that the files: [] field is used to specify which files are included when the package is installed.
Additionally, I've tried running npm cache clean -f and npm cache verify, neither of which solve my issue.
It seems that this only occurs when attempting to install a local module. To test, I made a test repo on github and installed from there, only the dist/ file was included. Not sure why.
I've been following this Gulp install by CSS tricks - https://css-tricks.com/gulp-for-beginners/ I noticed that when I get to their folder shot of what should be in the node_module folder... they only have bin and gulp. I have 40+ folders that get added. Is this supposed to happen? Does Gulp need these dependencies? If not, why is it happening? Here is my package.json with certain info omitted and a screenshot of 1/2 the folders made on install. I start the project clean (no folders or crazy installs uninstalls were done).
{
  "name": "---",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": "git+-----.git"
  },
  "keywords": [
    "---",
    "---'",
    "---",
    "---"
  ],
  "author": "-----",
  "license": "ISC",
  "homepage": "------",
  "devDependencies": {
    "gulp": "^3.9.0"
  }
}
This is due to changes in the new npm 3, which I assume you're using here (you can check by doing npm -v if you want to make sure). All modules and their dependencies are now in /node_modules instead of being nested in sub-folders of the module that depended on them (like it used to be).
Your dependencies will now be installed maximally flat. Insofar as is possible, all of your dependencies, and their dependencies, and THEIR dependencies will be installed in your project's node_modules folder with no nesting.
Source: http://dailyjs.com/2015/06/26/npm-3/
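To see the flat layout described above in a concrete project, the following added example (not part of the original answer) lists the top-level folders of node_modules and marks each as declared in the project's package.json or hoisted there because another installed package depends on it. The function names and the fixture are constructed for illustration; the fixture's dependency lists are not real package contents.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const readJson = (file) => JSON.parse(fs.readFileSync(file, 'utf8'));

// Names of packages installed at the top level, expanding @scope folders.
function topLevelPackages(nodeModules) {
  return fs.readdirSync(nodeModules)
    .filter((entry) => !entry.startsWith('.')) // skip .bin and other dot-folders
    .flatMap((entry) => (entry.startsWith('@')
      ? fs.readdirSync(path.join(nodeModules, entry)).map((sub) => `${entry}/${sub}`)
      : [entry]))
    .sort();
}

// "direct" = declared in the project's package.json; "hoisted" = present only
// because some other installed package lists it as a dependency.
function classify(projectDir) {
  const root = readJson(path.join(projectDir, 'package.json'));
  const declared = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const nm = path.join(projectDir, 'node_modules');
  const installed = topLevelPackages(nm);
  const requiredBy = new Map(installed.map((name) => [name, []]));
  for (const name of installed) {
    const deps = readJson(path.join(nm, name, 'package.json')).dependencies || {};
    for (const dep of Object.keys(deps)) requiredBy.get(dep)?.push(name);
  }
  return installed.map((name) => ({
    name, kind: declared.has(name) ? 'direct' : 'hoisted', requiredBy: requiredBy.get(name),
  }));
}

// Constructed fixture: only gulp is declared, the rest is pulled in by it.
function makeProject() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'flat-'));
  const put = (rel, json) => {
    fs.mkdirSync(path.join(dir, rel), { recursive: true });
    fs.writeFileSync(path.join(dir, rel, 'package.json'), JSON.stringify(json));
  };
  put('.', { name: 'demo', devDependencies: { gulp: '^3.9.0' } });
  put('node_modules/gulp', { name: 'gulp', dependencies: { chalk: '*', 'vinyl-fs': '*' } });
  put('node_modules/chalk', { name: 'chalk' });
  put('node_modules/vinyl-fs', { name: 'vinyl-fs', dependencies: { through2: '*' } });
  put('node_modules/through2', { name: 'through2' });
  return dir;
}

console.table(classify(makeProject()));
```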