smarlhens/npm-pin-dependencies

NPM pin dependencies


npm-pin-dependencies pins the dependency versions declared in package.json to the exact versions that package-lock.json records as installed.

Prerequisites

  • Node.JS version ^18.12.0 || ^20.0.0

Installation

Install globally:

npm install -g @smarlhens/npm-pin-dependencies

Or run with npx:

npx @smarlhens/npm-pin-dependencies

Usage

CLI

Reports which package.json dependency versions can be pinned, based on the npm package-lock.json file, for the project in the current directory (without -u, no file is modified):

$ npd

Update the project's package.json file with the pinned versions:

$ npd -u

Node

import { readFileSync } from 'node:fs';
import {
  pinDependenciesFromString,
  validatePackageJsonString,
  validatePackageLockString,
} from '@smarlhens/npm-pin-dependencies';

// load content of package.json and package-lock.json as stringified JSON
const packageJsonString = readFileSync('package.json', 'utf8');
const packageLockString = readFileSync('package-lock.json', 'utf8');

validatePackageJsonString({ packageJsonString }); // can throw Errors if unexpected format
validatePackageLockString({ packageLockString }); // can throw Errors if unexpected format

// packageJson is the content of your package.json with pinned dependencies
// versionsToPin contains changes if you want to display them
const { versionsToPin, packageJson } = pinDependenciesFromString({
  packageJsonString,
  packageLockString,
});
console.log(packageJson);
console.log(
  versionsToPin
    .map(({ pinnedVersion, version, dependency }) => `${dependency} version ${version} replaced by ${pinnedVersion}`)
    .join('\n'),
);

Options

Usage: npd [options]

Options:
  -q, --quiet    Enable quiet mode.                                [boolean] [default: false]
  -d, --debug    Enable debug mode. Can be used with environment variable DEBUG=npd.
                                                                   [boolean] [default: false]
  -v, --verbose  A little more detailed than the default output.   [boolean] [default: false]
  -u, --update   Update dependency versions in package.json file.  [boolean] [default: false]
      --enableSaveExact  Enable save exact.                        [boolean] [default: false]
      --help     Show help                                                          [boolean]
      --version  Show version number                                                [boolean]

Examples:
  npd     Check installed dependency versions based on package-lock.json file in the current
          working directory.
  npd -u  Pin package.json dependency versions based on package-lock.json file in the current
           working directory.

© 2023 Samuel MARLHENS

Debug

$ DEBUG=* npd -d

Output with debug enabled:
[STARTED] Pinning dependency versions in package.json file...
[STARTED] Reading package-lock.json...
[SUCCESS] Reading package-lock.json...
[STARTED] Reading yarn.lock...
[SUCCESS] Reading yarn.lock...
[STARTED] Reading package.json...
[SUCCESS] Reading package.json...
[STARTED] Validating package-lock.json...
[SUCCESS] Validating package-lock.json...
[STARTED] Validating yarn.lock...
[SKIPPED] Validating yarn.lock...
[STARTED] Validating package.json...
[SUCCESS] Validating package.json...
[STARTED] Computing which dependency versions are to pin...
  npd Dependency fake-package-1 version is not pinned: ^1.0.0 -> 1.1.0. +0ms
  npd Dependency fake-package-2 version is not pinned: ~2.5.0 -> 2.5.2. +0ms
  npd Dependency fake-package-3 version is not pinned: 3.x -> 3.1.1. +0ms
  npd Dependency fake-package-4 version is not pinned: ^0.0.3 -> 0.0.3. +0ms
  npd Dependency fake-package-5 version is not pinned: ~0.0.3 -> 0.0.9. +0ms
  npd Dependency fake-package-6 version is not pinned: ^0.1.0 -> 0.1.0. +0ms
  npd Dependency fake-package-7 version is not pinned: ~0.1.0 -> 0.1.1. +0ms
  npd Dependency fake-package-8 version is already pinned. +0ms
  npd Dependency fake-package-9 version is not pinned: 1.0.0 - 1.2.0 -> 1.1.1. +0ms
  npd Dependency fake-package-10 version is not pinned: >2.1 -> 2.2.2. +0ms
  npd Dependency fake-package-11 version is not pinned: ^2 <2.2 || > 2.3 -> 2.1.6. +0ms
  npd Dependency fake-package-12 version is not pinned: ^2 <2.2 || > 2.3 -> 2.4.2. +1ms
  npd Dependency fake-dev-package-1 version is not pinned: ^4.0.0 -> 4.0.0. +0ms
  npd Dependency fake-dev-package-2 version is not pinned: ~5.0.0 -> 5.0.0. +0ms
  npd Dependency fake-dev-package-3 version is not pinned: 6.x -> 6.0.0. +0ms
  npd Dependency fake-optional-package-1 version is not pinned: ^7.0.0 -> 7.0.0. +0ms
  npd Dependency fake-optional-package-2 version is not pinned: ~8.0.0 -> 8.0.0. +0ms
  npd Dependency fake-optional-package-3 version is not pinned: 9.x -> 9.0.0. +0ms
[SUCCESS] Computing which dependency versions are to pin...
[STARTED] Output dependency versions that can be pinned...
[TITLE] Dependency versions that can be pinned:
[TITLE]
[TITLE]  fake-package-1           ^1.0.0            →  1.1.0
[TITLE]  fake-package-2           ~2.5.0            →  2.5.2
[TITLE]  fake-package-3           3.x               →  3.1.1
[TITLE]  fake-package-4           ^0.0.3            →  0.0.3
[TITLE]  fake-package-5           ~0.0.3            →  0.0.9
[TITLE]  fake-package-6           ^0.1.0            →  0.1.0
[TITLE]  fake-package-7           ~0.1.0            →  0.1.1
[TITLE]  fake-package-9           1.0.0 - 1.2.0     →  1.1.1
[TITLE]  fake-package-10          >2.1              →  2.2.2
[TITLE]  fake-package-11          ^2 <2.2 || > 2.3  →  2.1.6
[TITLE]  fake-package-12          ^2 <2.2 || > 2.3  →  2.4.2
[TITLE]  fake-dev-package-1       ^4.0.0            →  4.0.0
[TITLE]  fake-dev-package-2       ~5.0.0            →  5.0.0
[TITLE]  fake-dev-package-3       6.x               →  6.0.0
[TITLE]  fake-optional-package-1  ^7.0.0            →  7.0.0
[TITLE]  fake-optional-package-2  ~8.0.0            →  8.0.0
[TITLE]  fake-optional-package-3  9.x               →  9.0.0
[TITLE]
[TITLE] Run npd -d -u to upgrade package.json.
[SUCCESS] Output dependency versions that can be pinned...
[STARTED] Updating package.json...
[SKIPPED] Update is disabled by default.
[STARTED] Enabling save-exact using .npmrc...
[SKIPPED] Enabling save-exact is disabled by default.
[SUCCESS] Dependency versions that can be pinned:
[SUCCESS]
[SUCCESS]  fake-package-1           ^1.0.0            →  1.1.0
[SUCCESS]  fake-package-2           ~2.5.0            →  2.5.2
[SUCCESS]  fake-package-3           3.x               →  3.1.1
[SUCCESS]  fake-package-4           ^0.0.3            →  0.0.3
[SUCCESS]  fake-package-5           ~0.0.3            →  0.0.9
[SUCCESS]  fake-package-6           ^0.1.0            →  0.1.0
[SUCCESS]  fake-package-7           ~0.1.0            →  0.1.1
[SUCCESS]  fake-package-9           1.0.0 - 1.2.0     →  1.1.1
[SUCCESS]  fake-package-10          >2.1              →  2.2.2
[SUCCESS]  fake-package-11          ^2 <2.2 || > 2.3  →  2.1.6
[SUCCESS]  fake-package-12          ^2 <2.2 || > 2.3  →  2.4.2
[SUCCESS]  fake-dev-package-1       ^4.0.0            →  4.0.0
[SUCCESS]  fake-dev-package-2       ~5.0.0            →  5.0.0
[SUCCESS]  fake-dev-package-3       6.x               →  6.0.0
[SUCCESS]  fake-optional-package-1  ^7.0.0            →  7.0.0
[SUCCESS]  fake-optional-package-2  ~8.0.0            →  8.0.0
[SUCCESS]  fake-optional-package-3  9.x               →  9.0.0
[SUCCESS]
[SUCCESS] Run npd -d -u to upgrade package.json.
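The debug output above and the Node section describe the same step: for every dependency whose declared range is not already an exact version, look up the version recorded in package-lock.json and substitute it. The following is an added example, not the project's own code, that re-implements that step in plain JavaScript on constructed sample data; the function names (isPinned, lockedVersion, pinDependencies, runSample) and the sample package.json and package-lock.json contents are assumptions. It goes one step beyond the page by also reporting dependencies that are declared in package.json but absent from the lock file, since a stale lock means a fresh install would resolve that range at install time instead of using a recorded version.

```javascript
// Added example, not the project's own code: a minimal re-implementation of the
// "Computing which dependency versions are to pin" step shown in the debug output.
// Function names and the sample files below are constructed for illustration.

// An exact version as npm writes it with save-exact=true: X.Y.Z with an optional
// prerelease/build suffix. Anything else (^, ~, x, hyphen ranges, "||") is not pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// Installed version recorded in the lock file for a top-level dependency.
// lockfileVersion 2 and 3 record it under packages["node_modules/<name>"],
// lockfileVersion 1 under dependencies[<name>]. Returns undefined when absent.
function lockedVersion(lock, name) {
  const v2 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v2 && v2.version) return v2.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  return v1 ? v1.version : undefined;
}

const DEPENDENCY_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns a copy of package.json with pinned versions, the list of changes, and
// the dependencies that are declared but absent from the lock file.
function pinDependencies(packageJsonString, packageLockString) {
  const original = JSON.parse(packageJsonString);
  const packageJson = JSON.parse(packageJsonString); // independent copy to mutate
  const lock = JSON.parse(packageLockString);
  const versionsToPin = [];
  const missingFromLock = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [dependency, version] of Object.entries(original[field] || {})) {
      if (isPinned(version)) continue; // already exact, nothing to do
      const pinnedVersion = lockedVersion(lock, dependency);
      if (pinnedVersion === undefined) {
        missingFromLock.push(dependency); // lock file is stale for this entry
        continue;
      }
      versionsToPin.push({ dependency, version, pinnedVersion });
      packageJson[field][dependency] = pinnedVersion;
    }
  }
  return { packageJson, versionsToPin, missingFromLock };
}

// Constructed sample input mirroring a few entries from the debug output above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: {
    'fake-package-1': '^1.0.0',
    'fake-package-8': '1.0.0',
    'fake-package-11': '^2 <2.2 || > 2.3',
    'ghost-package': '^9.9.9', // declared but never installed: absent from the lock
  },
  devDependencies: { 'fake-dev-package-1': '^4.0.0' },
});

const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/fake-package-1': { version: '1.1.0' },
    'node_modules/fake-package-8': { version: '1.0.0' },
    'node_modules/fake-package-11': { version: '2.1.6' },
    'node_modules/fake-dev-package-1': { version: '4.0.0', dev: true },
  },
});

function runSample() {
  return pinDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK);
}

const result = runSample();
for (const { dependency, version, pinnedVersion } of result.versionsToPin) {
  console.log(`${dependency} version is not pinned: ${version} -> ${pinnedVersion}`);
}
for (const dependency of result.missingFromLock) {
  console.log(`${dependency} is declared in package.json but absent from the lock file`);
}
console.log(JSON.stringify(result.packageJson, null, 2));
```

On the sample data this pins fake-package-1, fake-package-11 and fake-dev-package-1, leaves the already exact fake-package-8 untouched, and flags ghost-package as missing from the lock rather than silently keeping its range.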