
npm-consider's People

Contributors

delfrrr, killerfurbel


npm-consider's Issues

Sp. nit in option

Hi,

Not a big deal, but I figure you may want to correct the spelling of the "maxSizeBites" option to "maxSizeBytes".

Thanks!

It does not work reason: connect ECONNREFUSED 104.18.97.96:443 !!!

Hi,

My machine is behind a proxy, I set the npm proxy settings and 'npm install' works fine!
But when I try 'npm-consider install', it fails with this error:

GET https://registry.npmjs.org/http-proxy{ FetchError: request to https://registry.npmjs.org/@slack%2fclient failed, reason: connect ECONNREFUSED 104.18.95.96:443
    at ClientRequest.<anonymous> (/usr/lib/node_modules/npm-consider/node_modules/node-fetch/index.js:133:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
  name: 'FetchError',
  message: 'request to https://registry.npmjs.org/@slack%2fclient failed, reason: connect ECONNREFUSED 104.18.95.96:443',
  type: 'system',
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED' }

It seems 104.18.95.96:443 is hard-coded as a proxy by the tool because it is not the proxy I configured!

Thanks.

License type suggestions

Excellent tool and great article to go with it.

As someone who does open source license compliance for my company, I have a few suggestions on licenses to add/types to consider for them:

  • Add EPL 2.0 to weaklyProtective
  • Add CDDL 1.1 to weaklyProtective
  • Consider "CDDL / GPLv2 with Classpath Exception" as a single entry, which is the license previously used for many Java projects. (They are gradually moving to EPL v2.) The CPE is intended to move it more toward the weaklyProtective group, but in reality, it sort of sits between the two.
  • Add BSD+PATENTS to the weaklyProtective list. Hopefully this is quickly falling out of favor, but it is important to distinguish from regular BSD licenses due to its high risk and ineligibility for use with other major projects (like those run by Apache).
  • Add SSPL to the networkProtective list. This is the license used by MongoDB, and it is uber-protective.
  • Move WTFPL to publicDomain. Even though none of the licenses there are, strictly speaking, truly "public domain", these licenses all carry no obligations for any type of use, and in that sense, WTFPL is the same.

Thanks, and keep up the good work spreading the gospel of licensing!

TypeError: process.stdout.cursorTo is not a function

When redirecting output away from the TTY to a file or a pipe, I get this error:

TypeError: process.stdout.cursorTo is not a function
    at getPackageDetails.then (/Users/benjamin/.npm/_npx/27879/lib/node_modules/npm-consider/index.js:100:22)
    at process._tickCallback (internal/process/next_tick.js:68:7)

Steps to reproduce:

npx npm-consider install nodemon >/dev/null

GPL compatibility checking

I think it would be useful to include a way to check GPL2 and GPL3 compatibility, specifically flagging licenses that may be problematic, such as CC-BY-SA, Apache (for GPL2), GPL2 only (for GPL3), etc.

Project maintenance status

Hi,

@delfrrr , @DanielRuf : Thank you for such a valuable project.

As it has been some months since making some PRs without hearing back, I am wondering whether you are still maintaining the project though?

Thanks!

Listing details of one type only

Hi,

I'm often most concerned if I've already installed some Protective or Uncategorized licenses (into a permissive or weakly protective package).

It'd be great if one could opt to get the details table showing only certain license types, e.g., Protective or Uncategorized ones.

npm-consider fails on "Impact"

The issue is exactly as the title says: npm-consider seems to fail when selecting Impact. Associated command output with stack trace is below (tested using express with command npm-consider install --save express):

***@***:~/proj/zifar$ npm-consider install --save express
[email protected] (updated 6 months ago)
Packages  51
Size      535.18 KB
Licenses  Permissive  51
? What is next? Impact
TypeError: Cannot read property 'saveDev' of undefined
    at getLocalPackage.then (/mnt/c/Users/***/AppData/Roaming/npm/node_modules/npm-consider/lib/showImpact.js:69:25)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)

Note that this error also occurs if I attempt to use the module directly in the Windows command prompt.

Only first package is checked

The following command will install both express and feathers but it will only give information about express.

npm-consider install express @feathersjs/feathers

It would be great if npm-consider could give information either on each package in turn or on all packages together.

Question: Running --test against dependencies only

I was just playing around, and found that I can run the --test option together with the --production option, and it results in different results with far fewer packages. Our wish is to be able to run the --test only on the dependencies and not devDependencies.

This is the command I run. Does it actually do what I hope it is doing?

npx npm-consider install --test --production

Details on ALL packages

Is there a way to see the details on ALL packages at once?
npm-consider install --test --details

or something of the like?

Great tool in any case! Just have a lot of packages right now and I don't know which ones are "protective"

Handling of "OR"

Hi!

Great package and concept. Also appreciated the Medium.com write-up.

I noticed that when providing the details of licenses, "[email protected]", whose license is listed as "GPL-3.0-or-later OR MIT" is categorized as "Protective". Since the "OR" is present with the permissive MIT, I would think it should go with "Permissive" instead. Only for "AND" would it make sense I think to be "Protective".

Option for showing dependency graph when using --test

Would be nice to be able to print the dependency graph when you integrate this on a CI environment.
Something like

npm-consider install --production --test --details
## OR
npm-consider install --production --test_details

This way you get more details instead of just a success or an error with short details.

Private registries might return NaN in Impact's Size percentage

I gave a try to npm-consider today in my company environment.

We use Nexus from Sonatype as a private registry that mirrors npm's one and hosts the company's private modules.

For some reason (which might be a misconfiguration of the Nexus instance on our side), npm-consider can't fetch the package's dependencies size (everything is at 0).

When selecting Impact from the prompt, it gives me the following output:

? What is next? Impact
Packages  5    +4.31%
Size      0 B  +NaN%

After a quick read of the codebase, I can see that this is the line causing it to be NaN (divide by 0):

https://github.com/delfrrr/npm-consider/blob/master/lib/showImpact.js#L102

Do you think a PR that adds a check on currentPackageStats.size and sets everything to 0, or (option b) adds a message saying that something went wrong while trying to fetch the package size, is appropriate?

I am willing to work on this, just need your opinion before.

Regards

Check fails with FontAwesome

command I run:
npm-consider install

Packages I use:
"@fortawesome/fontawesome-svg-core": "^1.2.25",
"@fortawesome/pro-light-svg-icons": "^5.11.2",
"@fortawesome/vue-fontawesome": "^0.1.8",

Error I get:
Error: Response is not ok 401 Unauthorized https://npm.fontawesome.com/@fortawesome%2ffontawesome-svg-core
at checkResponse (/usr/local/lib/node_modules/npm-consider/lib/getPackageDetails.js:26:9)
at process._tickCallback (internal/process/next_tick.js:68:7)

Getting error - reason: connect ETIMEDOUT

Symptom

When I run npm-consider install, it goes through tens of packages and then at one point it gives ETIMEDOUT. Every time I retry, it stops at different points.

Suggested Fix

Either retry, or expand timeout?

How to reproduce

I am using vue-cli.

vue create npm-consider-test
<<< click enter and then wait for a minute >>>
cd npm-consider-test
npm-consider install

Outputs I get

PS C:\temp\npm-consider-test> npm-consider install
[email protected]
GET https://registry.npmjs.org/p-limit{ FetchError: request to https://registry.npmjs.org/@babel%2fpreset-stage-2 failed, reason: connect ETIMEDOUT 104.16.20.35:443
    at ClientRequest.<anonymous> (C:\Users\kennethc\AppData\Roaming\npm\node_modules\npm-consider\node_modules\node-fetch\index.js:133:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
  name: 'FetchError',
  message: 'request to https://registry.npmjs.org/@babel%2fpreset-stage-2 failed, reason: connect ETIMEDOUT 104.16.20.35:443',
  type: 'system',
  errno: 'ETIMEDOUT',
  code: 'ETIMEDOUT' }
PS C:\temp\npm-consider-test> npm-consider install
[email protected]
GET https://registry.npmjs.org/run-queue{ FetchError: request to https://registry.npmjs.org/cssnano failed, reason: connect ETIMEDOUT 104.16.20.35:443
    at ClientRequest.<anonymous> (C:\Users\kennethc\AppData\Roaming\npm\node_modules\npm-consider\node_modules\node-fetch\index.js:133:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
  name: 'FetchError',
  message: 'request to https://registry.npmjs.org/cssnano failed, reason: connect ETIMEDOUT 104.16.20.35:443',
  type: 'system',
  errno: 'ETIMEDOUT',
  code: 'ETIMEDOUT' }
PS C:\temp\npm-consider-test>
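The connect timeouts in this post and the 401 from npm.fontawesome.com in the "Check fails with FontAwesome" post above call for different handling: a timeout is worth retrying with backoff, while a 401 is a credential problem that retrying only repeats. The following is an added example, not npm-consider's code and not a fix the maintainers proposed, of a retry wrapper around a fetch-like function. The `fetchFn` parameter, the fake fetches and the registry URLs in the demo are constructed for the example; ECONNREFUSED is deliberately left out of the transient set because it normally points at a wrong proxy or registry address rather than a passing fault.

```javascript
// Added example (not npm-consider's code): retry transient registry failures
// with exponential backoff and jitter, never retry auth or client errors.
const TRANSIENT_ERRNO = new Set(['ETIMEDOUT', 'ECONNRESET', 'EAI_AGAIN', 'EPIPE']);

function isTransient(err) {
  if (TRANSIENT_ERRNO.has(err.code)) return true;            // socket-level faults
  if (err.status === 429 || err.status >= 500) return true;  // throttling / server side
  return false;  // 401/403/404, ECONNREFUSED, parse errors: retrying will not help
}

// fetchFn(url) -> Promise<{ ok, status }> is assumed to behave like node-fetch.
async function fetchWithRetry(url, fetchFn, opts = {}) {
  const {
    attempts = 4,
    baseDelayMs = 500,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  let lastErr;
  for (let attempt = 0; attempt < attempts; attempt += 1) {
    try {
      const res = await fetchFn(url);
      if (res.ok) return res;
      const err = new Error(`Response is not ok ${res.status} ${url}`);
      err.status = res.status;
      throw err;
    } catch (err) {
      lastErr = err;
      if (!isTransient(err) || attempt === attempts - 1) throw err;
      // Exponential backoff plus random jitter so parallel fetches do not retry in lockstep.
      const delay = baseDelayMs * 2 ** attempt + Math.floor(Math.random() * baseDelayMs);
      await sleep(delay);
    }
  }
  throw lastErr;
}

// Constructed stand-ins for the registry: fail N times with a socket error, then succeed.
function makeFlakyFetch(failuresBeforeSuccess, code = 'ETIMEDOUT') {
  let calls = 0;
  const fn = async (url) => {
    calls += 1;
    if (calls <= failuresBeforeSuccess) {
      const err = new Error(`request to ${url} failed, reason: connect ${code}`);
      err.code = code;
      throw err;
    }
    return { ok: true, status: 200, url };
  };
  fn.calls = () => calls;
  return fn;
}

// Constructed stand-in for a registry that always answers with one HTTP status.
function makeStatusFetch(status) {
  let calls = 0;
  const fn = async (url) => {
    calls += 1;
    return { ok: status < 400, status, url };
  };
  fn.calls = () => calls;
  return fn;
}

const noSleep = async () => {};  // keeps the demo instantaneous

async function demo() {
  const flaky = makeFlakyFetch(2);
  const ok = await fetchWithRetry('https://registry.npmjs.org/cssnano', flaky, { sleep: noSleep });

  const unauthorized = makeStatusFetch(401);
  let authErr;
  try {
    await fetchWithRetry('https://npm.fontawesome.com/@fortawesome%2ffontawesome-svg-core',
      unauthorized, { sleep: noSleep });
  } catch (e) {
    authErr = e;
  }
  return {
    okStatus: ok.status, flakyCalls: flaky.calls(),
    authStatus: authErr.status, authCalls: unauthorized.calls(),
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

With two timeouts followed by success the wrapper makes three calls and returns the 200; the 401 is surfaced after a single call. Capping attempts matters as much as retrying: an unbounded loop against a registry that is genuinely down turns a dependency check into a denial of service against your own CI.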

Add new major category: "Reuse protective"

It has been drawn to my attention that there is really an even stronger category than "Network protective", as they put conditions on how the package is used even privately; yet it is still considered by some as open source, and I think it might be worth flagging, including with devDependencies.

While "Uncategorized" presumably already includes these (as well as any custom license terms), it might still be helpful to add "Reuse protective" as its own category.

Ignore specified dependencies?

Is it possible to give a list of dependencies to ignore when running for a whole project?
My team has some internal npm dependencies that aren't published.

Include Peer Dependencies in Details Report

When reading the details report, it would be great to understand what peer-dependencies are required of a package in addition to the dependencies that will be installed with a package.

Response is not ok when installing a package

 $ npx npm-consider i webvtt-parser
GET https://registry.npmjs.org/webvtt-parserError: Response is not ok
    at checkResponse (/Users/bilonenk/dev/lazy-german-subtitles/node_modules/npm-consider/lib/getPackageDetails.js:24:9)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)

Non interactive mode, details, ability to pipe

Related to #10 which correctly observes that

no good way to pipe it to a file

There shall be a non-interactive way to call details. The other issue already gives a potential solution by adding a --details arg

npm-consider install --test --details > detailsdump.txt

would solve both

  • #10, where OP could parse detailsdump.txt
  • my issue is twofold: a monstrously large dependency list, as well as trying to make this a Swiss army knife 😄; I'd like to parse the details dump (known structure) in the end to generate a licence/attribution file to ship along with the project (desktop Electron app)

Thanks!

Incorrectly identifying UNLICENSED as public domain

Looks like it may be checking things in a specific order, so it's identifying it as "Unlicense" (which is a correct license).

https://docs.npmjs.com/files/package.json

Finally, if you do not wish to grant others the right to use a private or unpublished package under any terms:
{ "license": "UNLICENSED" }

I'd suggest doing a longest-fit search for the license, so it can get the correct category.

If someone puts the wrong license in their package.json then that is an issue for them to fix ;-)
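A worked example, added here and not part of npm-consider or of any post above, of how the two categorization problems raised in this thread can be handled together: the "OR" versus "AND" question from the 'Handling of "OR"' post, and the UNLICENSED-versus-Unlicense confusion from this post. It parses the SPDX expression, categorizes each identifier by exact (case-insensitive) lookup instead of prefix matching, and then takes the most permissive branch of an OR and the most restrictive branch of an AND. The CATEGORY table and the RANK order are illustrative assumptions, not the project's own lists; `categorizeByPrefix` is included only to reproduce the bug class described above for contrast.

```javascript
// Added example (not npm-consider's code): categorize an npm "license" field.
// CATEGORY and RANK are illustrative assumptions, not the project's own tables.
const CATEGORY = {
  'mit': 'permissive', 'isc': 'permissive', 'bsd-2-clause': 'permissive',
  'bsd-3-clause': 'permissive', 'apache-2.0': 'permissive',
  'unlicense': 'publicDomain', 'cc0-1.0': 'publicDomain', 'wtfpl': 'publicDomain',
  'lgpl-2.1-or-later': 'weaklyProtective', 'lgpl-3.0-or-later': 'weaklyProtective',
  'mpl-2.0': 'weaklyProtective', 'epl-2.0': 'weaklyProtective',
  'gpl-2.0-only': 'protective', 'gpl-2.0-or-later': 'protective',
  'gpl-3.0-only': 'protective', 'gpl-3.0-or-later': 'protective',
  'agpl-3.0-only': 'networkProtective', 'agpl-3.0-or-later': 'networkProtective',
  'sspl-1.0': 'networkProtective',
  // npm's marker for "no rights granted"; it must never land in publicDomain.
  'unlicensed': 'uncategorized',
};
// Least to most restrictive; unknown licenses sort last so an OR never "chooses" them.
const RANK = ['publicDomain', 'permissive', 'weaklyProtective', 'protective',
  'networkProtective', 'uncategorized'];

// The bug class from the UNLICENSED issue: the first prefix match in table order
// wins, so "UNLICENSED" hits the "unlicense" entry and becomes public domain.
function categorizeByPrefix(id) {
  const lower = id.toLowerCase();
  for (const key of Object.keys(CATEGORY)) {
    if (lower.startsWith(key)) return CATEGORY[key];
  }
  return 'uncategorized';
}

// Fix: exact, case-insensitive lookup of the whole identifier.
function categorizeExact(id) {
  return CATEGORY[id.toLowerCase()] || 'uncategorized';
}

// SPDX expression subset: or := and ("OR" and)*; and := term ("AND" term)*;
// term := "(" or ")" | id ["WITH" exception]
function tokenize(expr) {
  return expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
}

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const isKeyword = (t, kw) => typeof t === 'string' && t.toUpperCase() === kw;

  function term() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const node = orExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return node;
    }
    if (t === ')' || ['AND', 'OR', 'WITH'].includes(t.toUpperCase())) {
      throw new Error(`unexpected token ${t}`);
    }
    if (isKeyword(peek(), 'WITH')) {
      next();
      const exception = next();
      if (exception === undefined) throw new Error('WITH without exception');
      return { type: 'with', id: t, exception };
    }
    return { type: 'id', id: t };
  }
  function andExpr() {
    let left = term();
    while (isKeyword(peek(), 'AND')) { next(); left = { type: 'and', left, right: term() }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (isKeyword(peek(), 'OR')) { next(); left = { type: 'or', left, right: andExpr() }; }
    return left;
  }
  const tree = orExpr();
  if (pos !== tokens.length) throw new Error(`trailing token ${tokens[pos]}`);
  return tree;
}

function pickByRank(a, b, choose) {
  return RANK[choose(RANK.indexOf(a), RANK.indexOf(b))];
}

function evaluate(node) {
  switch (node.type) {
    case 'id': return categorizeExact(node.id);
    // An exception rewrites the base license's obligations; flag it for human review.
    case 'with': return 'uncategorized';
    // The consumer picks one branch, so OR resolves to the most permissive side...
    case 'or': return pickByRank(evaluate(node.left), evaluate(node.right), Math.min);
    // ...while AND binds the consumer to both, so the most restrictive side wins.
    case 'and': return pickByRank(evaluate(node.left), evaluate(node.right), Math.max);
    default: throw new Error(`unknown node ${node.type}`);
  }
}

// Entry point: malformed or free-text fields ("SEE LICENSE IN ...") are flagged, not guessed.
function categorizeExpression(field) {
  try {
    return evaluate(parse(tokenize(String(field))));
  } catch (e) {
    return 'uncategorized';
  }
}

for (const f of ['GPL-3.0-or-later OR MIT', 'GPL-3.0-or-later AND MIT', 'UNLICENSED', 'Unlicense']) {
  console.log(`${f.padEnd(24)} prefix=${categorizeByPrefix(f)} exact=${categorizeExpression(f)}`);
}
```

Two design choices worth noting: anything the parser cannot resolve (free text, a truncated expression, an empty field) is reported as uncategorized rather than silently dropped, because the packages you most need to look at are exactly the ones with odd license fields; and WITH clauses are sent to uncategorized on purpose, since, as the "Classpath Exception" remark in the license suggestions above points out, an exception can move a license between categories in ways a table lookup cannot capture.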
