Does a published artifact affect npm install? - npm

I have a private, unpublished NPM package. Let's say it's named foo-test:
{
"name": "foo-test",
"version": "0.0.0",
"license": "MIT",
"private": true,
"scripts": {...},
"dependencies": {...}
}
It's not in the NPM registry, and I've marked it private.
I found out via a security audit that this is "vulnerable to dependency confusion attacks", but I don't know how.
If someone later comes along and publishes a real public package called foo-test to the NPM registry, will that affect my local development against my private package?
That is, let's say there's a real package foo-test@1.0.0 available on npmjs. If I run npm install locally against my own unrelated version of foo-test, will there be any side effects arising from the fact that the local package that I'm building has the same name as a public package on the registry?
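As an added example (not code from the question or from any answer on this page), a small Node.js audit that works out which registry npm would consult for each dependency name in a package.json, given the project's .npmrc, and flags internal names that would be looked up on the public registry. The scope `@acme`, the host `npm.internal.example` and the sample package.json are constructed for the demonstration.

```javascript
// Added audit example, not code from the original question. It works out which
// registry npm would consult for each dependency name, using the project's
// .npmrc, and flags internal names that resolve to the public registry.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
// Parse .npmrc into { registry, scopes }; scopes maps '@scope' -> registry URL.
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const scoped = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (scoped) cfg.scopes[scoped[1]] = scoped[2];
    const global = line.match(/^registry\s*=\s*(\S+)$/);
    if (global) cfg.registry = global[1];
  }
  return cfg;
}
// A scope-specific registry wins; otherwise the global one (public by default).
function resolveRegistry(name, cfg) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const pinned = Boolean(scope && cfg.scopes[scope]);
  return { registry: pinned ? cfg.scopes[scope] : cfg.registry, pinned };
}
// internalNames: package names the organisation considers private. The
// package's own "private": true is ignored on purpose: it only blocks
// `npm publish` and does not change how dependency names are resolved.
function auditDependencies(pkg, cfg, internalNames) {
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const report = { exposed: [], review: [], ok: [] };
  for (const [name, range] of Object.entries(deps)) {
    const { registry, pinned } = resolveRegistry(name, cfg);
    const entry = { name, range, registry };
    if (!internalNames.has(name) || pinned) report.ok.push(entry);
    else if (registry === PUBLIC_REGISTRY) report.exposed.push(entry);
    else report.review.push(entry); // global override: confirm it never falls back to the public registry for this name
  }
  return report;
}

// Constructed sample: an app depending on the unscoped private name from the
// question, a scoped internal package pinned in .npmrc, and a public package.
const SAMPLE_NPMRC = '@acme:registry=https://npm.internal.example/\n';
const SAMPLE_PKG = { name: 'internal-app', private: true,
  dependencies: { 'foo-test': '^0.0.0', '@acme/widgets': '^2.1.0', lodash: '^4.17.21' } };
const INTERNAL = new Set(['foo-test', '@acme/widgets']);
function runSample() {
  return auditDependencies(SAMPLE_PKG, parseNpmrc(SAMPLE_NPMRC), INTERNAL);
}
console.log(JSON.stringify(runSample(), null, 2));
```

The unscoped `foo-test` lands in `exposed` because nothing in .npmrc keeps npm from asking the public registry for that name, while `@acme/widgets` is pinned to the internal registry by its scope line.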

Related

Monorepo with npm workspaces - Lerna version fails when inter-package dependency is introduced for existing packages

I am working on a monorepo with 2 packages, say child and parent, initially not dependent on each other and already published to registry.
However, when I add inter-package dependency, lerna version command fails.
npm workspaces was provided in root package.json
useWorkspaces was provided in lerna.json
All was fine, till I decided to add package parent as dependency of package child.
packages/child/package.json was updated like so:
{
"name": "child",
"version": "0.1.13",
"description": "this package is being updated to depend on parent",
"main": "dist/index.js",
"dependencies": {
"parent": "*" // I added this
}
}
I had updates to both child and parent. Let's say the published versions of parent was 0.2.13 and child was 0.1.13 prior to the update.
npm install and the symlinks worked.
Build was successful.
During version however, after prompting for version bump with conventional-commits, lerna attempts npm install command and fails due to package parent version 0.2.14 being not available in npm remote registry.
It will not be available, as this version is going to be published only now.
On the version command (I am using conventional-commits),
Lerna asked if parent -> 0.2.14 and child -> 0.1.14 was okay, it was.
Lerna updated the package.json of package child to be as follows:
{
"name": "child",
"version": "0.1.14", // lerna changed this
"description": "this package is being updated to depend on parent",
"main": "dist/index.js",
"dependencies": {
"parent": "^0.2.14" // lerna changed this
}
}
Lerna updated the package.json of package parent to be as follows:
{
"name": "parent",
"version": "0.2.14", // lerna changed this
"description": "this package will be dependency of child",
"main": "dist/index.js"
}
Lerna tried to do npm install on both child and parent packages
This fails with the reason being that package parent version 0.2.14 is not yet available to install, since it's just going to be published now.
I followed this https://lerna.js.org/docs/getting-started.
It says
The "header": "*" and "footer": "*" tell Lerna to link the contents of the header and footer as if they were published to the registry.
I was expecting the lerna version command to work and create new version commit and tag as it was doing before I added inter-package dependencies using "*".
Should I be publishing parent first with new version 0.2.14 and then update child to point to this?
If that is the case, should I always publish parent first whenever there are breaking changes?
What is the right way to do this?
PS: Looks like it fails here: https://github.com/lerna/lerna/blob/main/commands/version/index.js#L634
Should I just remove package-lock.json from the root?

Is there a configuration where you can tell NPM to downgrade if package version isn't available?

If a package version, or peer dependency version is unavailable during an npm install, is it possible to configure NPM to ignore the version, and downgrade to the next lower version automatically (perhaps with a warning)?
No matching version found for @babel/generator@^7.18.9.
In most cases you or one of your dependencies are requesting
a package version that doesn't exist.
However, it exists here. While this is probably an issue for babel, we run a private npm-read-group that updates only every few hours, and it can be an issue when downloading packages that have just been updated.
As far as I know you should define "latest" as the value. For example:
{
"name": "name",
"private": true,
"description": "",
"dependencies": {
"lodash": "latest"
}
}
I do not recommend doing this, but it should work for what you wish.

Can't publish private npm package on Gitlab - E404 Not found PUT

I've tried many different docs and tutorials to publish a scoped npm package on a private gitlab instance.
So far I've:
Created a deploy token with package write & read permissions:
Setup a .npmrc file with the following contents:
@<scope>:registry=https://<domain>/api/v4/packages/npm/
//<domain>/api/v4/projects/<id>/packages/npm/:_authToken=<token>
//<domain>/api/v4/packages/npm/:_authToken=<token>
Added "publishConfig" to "package.json":
{
"name": "@<scope>/<name>",
"version": "1.0.0",
"main": "dist/index.js",
"license": "MIT",
"publishConfig": {
"@<scope>:registry": "https://<domain>/api/v4/projects/<id>/packages/npm"
},
"scripts": {
"build": "tsc",
"prepublish": "tsc"
},
"devDependencies": {
"ts-node": "^9.1.1"
}
}
Verified that the repo allows packages to be stored:
But every time I try and run either npm publish or yarn publish, it builds, packages but fails to publish:
The log file verbosely repeats the error log above.
I'm trying to release a private SDK for an internal service and would need a way to publish it so only those with the correct credentials can install it on their projects.
The link provided (Not Found - PUT https:// <link...> ) redirects to npmjs.com, which I believe wasn't supposed to happen, since I'm trying to store it on Gitlab instead of purchasing an organization on npmjs.
I've tried this process both on the private domain (running gitlab 13.9.1) and on https://gitlab.com, both with the same result on the same repository configuration disclosed above.
Am I missing some step? Thanks in advance!
Your .npmrc file has both instance and project level endpoints, but if you're using a project deploy token, the authentication of the token you're providing is scoped to the project, so you should only have the project endpoint.
@<scope>:registry=https://<domain>/api/v4/projects/<ID>/packages/npm/
//<domain>/api/v4/projects/<ID>/packages/npm/:_authToken=<TOKEN>
The project ID in the redacted part of the URL shown as part of the error message resulting from the attempted publish looks rather long. The project's ID isn't the project's slug; it's a numeric value instead.

Does Lerna bump dependency versions when releasing new versions?

If I have a monorepo with packageA and packageB, with the latter having a dependency on the former, and I then run lerna version major, for example, resulting in packageA's version number being bumped, does the listing of the dependency on it in packageB's package.json also get bumped automatically, or should that be done manually?
(I tried setting up a test repository to do this, but then Lerna was complaining it didn't have a remote yet, so I'm hoping someone with experience using Lerna knows the answer.)
For the sake of this answer, I'm going to assume you are not using Conventional Commits. Please feel free to respond with more specifics if I assume wrong.
TL;DR
Yes, if you run lerna version major, all packages in your repo will be updated to a new major version and the package.json file for packageB will be updated with the new version number for packageA.
Details
Let's say you have your packageA and packageB packages in your monorepo and they have package.json files that look like this:
# packageA/package.json
{
"name": "packageA",
"version": "1.0.0"
}
# packageB/package.json
{
"name": "packageB",
"version": "1.0.0",
"dependencies": {
"packageA": "^1.0.0"
}
}
When you run lerna version major:
The version field in packageA/package.json will update to 2.0.0
The version field in packageB/package.json will update to 2.0.0
The dependencies.packageA field in packageB/package.json will update to ^2.0.0
# packageA/package.json
{
"name": "packageA",
"version": "2.0.0"
}
# packageB/package.json
{
"name": "packageB",
"version": "2.0.0",
"dependencies": {
"packageA": "^2.0.0"
}
}

Why does `npm init` Assume NPM Package Build?

This is definitely a theoretical question, but why does running npm init ask a bunch of questions for setting up the fields below?
"name": "my-project-that's-definitely not going to npm",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
A very large percentage of us are using npm just for the package management aspect of it. It seems to me like there should be an option to not set it up as anything BUT a package manager, so just:
"dependencies": {
"@whatever/somepackage": ">=4.0.0-beta <5.0.0",
},
The only justification I can think of is that a lot of people also use npm as a build tool, so this provides an entry point for running scripts. Is that correct? Are there other reasons?
P.S. I know I can use the -y flag to default the fields, but that still creates them.
You are correct that npm's foremost purpose is a package manager.
And being a package manager, it manages various aspects of a package.
Being a package, it means your code should be able to be distributed and reused by others.
That's why basic information such as name, version, and license is needed.
And npm init is the best place and best time to declare those.
As you mention, you can use npm init -y to use default values so that you don't have to answer them.