I know there's a public API for getting NPM download counts, as well as tools built on top of it like npm-stat and npmtrends. However, I'd like to get more granular and see downloads for a particular package by version. I don't see this documented in the API docs anywhere. Is it possible?
Per version download counts are now available from the npm registry.
Download counts for specific versions of a package are only available for the previous 7 days. They have a unique API endpoint:
GET https://api.npmjs.org/versions/{package}/last-week
Note: for scoped packages, the / needs to be percent encoded (@slack/client -> @slack%2Fclient).
They're also displayed in the Versions tab of the package's home page.
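An added example (not part of the answer above) showing how to build that endpoint URL, including the percent-encoded slash for scoped packages, and how to turn a response into a per-version share of last week's installs. The response shape `{ package, downloads: { "<version>": <count> } }` is my assumption about what the endpoint returns, and the sample numbers are constructed; confirm the shape against a live call before relying on it.

```javascript
// Added example, not the original answer's code. Assumes the endpoint answers
// with { package, downloads: { "<version>": <count> } } (unverified assumption).

function perVersionUrl(pkg) {
  // Scoped packages contain a '/', which must be sent as %2F so the registry
  // does not read scope and name as two path segments
  // (@slack/client -> @slack%2Fclient, as the answer notes).
  return `https://api.npmjs.org/versions/${pkg.replace('/', '%2F')}/last-week`;
}

function summarizeDownloads(resp) {
  // Sort versions by count and compute each version's share of the weekly total.
  const entries = Object.entries(resp.downloads)
    .map(([version, count]) => ({ version, count }));
  entries.sort((a, b) => b.count - a.count);
  const total = entries.reduce((sum, e) => sum + e.count, 0);
  return {
    package: resp.package,
    total,
    versions: entries.map(e => ({ ...e, share: total ? e.count / total : 0 })),
  };
}

async function fetchPerVersionDownloads(pkg) {
  // Live call; Node 18+ provides a global fetch. Not exercised by the
  // offline sample below.
  const res = await fetch(perVersionUrl(pkg));
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${pkg}`);
  return summarizeDownloads(await res.json());
}

// Constructed sample response; counts are invented for illustration only.
const SAMPLE_RESPONSE = {
  package: '@slack/client',
  downloads: { '3.8.0': 120, '4.0.0': 30, '5.0.2': 850 },
};

console.log(perVersionUrl('@slack/client'));
console.log(JSON.stringify(summarizeDownloads(SAMPLE_RESPONSE), null, 2));
```

The `share` field is the number a maintainer actually wants after shipping a security fix: it tells you what fraction of last week's installs still landed on an older release, which is the quickest way to see whether downstream users have picked up the patched version.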
I've been assuming that some percentage of the total download counts for my NPM packages must be coming from bots that have been programmed to automatically download any new version of a package that gets published. Is there any way to determine what percentage of downloads are coming from these sort of bots vs actual human users?
Apparently one of my repos has a vulnerable package, but when I look it up it doesn't exist. Any ideas?
https://github.com/substack/minimist
https://www.npmjs.com/package/minimist
TL;DR
I think the author's GitHub account was hidden, deleted, or suspended.
Reasoning
The page https://github.com/substack also leads to a 404.
I found a July 2022 snapshot of the minimist GitHub repo on archive.org. It looks like there were 43 open issues and 28 open PRs at that point, and the latest commit was 4 months prior, in March 2022. While 4 months isn't a long time, the number of open items may indicate that the maintainer didn't have enough time to keep working on the project. This is pure speculation on my part - I haven't tried to make contact or anything like that.
While the NPM unpublish policy and the NPM acceptable use policy define scenarios where the package could be removed entirely from NPM, it doesn't even appear to be deprecated. The package page is still up on the website.
GitHub policy allows for suspending or hiding a user account, or the user could easily have chosen to delete it for whatever reason.
My recommendation
Both the repository's README and https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 indicate that 1.2.6 fixes that security issue, so I would force that in your lockfile as soon as you have the bandwidth. If this is a transitive dependency, it may also be worth warning the maintainers of whichever package directly depends on minimist.
You do have another option, since the code is licensed under an MIT license. You (and/or anyone else who is interested) can choose to fork the code and build a fully-compatible replacement version of the package. Of course, you can also choose to switch to another argument-parsing library.
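To act on the recommendation above you first need to know every copy of minimist your lockfile resolves, including nested copies pulled in by transitive dependencies, since those are the ones a top-level bump does not touch. This added example (not from the answer) scans a `package-lock.json` of lockfileVersion 2 or 3, where the `packages` map keys install paths ending in `node_modules/<name>` to entries with a `version` field, and flags copies older than the fixed release. The sample lockfile is constructed for illustration.

```javascript
// Added example, not the original answer's code. Assumes lockfileVersion 2/3:
// lock.packages maps ".../node_modules/<name>" -> { version, ... }.

function parseVersion(v) {
  // Minimal numeric major.minor.patch parse; a prerelease tag is dropped.
  return v.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  // Returns -1, 0 or 1 like a comparator; good enough for release versions.
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function findPackageCopies(lock, name) {
  // Matches both the top-level copy and every nested copy under another
  // package's node_modules; scoped names (@scope/name) work the same way.
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

function auditPackage(lock, name, fixedVersion) {
  // Each copy is marked vulnerable when it resolves below the fixed version.
  return findPackageCopies(lock, name).map(c => ({
    ...c,
    vulnerable: compareVersions(c.version, fixedVersion) < 0,
  }));
}

// Constructed sample lockfile: one direct copy already on the fixed release
// and one nested copy still on an old 0.x release.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { minimist: '^1.2.6', mkdirp: '^0.5.1' } },
    'node_modules/minimist': { version: '1.2.6' },
    'node_modules/mkdirp': { version: '0.5.1', dependencies: { minimist: '0.0.8' } },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
  },
};

console.log(auditPackage(SAMPLE_LOCK, 'minimist', '1.2.6'));
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it on a real project. Once you know which nested copies are behind, npm's `overrides` field in `package.json` (npm 8.3 and later; Yarn calls it `resolutions`) forces a single resolution for the whole tree, e.g. `"overrides": { "minimist": "^1.2.6" }`, after which `npm install` and `npm ls minimist` confirm nothing below 1.2.6 remains.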
I am using VuePress to build my static site. Is there any risk that anyone else can see my site's source? My site is not open-source and I am using npm, so I want to ask: will my VuePress package be published openly? It's really important to me and I don't want to reveal the source of my site.
About "Is there any risk that anyone else can see my site source":
There is no way to protect javascript intended to run in a browser from a determined viewer.
If the browser can run it, then any determined viewer can view/run it also.
About NPM:
npm is a package manager for the JavaScript programming language maintained by npm, Inc. npm is the default package manager for the JavaScript runtime environment Node.js.
The npm registry contains packages, many of which are also Node modules, or contain Node modules.
npm has two types of packages: public packages, which everyone can see, and private packages, which others can't see.
So if you fear that people will see the source code in your package, just make it private or just don't put your code on npm at all.
I have a test harness, in which I would like to verify the version number of a nuget package automatically.
I have been searching for a good while trying to find a way to get the latest version number (not the latest package) for a given package. But no luck.
Is there a way to get the latest version number of a package via an API? (Needs to be automatable).
If it matters, I am using ProGet for my NuGet repository.
This URL template will get you the package info (in XML) of the latest version. You will then have to parse out the LatestVersion or AbsoluteLatestVersion:
$"https://{yourNuGetRepositoryBaseUrl}/nuget/{feedName}/Packages()?$filter=Id%20eq%20%27{packageId}%27%20and%20IsLatestVersion&$top=1"
Note that this works with ProGet (that has many different feeds). You could probably omit the FeedName part to use it with NuGet.org.
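An added example (not from the answer, and in JavaScript rather than the C# the answer's interpolated string implies) that builds the same URL and extracts the version from the feed's reply, so a test harness can assert on it. My assumption about the reply is that the NuGet v2 OData feed returns an Atom entry whose `m:properties` element carries `d:Version`, `d:IsLatestVersion` and `d:IsAbsoluteLatestVersion`; the host name, feed name and sample XML are constructed placeholders.

```javascript
// Added example, not the original answer's code. The Atom/OData reply shape
// (m:properties with d:Version and the two IsLatest flags) is an assumption
// about NuGet v2 feeds; the host and feed names are placeholders.

function latestVersionUrl(baseUrl, feedName, packageId) {
  // Mirrors the answer's template: filter on Id and IsLatestVersion, take one.
  // encodeURIComponent leaves apostrophes alone, so encode them as %27 by hand
  // to match the template exactly.
  const filter = `Id eq '${packageId}' and IsLatestVersion`;
  const encoded = encodeURIComponent(filter).replace(/'/g, '%27');
  return `https://${baseUrl}/nuget/${feedName}/Packages()?$filter=${encoded}&$top=1`;
}

function readProperty(xml, name) {
  // Minimal extraction of one d:<name> property from the first entry. Swap in a
  // real XML parser if the feed ever returns more than one entry per call.
  const m = new RegExp(`<d:${name}[^>]*>([^<]*)</d:${name}>`).exec(xml);
  return m ? m[1] : null;
}

function extractLatest(xml) {
  const version = readProperty(xml, 'Version');
  if (!version) throw new Error('no Version element in feed response');
  return {
    version,
    isLatest: readProperty(xml, 'IsLatestVersion') === 'true',
    isAbsoluteLatest: readProperty(xml, 'IsAbsoluteLatestVersion') === 'true',
  };
}

function verifyLatestVersion(xml, expected) {
  // The check a test harness would run: the feed's latest stable version
  // must equal the version the harness expects.
  const latest = extractLatest(xml);
  return latest.isLatest && latest.version === expected;
}

// Constructed sample reply (abbreviated to the elements the code reads).
const SAMPLE_FEED_XML = `<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
      xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <entry>
    <title type="text">Newtonsoft.Json</title>
    <m:properties>
      <d:Id>Newtonsoft.Json</d:Id>
      <d:Version>13.0.3</d:Version>
      <d:IsLatestVersion m:type="Edm.Boolean">true</d:IsLatestVersion>
      <d:IsAbsoluteLatestVersion m:type="Edm.Boolean">true</d:IsAbsoluteLatestVersion>
    </m:properties>
  </entry>
</feed>`;

console.log(latestVersionUrl('nuget.example.com', 'default', 'Newtonsoft.Json'));
console.log(extractLatest(SAMPLE_FEED_XML));
```

Fetching the XML is a plain HTTPS GET of the URL (with whatever API key header your ProGet feed requires); the harness then calls `verifyLatestVersion` on the body. Checking `isLatest` as well as the version string guards against the filter being silently ignored and the first arbitrary entry coming back.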
I read npm's documentation for npm unpublish but I find it confusing that unpublished versions still show up under a module's versions history/tab.
What is the practical impact of unpublishing a version?
Is it normal that unpublished versions still show up in a module's versions tab?
How do I retrieve the list of active (not unpublished) versions associated with a module?
What happens if users try to install an unpublished version?
I assume that users who have cached an unpublished version locally won't be blocked from installing it. Is that correct?