pin-dependencies-checker

[![License](https://img.shields.io/npm/l/pin-dependencies-checker.svg)](./LICENSE) [![npm](https://img.shields.io/npm/v/pin-dependencies-checker.svg)](https://www.npmjs.com/package/pin-dependencies-checker) [![Badge](https://github.com/raulfdm/pin-depende



Pin Dependencies Checker CLI


Sometimes you need a reminder for boring tasks.


Why

The development world is wild. Every team has its own ways to do things.

Some trust that open source libraries always strictly follow semantic versioning and, when installing dependencies, just accept that the caret (^) will be fine. Others want maximum control over everything and like to have every dependency pinned. With a caret range, whatever newer minor or patch version the registry serves at install time is what you get (unless a lockfile freezes it), which is exactly why some teams pin.

Personally, I don't mind and don't judge. Both approaches have pros and cons. Renovate's blog has an entire post explaining when you should pin dependency versions.

What I do mind is having to remember to pin a dependency version every time I install one, and getting a comment on a PR that's almost ready to merge like:

"Hey, you forgot to pin this dependency. (;"

So I decided to automate this process. :)

How it works

The idea is quite simple. This CLI:

  1. Reads the package.json file in the directory it's called from;
  2. Based on the config (defaults or the args you pass), checks each selected dependency's version spec for a caret (^);
  3. If any are found, prints a list of all unpinned dependencies and exits with an error (process.exit(1)); otherwise it exits cleanly with process.exit(0).

Note that only the caret is detected at the moment: a tilde (~), a comparison range such as >=1.0.0, or a dist-tag like latest will pass the check (see TODOs).

Getting started

You can use this CLI globally or as a project dependency.

Global

yarn global add pin-dependencies-checker

# Or via npm...

npm install -g pin-dependencies-checker

Then, in your project root dir (where the package.json file is located), you can just call

pin-checker

From the registry (npx)

An alternative to installing it globally is running it via npx. If you're not familiar with the concept, check this blog post; in a nutshell, npx can execute packages directly from the registry.

It's handy for CI environments: add a step that runs this CLI and, based on its exit code, the pipeline fails or passes. Since npx fetches the package from the registry at run time, pin the version you run in CI (npx pin-dependencies-checker@<version>) so that the checker itself is not an unpinned dependency.

npx pin-dependencies-checker

Local

If you want to have it as part of your project, add it as a devDependency:

yarn add -D pin-dependencies-checker

# Or via npm...

npm install --save-dev pin-dependencies-checker

Then, in your project root dir (where the package.json file is located), run it through your package manager:

yarn pin-checker

# Or via npm...

npx pin-checker

Git hooks

The goal of this project is to automate a boring task, right? So you can run it as a pre-commit hook using husky.

For that, install husky as devDependency:

yarn add -D husky

# Or via npm...

npm install --save-dev husky

After that, open your package.json file and add the husky config with a pre-commit hook (this is the husky v4 config format, which needs the "hooks" key; husky v5 and later use shell scripts under a .husky/ directory instead):

{
  "husky": {
    "hooks": {
      "pre-commit": "pin-checker"
    }
  }
}

Keep in mind that a pre-commit hook only runs on the developer's machine and can be skipped with git commit --no-verify, so keep the CI step as the enforcement point and treat the hook as an early reminder.

Arguments

Maybe you only want to check devDependencies, or only dependencies. You can customize that via CLI args:

Note: you can combine multiple args.

--peerDeps

Default: false

To enable peerDependencies:

yarn pin-checker --peerDeps=true

peerDependencies, dependencies, and devDependencies will all be evaluated.

--deps

Default: true

To disable dependencies:

yarn pin-checker --deps=false

Only devDependencies will be evaluated.

--devDeps

Default: true

To disable dev dependencies:

yarn pin-checker --devDeps=false

Only dependencies will be evaluated.

TODOS

  • Accept --path for a custom package.json path
  • Check for the tilde (~) by default, and for other range operators such as < and > via arguments

License

MIT