Check npm package dependencies size, licenses and impact on your package before installing it 🤔
npm install -g npm-consider
Note: this tool is more useful when your colleagues also use it 😉
Add a new dependency
npm-consider takes the same arguments as npm install:
npm-consider install --save express
The command recursively requests package info from npm and builds a dependency graph. The size of each package is determined via a HEAD request to its tarball download URL.
Analyze a local package
When called without arguments in a package directory, it builds a dependency graph and calculates metrics for the local package.
Use in automation and continuous integration
You can specify the maximum size and number of packages, as well as the allowed license types, in the config section of your package.json:
"config": {
  "maxPackagesNumber": 100,
  "maxSizeBites": 840400,
  "allowedLicenseTypes": [
    "permissive",
    "publicDomain",
    "uncategorized"
  ]
}
Once the limits are provided, you can call
npm-consider install --test
If all limits are satisfied, the command exits with code 0; otherwise it exits with code 1.
Note: in this mode, npm-consider will not call npm install or yarn install.
Supported properties:
maxPackagesNumber: the maximum number of npm dependencies, including transitive dependencies
maxSizeBites: the maximum total size of the downloaded packages, in bytes
allowedLicenseTypes: which types of dependency licenses are acceptable for the package. Supported types are publicDomain, permissive, weaklyProtective, protective, networkProtective and uncategorized.
If you are not sure which license types are appropriate, check this article.
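The following is an added example, not npm-consider's own code: it applies the config limits described above (maxPackagesNumber, maxSizeBites, allowedLicenseTypes) to a constructed dependency graph and returns the pass/fail verdict that decides the exit code of npm-consider install --test. The license-identifier-to-type mapping and the package entries are assumptions made for the illustration.

```javascript
// Constructed package.json fragment using the limits described above.
const packageJson = {
  config: {
    maxPackagesNumber: 100,
    maxSizeBites: 840400,
    allowedLicenseTypes: ['permissive', 'publicDomain', 'uncategorized'],
  },
};

// Assumed mapping from license identifier to npm-consider's license types;
// the type names are the page's, the individual assignments are illustrative.
const LICENSE_TYPES = {
  MIT: 'permissive', ISC: 'permissive', Unlicense: 'publicDomain',
  'LGPL-3.0': 'weaklyProtective', 'GPL-3.0': 'protective', 'AGPL-3.0': 'networkProtective',
};

// A missing or unknown license is "uncategorized", as the page describes.
function licenseType(license) {
  return LICENSE_TYPES[license] || 'uncategorized';
}

// Constructed graph of every package reachable from the root (transitive
// dependencies included); sizeBytes stands in for the tarball's Content-Length.
const graph = [
  { name: 'express', version: '4.17.1', license: 'MIT', sizeBytes: 208000 },
  { name: 'body-parser', version: '1.19.0', license: 'MIT', sizeBytes: 24000 },
  { name: 'no-license-lib', version: '2.0.0', license: undefined, sizeBytes: 9000 },
  { name: 'copyleft-lib', version: '1.0.0', license: 'GPL-3.0', sizeBytes: 40000 },
];

// Returns { ok, violations }; ok === true corresponds to exit code 0.
function checkLimits(deps, config) {
  const violations = [];
  const totalSize = deps.reduce((sum, d) => sum + d.sizeBytes, 0);
  if (deps.length > config.maxPackagesNumber) {
    violations.push(`${deps.length} packages > maxPackagesNumber ${config.maxPackagesNumber}`);
  }
  if (totalSize > config.maxSizeBites) {
    violations.push(`${totalSize} bytes > maxSizeBites ${config.maxSizeBites}`);
  }
  for (const d of deps) {
    const type = licenseType(d.license);
    if (!config.allowedLicenseTypes.includes(type)) {
      violations.push(`${d.name}@${d.version}: ${d.license} is ${type}, not allowed`);
    }
  }
  return { ok: violations.length === 0, violations };
}
const verdict = checkLimits(graph, packageJson.config);
console.log(verdict.ok ? 'exit code 0' : `exit code 1\n${verdict.violations.join('\n')}`);
```

With the constructed graph only copyleft-lib fails (GPL-3.0 is protective, which the config does not allow), so the verdict maps to exit code 1.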
If the project contains a yarn.lock file, npm-consider will run yarn add with the corresponding options.
npm-consider calculates a license type for every dependency. The type defines the license policy for linking it as a library. The data is collected from the Comparison of free and open-source software licenses on Wikipedia.
Public Domain and Permissive licenses allow you to do anything except sue the author
Weakly Protective licenses restrict how the code can be linked and combined with other licenses
Protective or Copyleft dependency licenses require the dependent module to have a free license, which prevents it from being proprietary
Network Protective licenses are the same as Protective but are also triggered by network interaction
Uncategorized means that the license was not found in the package info or has not been categorised in terms of linking; feel free to contribute to the license categorisation
Note that even permissive licenses have some restrictions. Check the following slide and article to learn about license compatibility:
The Free-Libre / Open Source Software (FLOSS) License Slide
npm install with the same arguments
--save or --save-dev option. The second one takes into account already installed dependencies and devDependencies.
npm install; no changes in your project will apply.