makyo
/
zk_html
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update from sparkleup

This commit is contained in:
Madison Scott-Clary 2022-06-08 10:55:21 -07:00
parent da02927202
commit 45a0a19bc2
1 changed files with 147 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

248
work/ctm-399.html
View File

@ -54,7 +54,7 @@
<span class="na">This utility will walk you through creating a package.json file.</span><span class="w"></span>
<span class="na">It only covers the most common items, and tries to guess sensible defaults.</span><span class="w"></span>
<span class="na">See `npm help json` for definitive documentation on these fields</span><span class="w"></span>
<span class="na">See `npm help init` for definitive documentation on these fields</span><span class="w"></span>
<span class="na">and exactly what they do.</span><span class="w"></span>
<span class="na">Use `npm install &lt;pkg&gt;` afterwards to install a package and</span><span class="w"></span>
@ -69,14 +69,14 @@
<p>&lt;$&gt;[note]
<strong>Note:</strong> Node.js packages are expected to follow the <a href="https://semver.org/">Semantic Versioning</a> (semver) guide. Therefore, the first number will be the <code>MAJOR</code> version number that only changes when the API changes. The second number will be the <code>MINOR</code> version that changes when features are added. The last number will be the <code>PATCH</code> version that changes when bugs are fixed.
&lt;$&gt;</p>
<p>Press <code>ENTER</code> so the default version is accepted.</p>
<p>Press <code>ENTER</code> so the default version of <code>1.0.0</code> is accepted.</p>
<p>The next field is <code>description</code>—a useful string to explain what your Node.js module does. Our fictional <code>locator</code> project would get the user&rsquo;s IP address and return the country of origin. A fitting <code>description</code> would be <code>Finds the country of origin of the incoming request</code>, so type in something like this and press <code>ENTER</code>. The <code>description</code> is very useful when people are searching for your module.</p>
<p>The following prompt will ask you for the <code>entry point</code>. If someone installs and <code>requires</code> your module, what you set in the <code>entry point</code> will be the first part of your program that is loaded. The value needs to be the relative location of a JavaScript file, and will be added to the <code>main</code> property of the <code>package.json</code>. Press <code>ENTER</code> to keep the default value.</p>
<p>The following prompt will ask you for the <code>entry point</code>. If someone installs and <code>requires</code> your module, what you set in the <code>entry point</code> will be the first part of your program that is loaded. The value needs to be the relative location of a JavaScript file, and will be added to the <code>main</code> property of the <code>package.json</code>. Press <code>ENTER</code> to keep the default value of <code>index.js</code>.</p>
<p>&lt;$&gt;[note]
<strong>Note</strong>: Most modules have an <code>index.js</code> file as the main point of entry. This is the default value for a <code>package.json</code>&lsquo;s <code>main</code> property, which is the point of entry for npm modules. If there is no <code>package.json</code>, Node.js will try to load <code>index.js</code> by default.
&lt;$&gt;</p>
<p>Next, you&rsquo;ll be asked for a <code>test command</code>, an executable script or command to run your project tests. In many popular Node.js modules, tests are written and executed with <a href="https://mochajs.org/">Mocha</a>, <a href="https://jestjs.io/">Jest</a>, <a href="https://jasmine.github.io/">Jasmine</a>, or other test frameworks. Since testing is beyond the scope of this article, leave this option empty for now, and press <code>ENTER</code> to move on.</p>
<p>The <code>init</code> command will then ask for the project&rsquo;s <a href="https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repositories">GitHub Repository</a>. You won&rsquo;t use this in this example, so leave it empty as well.</p>
<p>The <code>init</code> command will then ask for the project&rsquo;s git repository, which may live on a service such as GitHub (for more information, see <a href="https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repositories">GitHub&rsquo;s Repository documentation</a>). You won&rsquo;t use this in this example, so leave it empty as well.</p>
<p>After the repository prompt, the command asks for <code>keywords</code>. This property is an array of strings with useful terms that people can use to find your repository. It&rsquo;s best to have a small set of words that are really relevant to your project, so that searching can be more targeted. List these keywords as a string with commas separating each value. For this sample project, type <code>ip,geo,country</code> at the prompt. The finished <code>package.json</code> will have three items in the array for <code>keywords</code>.</p>
<p>The next field in the prompt is <code>author</code>. This is useful for users of your module who want to get in contact with you. For example, if someone discovers an exploit in your module, they can use this to report the problem so that you can fix it. The <code>author</code> field is a string in the following format: <code>"&lt;^&gt;Name&lt;^&gt; \&lt;&lt;^&gt;Email&lt;^&gt;\&gt; (&lt;^&gt;Website&lt;^&gt;)"</code>. For example, <code>"Sammy \&lt;sammy@your_domain\&gt; (https://your_domain)"</code> is a valid author. The email and website data are optional—a valid author could just be a name. Add your contact details as an author and confirm with <code>ENTER</code>.</p>
<p>Finally, you&rsquo;ll be prompted for the <code>license</code>. This determines the legal permissions and limitations users will have while using your module. Many Node.js modules are open source, so npm sets the default to <a href="https://www.npmjs.com/package/isc-license">ISC</a>.</p>
@ -109,17 +109,17 @@
<p>Once the information matches what you see here, press <code>ENTER</code> to complete this process and create the <code>package.json</code> file. With this file, you can keep a record of modules you install for your project.</p>
<p>Now that you have your <code>package.json</code> file, you can test out installing modules in the next step.</p>
<h2 id="step-2-installing-modules">Step 2 — Installing Modules</h2>
<p>It is common in software development to use external libraries to perform ancillary tasks in projects. This allows the developer to focus on the business logic and create the application more quickly and efficiently.</p>
<p>It is common in software development to use external libraries to perform ancillary tasks in projects. This allows the developer to focus on the business logic and create the application more quickly and efficiently by utilizing tools and code that others have written that accomplish tasks one needs.</p>
<p>For example, if our sample <code>locator</code> module has to make an external API request to get geographical data, we could use an HTTP library to make that task easier. Since our main goal is to return pertinent geographical data to the user, we could install a package that makes HTTP requests easier for us instead of rewriting this code for ourselves, a task that is beyond the scope of our project.</p>
<p>Let&rsquo;s run through this example. In your <code>locator</code> application, you will use the <a href="https://github.com/axios/axios">axios</a> library, which will help you make HTTP requests. Install it by entering the following in your shell:</p>
<div class="codehilite"><pre><span></span><code>npm install axios --save
</code></pre></div>
<p>You begin this command with <code>npm install</code>, which will install the package (for brevity you can use <code>npm i</code>). You then list the packages that you want installed, separated by a space. In this case, this is <code>axios</code>. Finally, you end the command with the optional <code>--save</code> parameter, which specifies that <code>axios</code> will be saved as a project dependency.</p>
<p>You begin this command with <code>npm install</code>, which will install the package (for brevity you can also use <code>npm i</code>). You then list the packages that you want installed, separated by a space. In this case, this is <code>axios</code>. Finally, you end the command with the optional <code>--save</code> parameter, which specifies that <code>axios</code> will be saved as a project dependency.</p>
<p>When the library is installed, you will see output similar to the following:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">...</span><span class="w"></span>
<span class="na">+ axios@0.19.0</span><span class="w"></span>
<span class="na">+ axios@0.27.2</span><span class="w"></span>
<span class="na">added 5 packages from 8 contributors and audited 5 packages in 0.764s</span><span class="w"></span>
<span class="na">found 0 vulnerabilities</span><span class="w"></span>
</code></pre></div>
@ -146,24 +146,24 @@
<span class="w"> </span><span class="nt">&quot;author&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Sammy sammy@your_domain (https://your_domain)&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="nt">&quot;license&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ISC&quot;</span><span class="p">,</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;dependencies&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;axios&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^0.19.0&quot;</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;axios&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^0.27.2&quot;</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="p">}</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>The <code>--save</code> option told npm to update the <code>package.json</code> with the module and version that was just installed. This is great, as other developers working on your projects can easily see what external dependencies are needed.</p>
<p>The <code>--save</code> option told <code>npm</code> to update the <code>package.json</code> with the module and version that was just installed. This is great, as other developers working on your projects can easily see what external dependencies are needed.</p>
<p>&lt;$&gt;[note]
<strong>Note</strong>: You may have noticed the <code>^</code> before the version number for the <code>axios</code> dependency. Recall that semantic versioning consists of three digits: <strong>MAJOR</strong>, <strong>MINOR</strong>, and <strong>PATCH</strong>. The <code>^</code> symbol signifies that any higher MINOR or PATCH version would satisfy this version constraint. If you see <code>~</code> at the beginning of a version number, then only higher PATCH versions satisfy the constraint.
&lt;$&gt;</p>
<p>When you are finished reviewing <code>package.json</code>, exit the file.</p>
<p>When you are finished reviewing <code>package.json</code>, close the file. If you used nano to edit the file, you can do so by pressing <code>CTRL + X</code> and then <code>ENTER</code>.</p>
<h3 id="development-dependencies">Development Dependencies</h3>
<p>Packages that are used for the development of a project but not for building or running it in production are called <em>development dependencies</em>. They are not necessary for your module or application to work in production, but may be helpful while writing the code.</p>
<p>For example, it&rsquo;s common for developers to use <a href="https://en.wikipedia.org/wiki/Lint_(software)"><em>code linters</em></a> to ensure their code follows best practices and to keep the style consistent. While this is useful for development, this only adds to the size of the distributable without providing a tangible benefit when deployed in production.</p>
<p>Install a linter as a development dependency for your project. Try this out in your shell:</p>
<div class="codehilite"><pre><span></span><code><span class="n">npm</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="n">eslint</span><span class="mf">@6.0.0</span><span class="w"> </span><span class="o">--</span><span class="n">save</span><span class="o">-</span><span class="n">dev</span><span class="w"></span>
<div class="codehilite"><pre><span></span><code><span class="n">npm</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="n">eslint</span><span class="mf">@8.0.0</span><span class="w"> </span><span class="o">--</span><span class="n">save</span><span class="o">-</span><span class="n">dev</span><span class="w"></span>
</code></pre></div>
<p>In this command, you used the <code>--save-dev</code> flag. This will save <code>eslint</code> as a dependency that is only needed for development. Notice also that you added <code>@6.0.0</code> to your dependency name. When modules are updated, they are tagged with a version. The <code>@</code> tells npm to look for a specific tag of the module you are installing. Without a specified tag, npm installs the latest tagged version. Open <code>package.json</code> again:</p>
<p>In this command, you used the <code>--save-dev</code> flag. This will save <code>eslint</code> as a dependency that is only needed for development. Notice also that you added <code>@8.0.0</code> to your dependency name. When modules are updated, they are tagged with a version. The <code>@</code> tells npm to look for a specific tag of the module you are installing. Without a specified tag, npm installs the latest tagged version. Open <code>package.json</code> again:</p>
<div class="codehilite"><pre><span></span><code>nano package.json
</code></pre></div>
@ -188,14 +188,14 @@
<span class="w"> </span><span class="nt">&quot;axios&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^0.19.0&quot;</span><span class="w"></span>
<span class="w"> </span><span class="p">},</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;devDependencies&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;eslint&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^6.0.0&quot;</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="nt">&quot;eslint&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;^8.0.0&quot;</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="w"> </span><span class="err">&lt;^&gt;</span><span class="p">}</span><span class="err">&lt;^&gt;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p><code>eslint</code> has been saved as a <code>devDependencies</code>, along with the version number you specified earlier. Exit <code>package.json</code>.</p>
<h3 id="automatically-generated-files-node_modules-and-package-lockjson">Automatically Generated Files: <code>node_modules</code> and <code>package-lock.json</code></h3>
<p>When you first install a package to a Node.js project, npm automatically creates the <code>node_modules</code> folder to store the modules needed for your project and the <code>package-lock.json</code> file that you examined earlier. </p>
<p>When you first install a package to a Node.js project, <code>npm</code> automatically creates the <code>node_modules</code> folder to store the modules needed for your project and the <code>package-lock.json</code> file that you examined earlier. </p>
<p>Confirm these are in your working directory. In your shell, type <code>ls</code> and press <code>ENTER</code>. You will observe the following output:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">node_modules package.json package-lock.json</span><span class="w"></span>
@ -222,7 +222,7 @@ mkdir cloned_locator
</code></pre></div>
<p>npm will check for a <code>package-lock.json</code> file to install the modules. If no lock file is available, it would read from the <code>package.json</code> file to determine the installations. It is usually quicker to install from <code>package-lock.json</code>, since the lock file contains the exact version of modules and their dependencies, meaning npm does not have to spend time figuring out a suitable version to install.</p>
<p>When deploying to production, you may want to skip the development dependencies. Recall that development dependencies are stored in the <code>devDependencies</code> section of <code>package.json</code>, and have no impact on the running of your app. When installing modules as part of the CI/CD process to deploy your application, omit the dev dependencies by running:</p>
<p>When deploying to production, you may want to skip the development dependencies. Recall that development dependencies are stored in the <code>devDependencies</code> section of <code>package.json</code>, and have no impact on the running of your app. When installing modules as part of the deployment process to deploy your application, omit the dev dependencies by running:</p>
<div class="codehilite"><pre><span></span><code>npm i --production
</code></pre></div>
@ -247,24 +247,25 @@ mkdir cloned_locator
<p>You will see output similar to:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">hexo-cli: 2.0.0</span><span class="w"></span>
<span class="na">os: Linux 4.15.0-64-generic linux x64</span><span class="w"></span>
<span class="na">http_parser: 2.7.1</span><span class="w"></span>
<span class="na">node: 10.14.0</span><span class="w"></span>
<span class="na">v8: 7.6.303.29-node.16</span><span class="w"></span>
<span class="na">uv: 1.31.0</span><span class="w"></span>
<span class="na">hexo-cli: 4.3.0</span><span class="w"></span>
<span class="na">os: linux 5.15.0-35-generic Ubuntu 22.04 LTS 22.04 LTS (Jammy Jellyfish)</span><span class="w"></span>
<span class="na">node: 18.3.0</span><span class="w"></span>
<span class="na">v8: 10.2.154.4-node.8</span><span class="w"></span>
<span class="na">uv: 1.43.0</span><span class="w"></span>
<span class="na">zlib: 1.2.11</span><span class="w"></span>
<span class="na">ares: 1.15.0</span><span class="w"></span>
<span class="na">modules: 72</span><span class="w"></span>
<span class="na">nghttp2: 1.39.2</span><span class="w"></span>
<span class="na">openssl: 1.1.1c</span><span class="w"></span>
<span class="na">brotli: 1.0.7</span><span class="w"></span>
<span class="na">napi: 4</span><span class="w"></span>
<span class="na">llhttp: 1.1.4</span><span class="w"></span>
<span class="na">icu: 64.2</span><span class="w"></span>
<span class="na">unicode: 12.1</span><span class="w"></span>
<span class="na">cldr: 35.1</span><span class="w"></span>
<span class="na">tz: 2019a</span><span class="w"></span>
<span class="na">brotli: 1.0.9</span><span class="w"></span>
<span class="na">ares: 1.18.1</span><span class="w"></span>
<span class="na">modules: 108</span><span class="w"></span>
<span class="na">nghttp2: 1.47.0</span><span class="w"></span>
<span class="na">napi: 8</span><span class="w"></span>
<span class="na">llhttp: 6.0.6</span><span class="w"></span>
<span class="na">openssl: 3.0.3+quic</span><span class="w"></span>
<span class="na">cldr: 41.0</span><span class="w"></span>
<span class="na">icu: 71.1</span><span class="w"></span>
<span class="na">tz: 2022a</span><span class="w"></span>
<span class="na">unicode: 14.0</span><span class="w"></span>
<span class="na">ngtcp2: 0.1.0-DEV</span><span class="w"></span>
<span class="na">nghttp3: 0.1.0-DEV</span><span class="w"></span>
</code></pre></div>
<p>So far, you have learned how to install modules with npm. You can install packages to a project locally, either as a production or development dependency. You can also install packages based on pre-existing <code>package.json</code> or <code>package-lock.json</code> files, allowing you to develop with the same dependencies as your peers. Finally, you can use the <code>-g</code> flag to install packages globally, so you can access them regardless of whether you&rsquo;re in a Node.js project or not. </p>
@ -285,37 +286,39 @@ mkdir cloned_locator
<p>You will see output like this:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">├─┬ axios@0.19.0</span><span class="w"></span>
<span class="na">│ ├─┬ follow-redirects@1.5.10</span><span class="w"></span>
<span class="na">│ │ └─┬ debug@3.1.0</span><span class="w"></span>
<span class="na">│ │ └── ms@2.0.0</span><span class="w"></span>
<span class="na">│ └── is-buffer@2.0.3</span><span class="w"></span>
<span class="na">└─┬ eslint@6.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">├─┬ @babel/code-frame@7.5.5</span><span class="w"></span>
<span class="w"> </span><span class="na">│ └─┬ @babel/highlight@7.5.0</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── chalk@2.4.2 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── esutils@2.0.3 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ └── js-tokens@4.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">├─┬ ajv@6.10.2</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── fast-deep-equal@2.0.1</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── fast-json-stable-stringify@2.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── json-schema-traverse@0.4.1</span><span class="w"></span>
<span class="w"> </span><span class="na">│ └─┬ uri-js@4.2.2</span><span class="w"></span>
<span class="na">...</span><span class="w"></span>
<span class="na">├── axios@0.27.2</span><span class="w"></span>
<span class="na">└── eslint@8.0.0</span><span class="w"></span>
</code></pre></div>
<p>By default, <code>ls</code> shows the entire dependency tree—the modules your project depends on and the modules that your dependencies depend on. This can be a bit unwieldy if you want a high-level overview of what&rsquo;s installed.</p>
<p>To only print the modules you installed without their dependencies, enter the following in your shell:</p>
<div class="codehilite"><pre><span></span><code>npm ls --depth 0
<p>The <code>--depth</code> option allows you to specify what level of the dependency tree you want to see. When it&rsquo;s <code>0</code>, you only see your top level dependencies. If you want to see the entire dependency tree, use the <code>--all</code> argument:</p>
<div class="codehilite"><pre><span></span><code>npm ls --all
</code></pre></div>
<p>Your output will be:</p>
<p>You will see output like the following:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">├── axios@0.19.0</span><span class="w"></span>
<span class="na">└── eslint@6.0.0</span><span class="w"></span>
<span class="na">├─┬ axios@0.27.2</span><span class="w"></span>
<span class="na">│ ├── follow-redirects@1.15.1</span><span class="w"></span>
<span class="na">│ └─┬ form-data@4.0.0</span><span class="w"></span>
<span class="na">│ ├── asynckit@0.4.0</span><span class="w"></span>
<span class="na">│ ├─┬ combined-stream@1.0.8</span><span class="w"></span>
<span class="na">│ │ └── delayed-stream@1.0.0</span><span class="w"></span>
<span class="na">│ └─┬ mime-types@2.1.35</span><span class="w"></span>
<span class="na">│ └── mime-db@1.52.0</span><span class="w"></span>
<span class="na">└─┬ eslint@8.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">├─┬ @eslint/eslintrc@1.3.0</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── ajv@6.12.6 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── debug@4.3.4 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── espree@9.3.2 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── globals@13.15.0 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── ignore@5.2.0</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── import-fresh@3.3.0 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── js-yaml@4.1.0 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ ├── minimatch@3.1.2 deduped</span><span class="w"></span>
<span class="w"> </span><span class="na">│ └── strip-json-comments@3.1.1 deduped</span><span class="w"></span>
<span class="na">. . .</span><span class="w"></span>
</code></pre></div>
<p>The <code>--depth</code> option allows you to specify what level of the dependency tree you want to see. When it&rsquo;s <code>0</code>, you only see your top level dependencies.</p>
<h3 id="updating-modules">Updating Modules</h3>
<p>It is a good practice to keep your npm modules up to date. This improves your likelihood of getting the latest security fixes for a module. Use the <code>outdated</code> command to check if any modules can be updated:</p>
<div class="codehilite"><pre><span></span><code>npm outdated
@ -323,8 +326,8 @@ mkdir cloned_locator
<p>You will get output like the following: </p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">Package Current Wanted Latest Location</span><span class="w"></span>
<span class="na">eslint 6.0.0 &lt;^&gt;6.7.1&lt;^&gt; &lt;^&gt;6.7.1&lt;^&gt; locator</span><span class="w"></span>
<span class="na">Package Current Wanted Latest Location Depended by</span><span class="w"></span>
<span class="na">eslint 8.0.0 8.17.0 8.17.0 node_modules/eslint locator</span><span class="w"></span>
</code></pre></div>
<p>This command first lists the <code>Package</code> that&rsquo;s installed and the <code>Current</code> version. The <code>Wanted</code> column shows which version satisfies your version requirement in <code>package.json</code>. The <code>Latest</code> column shows the most recent version of the module that was published.</p>
@ -335,13 +338,26 @@ mkdir cloned_locator
<p>The output of the command will contain the version installed:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">npm WARN locator@1.0.0 No repository field.</span><span class="w"></span>
<span class="na">+ eslint@&lt;^&gt;6.7.1&lt;^&gt;</span><span class="w"></span>
<span class="na">added 7 packages from 3 contributors, removed 5 packages, updated 19 packages, moved 1 package and audited 184 packages in 5.818s</span><span class="w"></span>
<span class="na">removed 7 packages, changed 4 packages, and audited 91 packages in 1s</span><span class="w"></span>
<span class="na">14 packages are looking for funding</span><span class="w"></span>
<span class="w"> </span><span class="na">run `npm fund` for details</span><span class="w"></span>
<span class="na">found 0 vulnerabilities</span><span class="w"></span>
</code></pre></div>
<p>To see which version of <code>eslint</code> that you are using now, you can use <code>npm ls</code> using the package name as an argument:</p>
<div class="codehilite"><pre><span></span><code>npm ls eslint
</code></pre></div>
<p>The output will resemble the <code>npm ls</code> command you used before, but include only the <code>eslint</code> package&rsquo;s versions:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">└─┬ eslint@8.17.0</span><span class="w"></span>
<span class="w"> </span><span class="na">└─┬ eslint-utils@3.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">└── eslint@8.17.0 deduped</span><span class="w"></span>
</code></pre></div>
<p>If you wanted to update all modules at once, then you would enter:</p>
<div class="codehilite"><pre><span></span><code>npm up
</code></pre></div>
@ -355,19 +371,22 @@ mkdir cloned_locator
<p>Your output will be similar to:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">npm WARN locator@1.0.0 No repository field.</span><span class="w"></span>
<span class="na">removed 8 packages, and audited 83 packages in 542ms</span><span class="w"></span>
<span class="na">13 packages are looking for funding</span><span class="w"></span>
<span class="w"> </span><span class="na">run `npm fund` for details</span><span class="w"></span>
<span class="na">removed 5 packages and audited 176 packages in 1.488s</span><span class="w"></span>
<span class="na">found 0 vulnerabilities</span><span class="w"></span>
</code></pre></div>
<p>It doesn&rsquo;t explicitly say that <code>axios</code> was removed. To verify that it was uninstalled, list the dependencies once again:</p>
<div class="codehilite"><pre><span></span><code>npm ls --depth 0
<div class="codehilite"><pre><span></span><code>npm ls
</code></pre></div>
<p>Now, we only see that <code>eslint</code> is installed:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">└── eslint@&lt;^&gt;6.7.1&lt;^&gt;</span><span class="w"></span>
<span class="na">locator@1.0.0 /home/ubuntu/locator</span><span class="w"></span>
<span class="na">└── eslint@8.17.0</span><span class="w"></span>
</code></pre></div>
<p>This shows that you have successfully uninstalled the <code>axios</code> package.</p>
@ -378,46 +397,67 @@ mkdir cloned_locator
<p>When you install this outdated version of <code>request</code>, you&rsquo;ll notice output similar to the following:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">+ request@2.60.0</span><span class="w"></span>
<span class="na">added 54 packages from 49 contributors and audited 243 packages in 7.26s</span><span class="w"></span>
<span class="na">found 6 moderate severity vulnerabilities</span><span class="w"></span>
<span class="w"> </span><span class="na">run `npm audit fix` to fix them, or `npm audit` for details</span><span class="w"></span>
<span class="na">npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).</span><span class="w"></span>
<span class="na">npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.</span><span class="w"></span>
<span class="na">npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).</span><span class="w"></span>
<span class="na">npm WARN deprecated node-uuid@1.4.8: Use uuid module instead</span><span class="w"></span>
<span class="na">npm WARN deprecated har-validator@1.8.0: this library is no longer supported</span><span class="w"></span>
<span class="na">npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).</span><span class="w"></span>
<span class="na">npm WARN deprecated request@2.60.0: request has been deprecated, see https://github.com/request/request/issues/3142</span><span class="w"></span>
<span class="na">npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.</span><span class="w"></span>
<span class="na">added 56 packages, and audited 139 packages in 4s</span><span class="w"></span>
<span class="na">13 packages are looking for funding</span><span class="w"></span>
<span class="w"> </span><span class="na">run `npm fund` for details</span><span class="w"></span>
<span class="na">9 vulnerabilities (5 moderate, 2 high, 2 critical)</span><span class="w"></span>
<span class="na">To address all issues, run:</span><span class="w"></span>
<span class="w"> </span><span class="na">npm audit fix --force</span><span class="w"></span>
<span class="na">Run `npm audit` for details.</span><span class="w"></span>
</code></pre></div>
<p>npm is telling you that you have vulnerabilities in your dependencies. To get more details, audit your entire project with:</p>
<p>npm is telling you that you have deprecations and vulnerabilities in your dependencies. To get more details, audit your entire project with:</p>
<div class="codehilite"><pre><span></span><code>npm audit
</code></pre></div>
<p>The <code>audit</code> command shows tables of output highlighting security flaws:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="w"> </span><span class="o">=</span><span class="s">== npm audit security report ===</span><span class="w"></span>
<span class="c1"># npm audit report</span><span class="w"></span>
<span class="c1"># Run npm install request@2.88.0 to resolve 1 vulnerability</span><span class="w"></span>
<span class="na">┌───────────────┬──────────────────────────────────────────────────────────────┐</span><span class="w"></span>
<span class="na">│ Moderate │ Memory Exposure │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Package │ tunnel-agent │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Dependency of │ request │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Path │ request &gt; tunnel-agent │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ More info │ https://npmjs.com/advisories/598 │</span><span class="w"></span>
<span class="na">└───────────────┴──────────────────────────────────────────────────────────────┘</span><span class="w"></span>
<span class="na">bl &lt;1.2.3</span><span class="w"></span>
<span class="na">Severity: moderate</span><span class="w"></span>
<span class="na">Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r</span><span class="w"></span>
<span class="na">fix available via `npm audit fix`</span><span class="w"></span>
<span class="na">node_modules/bl</span><span class="w"></span>
<span class="w"> </span><span class="na">request 2.16.0 - 2.86.0</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of bl</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of hawk</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of qs</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of tunnel-agent</span><span class="w"></span>
<span class="w"> </span><span class="na">node_modules/request</span><span class="w"></span>
<span class="c1"># Run npm update request --depth 1 to resolve 1 vulnerability</span><span class="w"></span>
<span class="na">┌───────────────┬──────────────────────────────────────────────────────────────┐</span><span class="w"></span>
<span class="na">│ Moderate │ Remote Memory Exposure │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Package │ request │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Dependency of │ request │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ Path │ request │</span><span class="w"></span>
<span class="na">├───────────────┼──────────────────────────────────────────────────────────────┤</span><span class="w"></span>
<span class="na">│ More info │ https://npmjs.com/advisories/309 │</span><span class="w"></span>
<span class="na">└───────────────┴──────────────────────────────────────────────────────────────┘</span><span class="w"></span>
<span class="na">...</span><span class="w"></span>
<span class="na">cryptiles &lt;</span><span class="o">=</span><span class="s">4.1.1</span><span class="w"></span>
<span class="na">Severity: critical</span><span class="w"></span>
<span class="na">Insufficient Entropy in cryptiles - https://github.com/advisories/GHSA-rq8g-5pc5-wrhr</span><span class="w"></span>
<span class="na">Depends on vulnerable versions of boom</span><span class="w"></span>
<span class="na">fix available via `npm audit fix`</span><span class="w"></span>
<span class="na">node_modules/cryptiles</span><span class="w"></span>
<span class="w"> </span><span class="na">hawk &lt;</span><span class="o">=</span><span class="s">9.0.0</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of boom</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of cryptiles</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of hoek</span><span class="w"></span>
<span class="w"> </span><span class="na">Depends on vulnerable versions of sntp</span><span class="w"></span>
<span class="w"> </span><span class="na">node_modules/hawk</span><span class="w"></span>
<span class="na">. . .</span><span class="w"></span>
<span class="na">9 vulnerabilities (5 moderate, 2 high, 2 critical)</span><span class="w"></span>
<span class="na">To address all issues, run:</span><span class="w"></span>
<span class="w"> </span><span class="na">npm audit fix</span><span class="w"></span>
</code></pre></div>
<p>You can see the path of the vulnerability, and sometimes npm offers ways for you to fix it. You can run the update command as suggested, or you can run the <code>fix</code> subcommand of <code>audit</code>. In your shell, enter:</p>
@ -426,13 +466,19 @@ mkdir cloned_locator
<p>You will see similar output to:</p>
<div class="codehilite"><pre><span></span><code><span class="k">[secondary_label Output]</span><span class="w"></span>
<span class="na">+ request@2.88.0</span><span class="w"></span>
<span class="na">added 19 packages from 24 contributors, removed 32 packages and updated 12 packages in 6.223s</span><span class="w"></span>
<span class="na">fixed 2 of 6 vulnerabilities in 243 scanned packages</span><span class="w"></span>
<span class="w"> </span><span class="na">4 vulnerabilities required manual review and could not be updated</span><span class="w"></span>
<span class="na">npm WARN deprecated har-validator@5.1.5: this library is no longer supported</span><span class="w"></span>
<span class="na">npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.</span><span class="w"></span>
<span class="na">npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142</span><span class="w"></span>
<span class="na">added 19 packages, removed 34 packages, changed 13 packages, and audited 124 packages in 3s</span><span class="w"></span>
<span class="na">14 packages are looking for funding</span><span class="w"></span>
<span class="w"> </span><span class="na">run `npm fund` for details</span><span class="w"></span>
<span class="na">found 0 vulnerabilities</span><span class="w"></span>
</code></pre></div>
<p>npm was able to safely update two of the packages, decreasing your vulnerabilities by the same amount. However, you still have four vulnerabilities in your dependencies. The <code>audit fix</code> command does not always fix every problem. Although a version of a module may have a security vulnerability, if you update it to a version with a different API then it could break code higher up in the dependency tree.</p>
<p>npm was able to safely update two of the packages, decreasing your vulnerabilities by the same amount. However, you still have three deprecations in your dependencies. The <code>audit fix</code> command does not always fix every problem. Although a version of a module may have a security vulnerability, if you update it to a version with a different API then it could break code higher up in the dependency tree.</p>
<p>You can use the <code>--force</code> parameter to ensure the vulnerabilities are gone, like this:</p>
<div class="codehilite"><pre><span></span><code>npm audit fix --force
</code></pre></div>