-
Notifications
You must be signed in to change notification settings - Fork 30k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
PR-URL: #51913 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Richard Lau <[email protected]>
- Loading branch information
1 parent
4dfc9e0
commit 014cc53
Showing
396 changed files
with
8,964 additions
and
3,998 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,7 +27,7 @@ packages will *also* show the paths to the specified packages. For | |
example, running `npm ls promzard` in npm's source tree will show: | ||
|
||
```bash | ||
npm@10.3.0 /path/to/npm | ||
npm@10.5.0 /path/to/npm | ||
└─┬ [email protected] | ||
└── [email protected] | ||
``` | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,7 +28,7 @@ If no package name is specified, all packages in the specified location (global | |
or local) will be updated. | ||
|
||
Note that by default `npm update` will not update the semver values of direct | ||
dependencies in your project `package.json`, if you want to also update | ||
dependencies in your project `package.json`. If you want to also update | ||
values in `package.json` you can run: `npm update --save` (or add the | ||
`save=true` option to a [configuration file](/configuring-npm/npmrc) | ||
to make that the default behavior). | ||
|
@@ -80,7 +80,7 @@ However, if `app`'s `package.json` contains: | |
``` | ||
|
||
In this case, running `npm update` will install `[email protected]`. Even though the | ||
`latest` tag points to `1.2.2`, this version do not satisfy `~1.1.1`, which is | ||
`latest` tag points to `1.2.2`, this version does not satisfy `~1.1.1`, which is | ||
equivalent to `>=1.1.1 <1.2.0`. So the highest-sorting version that satisfies | ||
`~1.1.1` is used, which is `1.1.2`. | ||
|
||
|
@@ -94,8 +94,7 @@ Suppose `app` has a caret dependency on a version below `1.0.0`, for example: | |
} | ||
``` | ||
|
||
`npm update` will install `[email protected]`, because there are no other | ||
versions which satisfy `^0.2.0`. | ||
`npm update` will install `[email protected]`. | ||
|
||
If the dependence were on `^0.4.0`: | ||
|
||
|
@@ -294,7 +293,8 @@ will also prevent _writing_ `package-lock.json` if `save` is true. | |
|
||
#### `foreground-scripts` | ||
|
||
* Default: false | ||
* Default: `false` unless when using `npm pack` or `npm publish` where it | ||
defaults to `true` | ||
* Type: Boolean | ||
|
||
Run all build scripts (ie, `preinstall`, `install`, and `postinstall`) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,7 +14,7 @@ Note: This command is unaware of workspaces. | |
|
||
### Version | ||
|
||
10.3.0 | ||
10.5.0 | ||
|
||
### Description | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,7 +13,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector | |
- Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships & associative metadata | ||
- Consolidates redundant logic of similar query commands in `npm` (ex. `npm fund`, `npm ls`, `npm outdated`, `npm audit` ...) | ||
|
||
### Dependency Selector Syntax `v1.0.0` | ||
### Dependency Selector Syntax | ||
|
||
#### Overview: | ||
|
||
|
@@ -62,6 +62,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector | |
- `:path(<path>)` [glob](https://www.npmjs.com/package/glob) matching based on dependencies path relative to the project | ||
- `:type(<type>)` [based on currently recognized types](https://github.com/npm/npm-package-arg#result-object) | ||
- `:outdated(<type>)` when a dependency is outdated | ||
- `:vuln(<selector>)` when a dependency has a known vulnerability | ||
|
||
##### `:semver(<spec>, [selector], [function])` | ||
|
||
|
@@ -84,8 +85,8 @@ Some examples: | |
The `:outdated` pseudo selector retrieves data from the registry and returns information about which of your dependencies are outdated. The type parameter may be one of the following: | ||
|
||
- `any` (default) a version exists that is greater than the current one | ||
- `in-range` a version exists that is greater than the current one, and satisfies at least one if its dependents | ||
- `out-of-range` a version exists that is greater than the current one, does not satisfy at least one of its dependents | ||
- `in-range` a version exists that is greater than the current one, and satisfies at least one if its parent's dependencies | ||
- `out-of-range` a version exists that is greater than the current one, does not satisfy at least one of its parent's dependencies | ||
- `major` a version exists that is a semver major greater than the current one | ||
- `minor` a version exists that is a semver minor greater than the current one | ||
- `patch` a version exists that is a semver patch greater than the current one | ||
|
@@ -99,14 +100,29 @@ In addition to the filtering performed by the pseudo selector, some extra data i | |
Some examples: | ||
|
||
- `:root > :outdated(major)` returns every direct dependency that has a new semver major release | ||
- `.prod:outdated(in-range)` returns production dependencies that have a new release that satisfies at least one of its edges in | ||
- `.prod:outdated(in-range)` returns production dependencies that have a new release that satisfies at least one of its parent's dependencies | ||
|
||
##### `:vuln` | ||
|
||
The `:vuln` pseudo selector retrieves data from the registry and returns information about which if your dependencies has a known vulnerability. Only dependencies whose current version matches a vulnerability will be returned. For example if you have `[email protected]` in your tree, a vulnerability for `semver` which affects versions `<=6.3.1` will not match. | ||
|
||
You can also filter results by certain attributes in advisories. Currently that includes `severity` and `cwe`. Note that severity filtering is done per severity, it does not include severities "higher" or "lower" than the one specified. | ||
|
||
In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the `queryContext` attribute of each node under the `advisories` attribute. | ||
|
||
Some examples: | ||
|
||
- `:root > .prod:vuln` returns direct production dependencies with any known vulnerability | ||
- `:vuln([severity=high])` returns only dependencies with a vulnerability with a `high` severity. | ||
- `:vuln([severity=high],[severity=moderate])` returns only dependencies with a vulnerability with a `high` or `moderate` severity. | ||
- `:vuln([cwe=1333])` returns only dependencies with a vulnerability that includes CWE-1333 (ReDoS) | ||
|
||
#### [Attribute Selectors](https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors) | ||
|
||
The attribute selector evaluates the key/value pairs in `package.json` if they are `String`s. | ||
|
||
- `[]` attribute selector (ie. existence of attribute) | ||
- `[attribute=value]` attribute value is equivalant... | ||
- `[attribute=value]` attribute value is equivalent... | ||
- `[attribute~=value]` attribute value contains word... | ||
- `[attribute*=value]` attribute value contains string... | ||
- `[attribute|=value]` attribute value is equal to or starts with... | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.