Class: Danger::DangerPackageJsonLockdown

Inherits: Plugin > Object

Defined in: lib/package_json_lockdown/plugin.rb

Overview

Force locking down of version numbers in package.json

Shrinkwrap isn't the solution you want it to be, and none of the other tools quite do what you want. So you'll get fed up and force manual management of your dependencies (after all, `npm outdated` is fairly easy to deal with).

This plugin will warn you if you're committing anything that looks like:

- "^1.0.0"
- "~1.0.0"
- "<=1.0.0"
- "<1.0.0"
- ">=1.0.0"
- ">1.0.0"
- "1.0.x"
- "*"
- ""

So you can still specify a git hash, a tag, or a URL (and so on), and, most importantly, you can specify an exact version number.
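To make the rule above concrete, here is an added stand-alone Ruby example (not the plugin's own code) that classifies a version specifier as locked down or not using exactly the forms listed above, scans the dependency nodes of a constructed package.json, and reports each offender with a best-effort line number in the same `:package` / `:version` / `:line` shape the plugin's `inspect` returns. The default key list, the helper names and the sample manifest are assumptions made for this example.

```ruby
require 'json'

# Assumption for this example: the dependency nodes to scan by default.
# The real plugin has its own default list exposed via `dependency_keys`.
DEFAULT_DEPENDENCY_KEYS = %w[
  dependencies devDependencies peerDependencies optionalDependencies
].freeze

# A specifier counts as locked down unless it is one of the range forms the
# plugin warns about: caret, tilde, comparison operators, x-ranges, "*" or
# an empty string. Git hashes, tags and URLs are deliberately left alone.
def fixed_version?(spec)
  s = spec.to_s.strip
  return false if s.empty? || s == '*'
  return false if s.start_with?('^', '~', '<', '>')
  # x-ranges such as "1.0.x", "1.x" or "1.0.*"
  return false if s.match?(/\A\d+(\.\d+)*(\.[xX*])+\z/)

  true
end

# Scan the chosen dependency nodes of a package.json document. The raw text
# (not a parsed Hash) is taken so that line numbers can be recovered.
# Returns an array of { package:, version:, line: } hashes, one per offender.
def find_suspicious(raw_json, dependency_keys = DEFAULT_DEPENDENCY_KEYS)
  json = JSON.parse(raw_json)
  lines = raw_json.lines
  problems = []

  dependency_keys.each do |key|
    next unless json[key].is_a?(Hash)

    json[key].each do |package, version|
      next if fixed_version?(version)

      # Best-effort lookup: the first line that mentions the quoted package
      # name. Like the plugin's own :line, this is only "probably" right.
      idx = lines.index { |l| l.include?("\"#{package}\"") }
      problems << { package: package, version: version, line: idx ? idx + 1 : nil }
    end
  end

  problems
end

# Constructed sample manifest mixing locked, ranged and git-based specifiers.
SAMPLE_PACKAGE_JSON = <<~JSON
  {
    "name": "example-app",
    "dependencies": {
      "left-pad": "1.3.0",
      "lodash": "^4.17.21",
      "express": "~4.18.0",
      "debug": "1.0.x",
      "chalk": "*",
      "my-fork": "git+https://github.com/example/my-fork.git#a1b2c3d"
    },
    "devDependencies": {
      "mocha": ">=10.0.0",
      "eslint": "8.56.0"
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  find_suspicious(SAMPLE_PACKAGE_JSON).each do |p|
    puts "line #{p[:line]}: `#{p[:package]}` doesn't specify fixed version number (#{p[:version].inspect})"
  end
end
```

Running the file reports `lodash`, `express`, `debug`, `chalk` and `mocha`; passing `['dependencies']` as the second argument drops `mocha`, which mirrors the plugin's `dependency_keys` setting.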

Examples:

Basic operation, throwing warnings in specified package.json(s)


package_json_lockdown.verify('package.json')
package_json_lockdown.verify('path/to/sub/package.json')

Blacklisting specific dependencies nodes


# Will only check the `dependencies` node, but allow
#  `devDependencies` to contain non-specific versions
package_json_lockdown.dependency_keys = ['dependencies']
package_json_lockdown.verify('package.json')

Returning values to handle manually


problems = package_json_lockdown.inspect('package.json')
puts(problems)

Instance Attribute Summary

Instance Method Summary

Instance Attribute Details

#dependency_keys ⇒ Array<String>

Allows you to specify dependency nodes to check. By default it will check all nodes known to contain dependencies.

Returns:

  • (Array<String>)

# File 'lib/package_json_lockdown/plugin.rb', line 47

def dependency_keys
  @dependency_keys
end

Instance Method Details

#inspect(package_json) ⇒ Array<{Symbol => String}>

Inspects the supplied `package.json` file and returns problems

Parameters:

  • package_json (string)

    Path to `package.json`, relative to current directory

Returns:

  • (Array<{Symbol => String}>)
    • `:package`: the offending package name

    • `:version`: the version as written in `package.json`

    • `:line`: (probably) the line number.

# File 'lib/package_json_lockdown/plugin.rb', line 81

def inspect(package_json)
  json = JSON.parse(File.read(package_json))

  suspicious_packages = []

  # Only look at the configured dependency nodes that actually exist in the file
  dependency_keys.each do |dependency_key|
    next unless json.key?(dependency_key)

    # `find_something_suspicious` is a private helper of the plugin (not shown here)
    # that returns one { package:, version:, line: } hash per non-fixed specifier
    results = find_something_suspicious(json[dependency_key], package_json)
    suspicious_packages.push(*results)
  end

  suspicious_packages
end

#verify(package_json) ⇒ void

This method returns an undefined value.

Verifies the supplied `package.json` file

Parameters:

  • package_json (string)

    Path to `package.json`, relative to current directory

# File 'lib/package_json_lockdown/plugin.rb', line 64

def verify(package_json)
  # Emit one Danger warning per offender, attached to the file and (probable) line
  inspect(package_json).each do |suspicious|
    warn(
      "`#{suspicious[:package]}` doesn't specify fixed version number",
      file: package_json,
      line: suspicious[:line]
    )
  end
end