Maintained fork of npm-consider with full tests (reflecting current behavior).
Check npm package dependencies size, licenses and impact on your package before installing it 🤔
If you like it, please, ⭐️ this repo!
- calculates dependencies size recursively
- shows the license policy for linking of every dependency
- calculates impact on the current package
- shows a full dependency graph
- analyzes packages without downloading them
- supports yarn and pnpm
- analyzes the local package
- provides a continuous integration (CI) mode
npm install -g npm-reflect
Note: this tool is more useful when your colleagues also use it 😉
Add new dependency
npm-reflect accepts the same arguments as npm install:
npm-reflect install --save express
The command recursively requests package info from the npm registry and builds the dependency graph. The size of each package is determined via a HEAD request to its tarball download URL, so no tarball is downloaded.
Analyze local package
When called without arguments in a package directory, it builds the dependency graph and calculates metrics for the local package:
npm-reflect install
Using for automation and continuous integration
You can specify maximum values for the size and number of packages, as well as the allowed license types, in the config section of your package.json:
"config": {
"maxPackagesNumber": 100,
"maxSizeBites": 840400,
"allowedLicenseTypes": [
"permissive",
"publicDomain",
"uncategorized"
]
}
Once provided, you can call
npm-reflect install --test
If all limits are satisfied, the command exits with code 0; otherwise it exits with code 1.
Note: in this mode npm-reflect will not run npm install, pnpm install, or yarn install.
Supported properties:
- maxPackagesNumber: maximum number of npm dependencies, including transitive dependencies
- maxSizeBites: maximum size of the downloaded packages in bytes (note the spelling of the property name)
- allowedLicenseTypes: which types of dependency licenses are acceptable for the package. Supported types are publicDomain, permissive, weaklyProtective, protective, networkProtective, useOrModifyProtective and uncategorized.
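The following is an added example, not npm-reflect's own code, of what the --test mode described above amounts to: a recursive walk of the dependency graph, totals for package count, tarball size and license type, and a comparison with the limits under "config" in package.json. The registry data is a constructed stand-in (no network access), and the license-to-type table is a small constructed subset of the categories listed above; npm-reflect derives its real table from Wikipedia. Function names such as walkDependencies, summarize, checkLimits and runTest are this example's own.

```javascript
// Added example (not npm-reflect's code): a minimal CI-style limits check.

// Constructed registry data (not real npm packages): "name@version" -> metadata.
// `size` stands for the tarball size in bytes; dependencies are already resolved.
const REGISTRY = {
  'web@4.18.0':    { size: 210000, license: 'MIT',          dependencies: ['util@1.0.0', 'parser@2.3.0'] },
  'parser@2.3.0':  { size: 30000,  license: 'BSD-2-Clause', dependencies: ['util@1.0.0'] },
  'util@1.0.0':    { size: 5000,   license: 'CC0-1.0',      dependencies: [] },
  'db@1.1.0':      { size: 600000, license: 'LGPL-2.1',     dependencies: ['util@1.0.0'] },
  'tracker@0.9.0': { size: 12000,  license: 'AGPL-3.0',     dependencies: ['util@1.0.0'] },
};

// Constructed subset of a license -> linking-policy type table, using the README's
// category names. Anything not listed is reported as uncategorized.
const LICENSE_TYPES = {
  'CC0-1.0': 'publicDomain', 'Unlicense': 'publicDomain',
  'MIT': 'permissive', 'ISC': 'permissive', 'BSD-2-Clause': 'permissive', 'Apache-2.0': 'permissive',
  'LGPL-2.1': 'weaklyProtective', 'MPL-2.0': 'weaklyProtective',
  'GPL-3.0': 'protective',
  'AGPL-3.0': 'networkProtective',
};

function licenseType(license) {
  return LICENSE_TYPES[license] || 'uncategorized';
}

// Collect the transitive closure of `roots`. Every package is visited once, so
// shared dependencies (util above) and cycles do not inflate the totals.
function walkDependencies(roots, registry, seen = new Map()) {
  for (const id of roots) {
    if (seen.has(id)) continue;
    const pkg = registry[id];
    if (!pkg) throw new Error(`unknown package ${id}`);
    seen.set(id, pkg);
    walkDependencies(pkg.dependencies, registry, seen);
  }
  return seen;
}

// Reduce a graph to the three metrics the config limits refer to.
function summarize(graph) {
  let size = 0;
  const licenseTypes = {};
  for (const [id, pkg] of graph) {
    size += pkg.size;
    const type = licenseType(pkg.license);
    if (!licenseTypes[type]) licenseTypes[type] = [];
    licenseTypes[type].push(`${id} (${pkg.license})`);
  }
  return { count: graph.size, size, licenseTypes };
}

// Compare a summary with the "config" block of package.json. Returns the list of
// violations; an empty list corresponds to exit code 0 in --test mode.
function checkLimits(summary, config) {
  const violations = [];
  if (config.maxPackagesNumber !== undefined && summary.count > config.maxPackagesNumber) {
    violations.push(`${summary.count} packages exceeds maxPackagesNumber=${config.maxPackagesNumber}`);
  }
  if (config.maxSizeBites !== undefined && summary.size > config.maxSizeBites) {
    violations.push(`${summary.size} bytes exceeds maxSizeBites=${config.maxSizeBites}`);
  }
  if (Array.isArray(config.allowedLicenseTypes)) {
    for (const [type, pkgs] of Object.entries(summary.licenseTypes)) {
      if (!config.allowedLicenseTypes.includes(type)) {
        violations.push(`license type ${type} is not allowed: ${pkgs.join(', ')}`);
      }
    }
  }
  return violations;
}

// Print every violation and return the exit code a CI job would see.
function runTest(roots, config, registry = REGISTRY) {
  const violations = checkLimits(summarize(walkDependencies(roots, registry)), config);
  for (const v of violations) console.error(v);
  return violations.length === 0 ? 0 : 1;
}

// The config block from the README.
const CONFIG = {
  maxPackagesNumber: 100,
  maxSizeBites: 840400,
  allowedLicenseTypes: ['permissive', 'publicDomain', 'uncategorized'],
};

// Usage: process.exitCode = runTest(['web@4.18.0', 'db@1.1.0'], CONFIG);
```

Adding db@1.1.0 to the roots above fails for two independent reasons (the LGPL dependency is weaklyProtective, and the total size passes maxSizeBites), and both are reported before the non-zero exit code is returned; a single shared util@1.0.0 is counted once however many packages depend on it.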
If you are not sure which license types are appropriate, check this article.
Note that networkProtective now includes the Parity licenses, which refer to publishing "through a freely accessible distribution system widely used for similar source code". useOrModifyProtective was added later to categorize licenses that permit use only under certain conditions beyond any sharing requirements (e.g., non-commercial use only and/or no permission to modify the code).
If the project contains a yarn.lock file, npm-reflect will run yarn add with the corresponding options. pnpm is also supported when a pnpm-lock.yaml file is found.
npm-reflect calculates the license type for every dependency. The type defines the license policy for linking as a library. Data is collected from the Comparison of free and open-source software licenses on Wikipedia.
- Public Domain and Permissive licenses allow you to do anything except sue the author
- Weakly Protective licenses restrict how the code can be linked and combined with other licenses
- Protective (or Copyleft) dependency licenses require a dependent module to have a free license, which prevents it from being proprietary
- Network Protective is the same as Protective, but is also triggered by network interaction
- Use or Modify Protective adds restrictions on usage (e.g., non-commercial) or against modifying the code (restrictions which cause the license not to be considered "open source")
- Uncategorized means that the license was not found in the package info or has not been categorised in terms of linking; feel free to contribute to the license categorisation
Note that even permissive licenses have some restrictions. Check the following slide and article to learn about license compatibility:
The Free-Libre / Open Source Software (FLOSS) License Slide
- Install runs npm install with the same arguments
- Impact takes into account already installed dependencies and shows the relative impact. It behaves differently depending on the --save or --save-dev option: the latter takes into account already installed dependencies and devDependencies.
- Details prints the dependency graph
- Skip cancels npm install; no changes are applied to your project.
- Investigate why getPackageDetails (e.g., as used by walkDependencies) is not getting size (apparently the content-length header is missing from the fetch response for octet-stream content)
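To make the size lookup described earlier (a HEAD request to the tarball download URL) and the open TODO about a missing content-length header concrete, here is an added example that is not npm-reflect's code. It reads the size from the content-length header of a HEAD response and, when the header is absent, falls back to a GET that counts the body bytes. The registry URLs and responses are constructed stand-ins, the fetch implementation is injectable so the example runs offline, and Node 18+ is assumed for the global fetch and Headers APIs; the function names are this example's own.

```javascript
// Added example (not npm-reflect's code): tarball size via HEAD, with a GET fallback
// for the case where the server omits content-length.

// Read the size from a HEAD response; returns null when the response is not OK or
// the header is absent or not a non-negative integer.
function sizeFromHead(res) {
  if (!res.ok) return null;
  const value = res.headers.get('content-length');
  if (value === null) return null;
  const size = Number.parseInt(value, 10);
  return Number.isSafeInteger(size) && size >= 0 ? size : null;
}

// Resolve the size of the tarball at `url`. `fetchImpl` defaults to the global fetch
// (Node 18+) and is injectable so the logic can be exercised without network access.
async function tarballSize(url, fetchImpl = globalThis.fetch) {
  const head = await fetchImpl(url, { method: 'HEAD', redirect: 'follow' });
  const fromHead = sizeFromHead(head);
  if (fromHead !== null) return { size: fromHead, method: 'HEAD' };

  // Fallback: download the tarball and count the bytes. Slower, but still correct
  // when the registry or its CDN answers without content-length.
  const get = await fetchImpl(url, { method: 'GET', redirect: 'follow' });
  if (!get.ok) throw new Error(`GET ${url} failed with HTTP ${get.status}`);
  const body = await get.arrayBuffer();
  return { size: body.byteLength, method: 'GET' };
}

// Constructed stand-in for fetch: a fake registry that advertises content-length
// for some tarballs and not for others. Responses are plain objects with the
// subset of the Response interface the code above uses.
function fakeRegistry(tarballs) {
  return async (url, init = {}) => {
    const entry = tarballs[url];
    if (!entry) {
      return { ok: false, status: 404, headers: new Headers(), arrayBuffer: async () => new ArrayBuffer(0) };
    }
    const headers = new Headers();
    if (entry.advertiseLength) headers.set('content-length', String(entry.bytes.byteLength));
    const body = init.method === 'HEAD' ? new ArrayBuffer(0) : entry.bytes;
    return { ok: true, status: 200, headers, arrayBuffer: async () => body };
  };
}

// Constructed tarballs (not real packages): one with content-length, one without.
const FAKE_TARBALLS = {
  'https://registry.example/with-length/-/with-length-1.0.0.tgz': {
    bytes: new Uint8Array(4096).buffer, advertiseLength: true,
  },
  'https://registry.example/no-length/-/no-length-1.0.0.tgz': {
    bytes: new Uint8Array(777).buffer, advertiseLength: false,
  },
};

// Stand-alone usage against the fake registry.
const fetchFake = fakeRegistry(FAKE_TARBALLS);
for (const url of Object.keys(FAKE_TARBALLS)) {
  tarballSize(url, fetchFake).then((r) => console.log(`${url}: ${r.size} bytes via ${r.method}`));
}
```

Pass the real global fetch (the default) to query a live registry; the fallback costs a full download, so in a tool whose point is not downloading packages it is worth logging which method produced each size.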