
Add check for new dependencies #681

Merged (1 commit, Apr 1, 2023)

Conversation

tommy-mitchell (Collaborator):

Closes #624.

Adds a confirmation step for new dependencies that have been added since the last release:

[image]

It's part of the same check as for new files, so there are no additional prompts.

@tommy-mitchell (Collaborator, Author):

Is there a list anywhere of unsafe packages / packages with vulnerabilities? Could be nice to also warn about adding insecure dependencies.

@sindresorhus (Owner):

> Is there a list anywhere of unsafe packages / packages with vulnerabilities? Could be nice to also warn about adding insecure dependencies.

Not that I'm aware of. If packages are unsafe, npm would usually take them down.

@tommy-mitchell (Collaborator, Author):

@sindresorhus this can be kind of verbose:

[image]

Text version:
? The following new files will not be part of your published package:
- test/_utils.js
- test/fixtures/config/homedir4/.np-config.js
- test/fixtures/config/homedir5/.np-config.mjs
- test/fixtures/config/local4/.np-config.js
- test/fixtures/config/local4/package.json
- test/fixtures/config/local5/.np-config.mjs
- test/fixtures/config/package.json
- test/fixtures/files/dot-github/.github/pull_request_template.md
- test/fixtures/files/dot-github/index.js
- test/fixtures/files/dot-github/package.json
- test/fixtures/files/files-and-npmignore/package.json
- test/fixtures/files/files-and-npmignore/readme.md
- test/fixtures/files/files-and-npmignore/source/.npmignore
- test/fixtures/files/files-and-npmignore/source/bar.js
- test/fixtures/files/files-and-npmignore/source/foo.js
- test/fixtures/files/files-and-npmignore/source/index.d.ts
- test/fixtures/files/files-and-npmignore/source/index.test-d.ts
- test/fixtures/files/files-slash/index.js
- test/fixtures/files/files-slash/package.json
- test/fixtures/files/gitignore/dist/index.js
- test/fixtures/files/gitignore/gitignore
- test/fixtures/files/gitignore/index.d.ts
- test/fixtures/files/gitignore/index.js
- test/fixtures/files/gitignore/index.test-d.ts
- test/fixtures/files/gitignore/package.json
- test/fixtures/files/gitignore/readme.md
- test/fixtures/files/has-readme-and-license/index.js
- test/fixtures/files/has-readme-and-license/license.md
- test/fixtures/files/has-readme-and-license/package.json
- test/fixtures/files/has-readme-and-license/readme.md
- test/fixtures/files/main/bar.js
- test/fixtures/files/main/foo.js
- test/fixtures/files/main/package.json
- test/fixtures/files/npmignore-and-gitignore/.npmignore
- test/fixtures/files/npmignore-and-gitignore/dist/index.js
- test/fixtures/files/npmignore-and-gitignore/gitignore
- test/fixtures/files/npmignore-and-gitignore/package.json
- test/fixtures/files/npmignore-and-gitignore/readme.md
- test/fixtures/files/npmignore-and-gitignore/script/build.js
- test/fixtures/files/npmignore-and-gitignore/source/index.ts
- test/fixtures/files/npmignore/.npmignore
- test/fixtures/files/npmignore/index.d.ts
- test/fixtures/files/npmignore/index.js
- test/fixtures/files/npmignore/index.test-d.ts
- test/fixtures/files/npmignore/package.json
- test/fixtures/files/npmignore/readme.md
- test/fixtures/files/one-file/index.js
- test/fixtures/files/one-file/package.json
- test/fixtures/files/source-and-dist-dir/dist/index.js
- test/fixtures/files/source-and-dist-dir/package.json
- test/fixtures/files/source-and-dist-dir/source/bar.js
- test/fixtures/files/source-and-dist-dir/source/foo.js
- test/fixtures/files/source-dir/package.json
- test/fixtures/files/source-dir/source/bar.js
- test/fixtures/files/source-dir/source/foo.js
- test/new-files.js
The following new dependencies will be part of your published package:
- exit-hook
- path-exists
Continue? (y/N)

Maybe if there's more than X entries in a directory, np shows some/dir/*? So the example above would be:

? The following new files will not be part of your published package:
- test/_utils.js
- test/fixtures/*
- test/new-files.js
The following new dependencies will be part of your published package:
- exit-hook
- path-exists
Continue? (y/N)

@sindresorhus (Owner):

> Maybe if there's more than X entries in a directory, np shows some/dir/*? So the example above would be:

👍 Maybe also show the file count?

- test/fixtures/*  (134 files)

@Drarig29 (Contributor) commented Apr 6, 2023:

I could make a package for this, and reuse it here. Or would you rather not have a dependency for this? @sindresorhus

(I'd first search for an existing package, of course.)

@sindresorhus (Owner):

I don't see the need to have a dependency for just this.

Vylpes pushed a commit to Vylpes/random-bunny that referenced this pull request Sep 11, 2023
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [np](https://github.com/sindresorhus/np) | devDependencies | major | [`^7.7.0` -> `^8.0.0`](https://renovatebot.com/diffs/npm/np/7.7.0/8.0.4) |

---

### Release Notes

<details>
<summary>sindresorhus/np (np)</summary>

### [`v8.0.4`](https://github.com/sindresorhus/np/releases/tag/v8.0.4)

[Compare Source](sindresorhus/np@v8.0.3...v8.0.4)

-   Handle first time display of dependencies ([#&#8203;707](sindresorhus/np#707))  [`3f43d78`](sindresorhus/np@3f43d78)

### [`v8.0.3`](https://github.com/sindresorhus/np/releases/tag/v8.0.3)

[Compare Source](sindresorhus/np@v8.0.2...v8.0.3)

-   Fix skipping publish step ([#&#8203;706](sindresorhus/np#706))  [`51dcc2d`](sindresorhus/np@51dcc2d)

### [`v8.0.2`](https://github.com/sindresorhus/np/releases/tag/v8.0.2)

[Compare Source](sindresorhus/np@v8.0.1...v8.0.2)

-   Fix publish not working with Yarn  [`3d448c2`](sindresorhus/np@3d448c2)
-   Include stack trace in errors  [`12fce88`](sindresorhus/np@12fce88)

### [`v8.0.1`](https://github.com/sindresorhus/np/releases/tag/v8.0.1)

[Compare Source](sindresorhus/np@v8.0.0...v8.0.1)

-   Fix a crash in the new dependency check  [`beb7db1`](sindresorhus/np@beb7db1)

### [`v8.0.0`](https://github.com/sindresorhus/np/releases/tag/v8.0.0)

[Compare Source](sindresorhus/np@v7.7.0...v8.0.0)

##### Breaking

-   Require Node.js 16 ([#&#8203;683](sindresorhus/np#683))  [`72879e0`](sindresorhus/np@72879e0)

##### Improvements

-   Add 2FA support for npm version 9+ ([#&#8203;693](sindresorhus/np#693))  [`9cb4bfd`](sindresorhus/np@9cb4bfd)
-   Improve startup time ([#&#8203;688](sindresorhus/np#688))  [`eba203f`](sindresorhus/np@eba203f)
-   Improve the reliability of detecting which files will be included in the package ([#&#8203;682](sindresorhus/np#682))  [`a6ce792`](sindresorhus/np@a6ce792)
-   Add check for new dependencies ([#&#8203;681](sindresorhus/np#681))  [`6867fb9`](sindresorhus/np@6867fb9)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.vylpes.xyz/RabbitLabs/random-bunny/pulls/67
Co-authored-by: Renovate Bot <renovate@vylpes.com>
Co-committed-by: Renovate Bot <renovate@vylpes.com>
Linked issue: Warn about new dependencies