
pgutil: PackageLockOnly for npm projects



  • Hi,

    I see that the Dependency Scanner for npm projects is able to handle "packageLockOnly" (as was the case in pgscan). But I can't seem to find an option to set this flag from the outside.

    Maybe this option has been overlooked? Or I am missing it?
    I appreciate the help.

    Thanks,
    Caterina


  • inedo-engineer

    Hi @caterina

    It's very possible this was overlooked; we seem to have accepted a lot of pull requests without documenting them or knowing how they work 😅

    We want to make sure the tool is well documented... can you share what all this does, and how we can document it? It might be easy to add back in ... we just want to make sure all these switches are documented and still make sense.

    Thanks,
    Alana



  • Hi @atripp,

    the default behavior of the NpmDependencyScanner is to read the input file as well as all package-lock.json files found in the node_modules directory.

    Rich and I had a longer discussion about this behavior last year (https://forums.inedo.com/topic/3934/pgscan-different-results-for-npm-dependencies/13).
    Result of this discussion was to add "--package-lock-only" to be able to ignore the package-lock.json files in node_modules.

    The code for this is already part of pgutil ('packageLockOnly'-property in NpmDependencyScanner). The only thing missing here is the possibility to set this property from the outside.

    Thanks,
    Caterina


  • inedo-engineer

    @caterina thanks, we'll discuss this internally and get back to you soon!


  • inedo-engineer

    Hi @caterina,

    We are working to add this back, but the hold up has been trying to properly document this. Here are our thoughts, but we wanted to get your feedback.

    We are looking to change the parameter name to --do-not-scan-node_modules with a command line description of:

    Do not scan the node_modules directory when scanning for package-lock.json files

    What are your thoughts on this?

    Thanks,
    Rich



  • Hi @rhessinger,

    sorry for the late response, this somehow slipped my mind.

    Your suggestion looks good to me. The description is easy to understand and also the parameter name is very descriptive.

    Thanks,
    Caterina


  • inedo-engineer

    Hi @caterina,

    No problem, thanks for getting back to us. We have an upcoming release of pgutil that will include this flag. We also have improved this command a bit by allowing you to use the working directory which will search for the right files instead of --input having to specify the path to the file (although you still can). It will now also automatically audit the scan directly after, you can use --noaudit to skip the audit. We should have those updates pushed this week.

    Thanks,
    Rich

