0.0.4 • Published 2 years ago
check-for-pinned-deps
check-for-pinned-deps is a small Node.js CLI script that checks the package.json in the current directory for dependencies that are not pinned to an exact version.
It supports checking dependencies from the following fields:
🕰️ How it works
- Loops over the above-mentioned dependency fields in the package.json of the current working directory
- Checks each dependency version for a valid exact semver pattern such as 1.2.3 or 4.5.6-alpha
  - URLs (or GitHub repositories) need to contain a commit-ish string or a semver string
  - file: version values are marked as pinned
- Exits with 0 if all dependencies are pinned, or 1 if unpinned dependencies were found, in which case it prints their names
🎯 Motivation
Pinning dependencies has several advantages in terms of reproducibility and security: an exact version resolves to the same published artifact on every install, so a newly published (possibly compromised) release cannot slip in through a range like ^1.2.3 or a dist-tag like latest. Note that package.json only covers direct dependencies; transitive dependencies are pinned by the lockfile (package-lock.json with npm ci), and a git dependency is only truly pinned by a full commit SHA, since tags and branches can be moved.
Renovate has a good blog post about this topic: Should you Pin your JavaScript Dependencies?
🚀 Usage
To use check-for-pinned-deps, you can easily invoke it with npx as follows:
npx check-for-pinned-deps
🧰 Requirements
- Node.js 18 or higher