"Node Package Checker" - A tool to run various checks on npm modules
Requirements:
- Node.js version 16.x or greater

To install globally: `npm i -g npcheck`
npcheck requires a configuration file in which custom behavior can be specified. The configuration file has to be named `npcheck.json` in order for npcheck to pick it up.
- `modules`: The list of modules that npcheck will run checks on. (type: Array)
- `[module].name`: The name of the npm module. (type: String)
- `[module].npmLink`: The module's npm URL/link. (type: String)
- `licenses`: Config object that defines custom license-check behavior. (type: Object)
- `licenses.allow`: List of globally allowed licenses. (type: Array)
- `licenses.rules`: Custom per-module rules for license checks. (type: Object)
- `licenses.rules[module].allow`: Licenses allowed only for the specified module. (type: Array)
- `licenses.rules[module].override`: List of licenses that the CLI will treat as warnings (license decisions still to be made) but that won't break the CI. (type: Array)
- `citgm.skip`: List of modules to be skipped by the CITGM checker. (type: Array)
- `audit.allow`: Config object that defines vulnerabilities which have been assessed as ok to ignore. (type: Object)
- `audit.allow[CVE]`: The module and the affected modules that are allowed to be ignored for that CVE. (type: Array)
- `audit.allow[CVE][i].name`: Name of the module against which the CVE is reported. (type: String)
- `audit.allow[CVE][i].effects`: Modules that include the module against which the CVE is reported. (type: Array)
A simple npcheck configuration file:

```json
{
  "modules": [
    {
      "name": "express",
      "npmLink": "https://www.npmjs.com/package/express"
    }
  ],
  "licenses": {
    "allow": ["MIT", "Apache-2.0"],
    "rules": {}
  },
  "citgm": {
    "skip": ["rhea"]
  },
  "audit": {
    "allow": {
      "CVE-2022-0235": [{
        "name": "node-fetch",
        "effects": ["opencollective"]
      }]
    }
  }
}
```
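As an added example (not npcheck's own code), the following JavaScript applies the config keys described above the way this README reads them: a license passes if it is in the global `licenses.allow` list or the module's own `rules[module].allow`, an `override` entry is downgraded to a warning, and an `audit.allow[CVE]` entry suppresses a finding only for the named module and the dependents listed under `effects`. The `some-module` rule and the function names are constructed for illustration and how npcheck itself evaluates these keys may differ.

```javascript
// Constructed npcheck.json-style config (not loaded from disk, so the
// example runs offline). "some-module" and its rule are made up here.
const exampleConfig = {
  modules: [{ name: "express", npmLink: "https://www.npmjs.com/package/express" }],
  licenses: {
    allow: ["MIT", "Apache-2.0"],
    rules: { "some-module": { allow: ["ISC"], override: ["BSD-3-Clause"] } },
  },
  audit: {
    allow: { "CVE-2022-0235": [{ name: "node-fetch", effects: ["opencollective"] }] },
  },
};

// Returns "ok", "warning" or "error" for one module's license.
// Order matters: an allow match wins over an override match, so a
// license listed in both is simply allowed.
function checkLicense(cfg, moduleName, license) {
  const globalAllow = (cfg.licenses && cfg.licenses.allow) || [];
  const rules = (cfg.licenses && cfg.licenses.rules && cfg.licenses.rules[moduleName]) || {};
  if (globalAllow.includes(license) || (rules.allow || []).includes(license)) return "ok";
  if ((rules.override || []).includes(license)) return "warning";
  return "error";
}

// True when a CVE reported against `vulnerable`, pulled in by `dependent`,
// is covered by an audit.allow entry. Both the module name and the
// dependent must match, so an allow entry cannot silence the CVE globally.
function isAuditAllowed(cfg, cve, vulnerable, dependent) {
  const entries = (cfg.audit && cfg.audit.allow && cfg.audit.allow[cve]) || [];
  return entries.some(
    (e) => e.name === vulnerable && (e.effects || []).includes(dependent)
  );
}

// Models the --no-errors flag: every "error" result becomes a "warning".
function applyNoErrors(results, noErrors) {
  return noErrors ? results.map((r) => (r === "error" ? "warning" : r)) : results;
}

// The CI gate: only "error" results fail the run; warnings are reported but pass.
function ciPasses(results) {
  return !results.includes("error");
}
```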
While npcheck is very opinionated about how it works, there are also some extra options you can use to change its behavior.
- `--version`: Outputs the current version of npcheck.
- `--github-token`: The GitHub OAuth token npcheck will use when contacting the GitHub API.
- `--no-errors`: Treats all errors as warnings.
- `--help`: Shows the help below.
```
Usage: npcheck [options]

Options:
  --help          Show help                                          [boolean]
  --version       Show version number                                [boolean]
  --github-token  Custom GitHub token provided to the API for resources
                  (env variable GITHUB_TOKEN is also an option)
                                                     [string] [default: null]
  --no-errors     Treats every error as a warning   [boolean] [default: false]
```