Looking at package.json

First lets create a simple project and add a single module, in this case npm-api which will we use to access the main repository.

1
2

npm init -y
npm add npm-api

And lets see what's been installed in node_modules:

1
2

ls -l node_modules | wc -l 
du -sh node_modules

68 directories with 12M of code! Yowza! That's-a big package. Lets parse up the package-lock.js file to see if it agrees:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

  'use strict';

  const fs = require('fs');

  let rawdata = fs.readFileSync('package-lock.json');
  let lockfile = JSON.parse(rawdata);

  Object.keys(lockfile.dependencies).forEach( (elem,index) => {
      console.log( `| ${index+1} | ${elem} | ${lockfile.dependencies[elem].version} |` );
  });

There's one additional directory installed in node_modules called .bin which is where binary executables of installed packages live, so that's the difference.

We can see what commands are installed:

1

ls -l node_modules/.bin

total 20
lrwxrwxrwx 1 wschenk wschenk 20 Sep  9 14:26 JSONStream -> ../JSONStream/bin.js
lrwxrwxrwx 1 wschenk wschenk 23 Sep  9 14:26 sshpk-conv -> ../sshpk/bin/sshpk-conv
lrwxrwxrwx 1 wschenk wschenk 23 Sep  9 14:26 sshpk-sign -> ../sshpk/bin/sshpk-sign
lrwxrwxrwx 1 wschenk wschenk 25 Sep  9 14:26 sshpk-verify -> ../sshpk/bin/sshpk-verify
lrwxrwxrwx 1 wschenk wschenk 16 Sep  9 14:26 uuid -> ../uuid/bin/uuid

The structure of package-lock.json is much simpler than Gemfile.lock, and it doesn't show which modules are the ones that the developer specified and which are ones are derivatives. We can take a guess at this by looking at modules that aren't another's dependancy.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

  'use strict';

  const fs = require('fs');

  let rawdata = fs.readFileSync('package-lock.json');
  let lockfile = JSON.parse(rawdata);

  let deps = Object.keys(lockfile.dependencies);
  let possible_mains = new Map();

  deps.forEach( elem => {
      possible_mains.set( elem,  true )
  } );

  deps.forEach( elem => {
      let requires = Object.keys(lockfile.dependencies[elem].requires || {})
      requires.forEach( dep => {
          possible_mains.delete( dep );
      } )
  } )

  possible_mains.forEach( (value, key) => console.log( key ) );

Which happily yields:

npm-api

So that looks correct for this project.

The next thing we are looking for is the repository of the source code, so we can see what code there's out there, how well it's maintained, etc.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

  var NpmApi = require('npm-api');

  (async () => {
      const repo = new NpmApi().repo( 'npm-api' );

      const pkg = await repo.package()

      console.log( "Name        ", pkg.name );
      console.log( "Version     ", pkg.version );
      console.log( "Description ", pkg.description );
      console.log( "License     ", pkg.license );
      console.log( "Homepage    ", pkg.homepage );
      console.log( "Repository  ", pkg.repository );
      console.log( "Clean repo  ", pkg.repository.url.replace( /git\+/g, '' ) );
      console.log( "Bug         ", pkg.bugs );
  })()

Name         npm-api
Version      1.0.0
Description  Base class for retrieving data from the npm registry.
License      MIT
Homepage     https://github.com/doowb/npm-api
Repository   { type: 'git', url: 'git+https://github.com/doowb/npm-api.git' }
Clean repo   https://github.com/doowb/npm-api.git
Bug          { url: 'https://github.com/doowb/npm-api/issues' }

Here we can see the repository is type git and the url has an unexplained git+ in front of it. Why? I'd love to know. But we can strip it out using the replace function to get something not pointlessly redundant from the type sibling attribute.

npm has a similar function to bundle outdated called… npm outdated. Exciting! Lets recreate that now.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

  'use strict';

  const NpmApi = require( 'npm-api' );
  const fs = require('fs');

  let rawdata = fs.readFileSync('package-lock.json');
  let lockfile = JSON.parse(rawdata);

  (async () => {    
      Object.keys(lockfile.dependencies).forEach( async (elem,index) => {
          const repo = new NpmApi().repo( elem );
          const pkg = await repo.package();

          const installed_version = lockfile.dependencies[elem].version;
          const current_version = pkg.version;

          console.log( `| ${elem} | ${installed_version} | ${current_version} | ${installed_version != current_version ? 'OUTDATED' : 'CURRENT'} |` );
      });
  })()

Which dumps out:

As with our Gemfile exploration, we can

1. Identify which modules are specified only from the lock file.
2. Look at all of the dependancies of the project to see which is out of date
3. Find the git repo that the original code is packaged from.

The next step will be to start looking into the repos themselves to ask a few questions:

1. Is the project maintained?
2. What is the project activity?
3. Is it a semver project?
4. What patch/minor/major code has changed?
5. How is the project connected to other projects?

Stay tuned!

1. https://docs.npmjs.com/configuring-npm/package-lock-json.html
2. https://docs.npmjs.com/about-packages-and-modules#npm-package-git-url-formats
3. https://github.com/doowb/npm-api