-
Notifications
You must be signed in to change notification settings - Fork 333
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
[Feat] Postinstall message about repo owner #619
[Feat] Postinstall message about repo owner #619
Conversation
Thanks! Could you explain the connection between |
You are right, the reason with this PR was addresses on the linked issue as someone asked to provide some message if the owner of this repo changed. I would have to add the extra check if |
I don't think it makes much sense to work with stdout from (post)install scripts anymore, since it's planned to get removed soonish: npm/rfcs#77 (comment) |
I managed to retrieve the list of this package owner as example by using a process child, not sure if it is the ideal way to do it. Of course we can apply the same logic for every package that is being updated. However, it have a big question about how the message should be displayed as I was thinking on displaying the entire list of packages whose owner changed on the postinstall script but noticed it was a DUMB idea as the author of the original issue was talking about every package being update and not only this one 🤦♂ I can provide such functionality and delete the postinstall script if someone helps me to clarify the author needs. Cheers! |
I think the original issue was referring to dependency owners. If a dependency owner changes, there is a security risk. npm-check-updates is not a runtime dependency so does not have the same risk. I would suggest the following output if an owner changed:
I have some concern about the performance implications of a separate network request for each package. For this reason I think it should be opt-in. |
Doesn't the owner ls endpoint just give the current owners? Is there a historical endpoint? As otherwise that wouldn't reliably work, I think |
@stoically Indeed, we would need a reliable historical owner endpoint. Or it could be cached locally but that seems fragile. |
I don't think npm has such historical owner endpoint... EDIT: A possible solution would be comparing the |
Querying npm for a specific package version gives the maintainer information from that very version. So querying all old versions first and comparing that to the new versions might actually work. |
Sounds good to me, I will make the changes, test and share a screenshot if the result is the expected one. After that, I will close this PR and open another in order to keep clean the commit history. UPDATE Pacote doesn't fetch author, maintainers or colaborators data. const pacote = require('pacote');
const npmConfig = require('libnpmconfig').read();
// npmConfig.cache = false;
function sample(packageName) {
return pacote.packument(packageName, npmConfig).then(result => {
console.log(`Package ${packageName} metadata`);
for (let key in result.versions) {
const versionVal = result.versions[key];
console.log(`Version ${key}`);
console.log(versionVal);
if (versionVal.author) {
console.log(`Author ${versionVal.author.name}`);
}
if (versionVal.contributors && versionVal.contributors.length) {
console.log(`Contributors count: ${versionVal.contributors.length}`);
}
if (versionVal.maintainers && versionVal.maintainers.length) {
console.log(`Maintainers count: ${versionVal.maintainers.length}`);
}
}
});
}
sample('express').then(() => console.log('All good')).catch(reason => console.error(reason.message)); Returns some properties for each version but none of them includes the important ones for this feature. I tried with |
Setting |
Thanks mate, that was really helpfull. 🚀 |
Fixes #465 and also some missing lint errors that were causing the travis build to fail.
The only thing that I don't understand is why the
chalk
color isn't being applied on the postinstall after using the one from npm while locally it works.