Keep your npm projects healthy
Besides the JavaScript you develop yourself and that runs in the client, you will probably also use packages from the node.js ecosystem for
- client-side JavaScript code from others
- server-side JavaScript code from others
- developer tools written in JavaScript
that you have to keep clean and healthy.
In short:
npm doctor
npm outdated -g
npm update -g
npm outdated
npm update
npm audit
Check your environment
Before you look at a specific project it is a good idea to inspect the health of the environment.
The npm doctor command gives you a quite good overview of some general topics.
>npm doctor
npm WARN verifyCachedFiles Content garbage-collected: 156 (170728794 bytes)
npm WARN verifyCachedFiles Cache issues have been fixed
Check Value Recommendation/Notes
npm ping ok
npm -v not ok Use npm v9.1.2
node -v not ok Use node v18.12.1 (current: v16.13.2)
npm config get registry ok using default registry (https://registry.npmjs.org/)
which git ok C:\Program Files\Git\cmd\git.EXE
Verify cache contents ok verified 4761 tarballs
npm ERR! Some problems found. See above for recommendations.
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\Matthias\AppData\Local\npm-cache\_logs\2022-...Z-debug-0.log
Keeping the cache in a clean state is done by checking and fixing the cache folder.
You can also run npm cache verify individually.
If you have persistent problems, the npm help cache documentation recommends running npm cache clean -f to force a clean cache.
The not ok lines marked in red are hints that you may want to update the npm package and node.js itself.
In CI/CD pipelines this command should be present as a hint for possible problems in the runner package.
Check for outdated global packages
To list all globally installed packages use the command npm list -g.
>npm list -g
C:\Users\Matthias\AppData\Roaming\npm
├── eslint@7.2.0
├── markdown-link-check@3.10.3
├── mkcert@1.5.1
├── npm@8.18.0
├── sass@1.56.1
├── tslab@1.0.15
└── typescript@4.9.3
Another place to look for problems is the list of globally installed packages; find out about new versions using the npm outdated -g command.
>npm outdated -g
Package Current Wanted Latest Location Depended by
eslint 8.28.0 8.29.0 8.29.0 node_modules/eslint global
npm 8.18.0 9.1.3 9.1.3 node_modules/npm global
Here the outdated libraries are shown and you can update them by running npm update -g to upgrade to the Wanted version.
If you want to switch to the Latest version instead, use npm update -g
Check for outdated project packages
>npm outdated
Package Current Wanted Latest Location Depended by
eslint 8.28.0 8.29.0 8.29.0 node_modules/eslint project
stylelint 14.15.0 14.16.0 14.16.0 node_modules/stylelint project
terser 5.16.0 5.16.1 5.16.1 node_modules/terser project
The same applies to the packages installed in a project. I usually include the check in the test task in package.json:
"test": "npm outdated && npm run test:ts && npm run test:server && npm run test:css"
Check for known vulnerabilities
The npm package system also gives hints on known audit issues in the packages you have installed.
Using the command npm audit, all dependencies are scanned for known vulnerabilities. Hopefully you get:
>npm audit
found 0 vulnerabilities
But it may happen:
>npm audit
# npm audit report
qs <6.2.4
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install @11ty/eleventy@0.3.3, which is a breaking change
node_modules/qs
browser-sync >=2.12.1
Depends on vulnerable versions of qs
node_modules/browser-sync
@11ty/eleventy 0.3.4 - 1.0.2
Depends on vulnerable versions of browser-sync
node_modules/@11ty/eleventy
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Usually this is a temporary problem, as the maintainers of the packages are informed about audit issues as well and will likely fix them in a short time, so npm update will help.
- The provided link will guide you to the GitHub Advisory Database where you find details.
- There you will also find the problem reference material like https://nvd.nist.gov/vuln/detail/CVE-2022-24999.
- The dependency tree can be seen here:
@11ty/eleventy
==> browser-sync
==> qs
- npm audit fix will possibly downgrade some package versions; unwanted side effects like losing functionality may happen.
- npm v qs shows you details about the package and you can see when there are new versions available.
- This is tricky.
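To use npm audit as a gate in the test task or a CI/CD pipeline rather than reading its report by eye, the following script (an added example, not code from the original post) parses the output of npm audit --json, rebuilds the dependency chain down to the package carrying the advisory, and flags findings where the only available fix is a breaking change. The file name audit-gate.js and the embedded sample report are constructed for this example; the sample mirrors the qs / browser-sync / @11ty/eleventy case shown above.

```javascript
// Added example, not code from the original post: a CI gate that reads the JSON
// written by `npm audit --json` (npm 7+ report format) and fails the build above a
// severity threshold. Usage: npm audit --json > audit.json; node audit-gate.js audit.json
// Without an argument the constructed SAMPLE_REPORT below is used instead.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow the `via` links (a string names the dependency a package is affected
// through; an object is the advisory itself) down to the package carrying the
// advisory, rebuilding a chain like @11ty/eleventy ==> browser-sync ==> qs.
function chainFrom(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [name];
  seen.add(name);
  const next = vulns[name].via.find((v) => typeof v === 'string');
  return next ? [name, ...chainFrom(vulns, next, seen)] : [name];
}

function summarizeAudit(report, failOn = 'high') {
  const vulns = report.vulnerabilities || {};
  const findings = [];
  for (const [name, v] of Object.entries(vulns)) {
    if (!v.isDirect) continue; // only package.json entries can be bumped or replaced
    const chain = chainFrom(vulns, name);
    const root = vulns[chain[chain.length - 1]];
    findings.push({
      chain: chain.join(' ==> '),
      severity: root.severity,
      urls: root.via.filter((a) => typeof a === 'object').map((a) => a.url),
      // fixAvailable is true, false or { name, version, isSemVerMajor }; a
      // semver-major fix is what `npm audit` reports as "a breaking change".
      breakingFixOnly: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
    });
  }
  const failing = findings.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
  return { findings, failingCount: failing.length, failing: failing.length > 0 };
}

// Constructed sample mirroring the report shown in the post; not a real capture.
const ADVISORY = { name: 'qs', title: 'qs vulnerable to Prototype Pollution', severity: 'high',
  url: 'https://github.com/advisories/GHSA-hrpp-h998-j3pp', range: '<6.2.4' };
const FIX = { name: '@11ty/eleventy', version: '0.3.3', isSemVerMajor: true };
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  qs: { name: 'qs', severity: 'high', isDirect: false, via: [ADVISORY], effects: ['browser-sync'], range: '<6.2.4', fixAvailable: FIX },
  'browser-sync': { name: 'browser-sync', severity: 'high', isDirect: false, via: ['qs'], effects: ['@11ty/eleventy'], range: '>=2.12.1', fixAvailable: FIX },
  '@11ty/eleventy': { name: '@11ty/eleventy', severity: 'high', isDirect: true, via: ['browser-sync'], effects: [], range: '0.3.4 - 1.0.2', fixAvailable: FIX },
} };

const reportFile = process.argv[2];
const report = reportFile ? JSON.parse(require('fs').readFileSync(reportFile, 'utf8')) : SAMPLE_REPORT;
const result = summarizeAudit(report, 'high');
for (const f of result.findings) console.log(`${f.severity}\t${f.chain}${f.breakingFixOnly ? '\t(fix is a breaking change)' : ''}`);
if (reportFile) process.exitCode = result.failing ? 1 : 0; // gate only real reports
```

A non-zero exit code from the script fails the test task the same way a failing npm outdated does, so the pipeline stops until the dependency is updated or replaced.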