secure-dependencies

3.0.0 • Public • Published

Never run npm install in production again!

Creates a tarball of your app's production dependencies, checked with npm audit. Just unpack it in production and you're ready to go.

Why

Usage

npx -p secure-dependencies secure-dependencies

{appname}-{nodeVersion}-{appVersion}.tgz is produced, containing all production dependencies, unless nsp check complains.

Become left-pad proof!

Node support

This library could support versions 0.x but it doesn't. Consider this another reason to finally upgrade.

While it might work, the node version in the filename will be 0. That is trivial to fix, but I believe I should not.

shrinkwrap

secure-dependencies follows npm-shrinkwrap.json. If you want a shrinkwrap for production only and not for local development, rename it to npm-shrinkwrap-production.json; it will then be used when installing the modules for the bundle.

What does it do?

In summary:

npm install --production
npm prune
npm dedupe
npm audit (via npm-audit-resolver)
tar

But don't trust me with your security, read the code!

Try it out

cd exampleapp
npm install
npm start

exampleapp-node6-1.0.0.tgz is created

Get bundle name

If you're scripting your deployment with configuration managers (or bash), it's often annoying to deal with parsing package.json.

secure-dependencies exposes a tiny script that generates the filename. You can use it to find out what the bundle name will be, based on the package.json in the current directory.

npx -p secure-dependencies get-bundle-name

or

npm install -g secure-dependencies
get-bundle-name
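The filename rule above ({appname}-{nodeVersion}-{appVersion}.tgz) as an added example in Node.js; this is not the package's own get-bundle-name script. It assumes the caller reads package.json itself (e.g. with fs.readFileSync) and passes the text in, and it strips a scope prefix such as @acme/ from the name, which is this example's own choice rather than documented behaviour.

```javascript
// Added example, not part of the secure-dependencies package: compute the
// {appname}-{nodeVersion}-{appVersion}.tgz bundle name from package.json
// contents and a Node version string, mirroring what get-bundle-name produces.

// "v6.11.2" -> "6": only the major version goes into the filename.
function nodeMajor(versionString) {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(versionString);
  if (!m) throw new Error(`unrecognised node version: ${versionString}`);
  return m[1];
}

// A scoped name such as "@acme/app" contains "/", which would turn the
// result into a path rather than a filename; keep only the bare package name.
// (Assumption of this example, not documented behaviour of the package.)
function safeAppName(name) {
  if (typeof name !== 'string' || name.trim() === '') {
    throw new Error('package.json has no name');
  }
  return name.replace(/^@[^/]+\//, '');
}

// pkgJson: the text of package.json (e.g. from fs.readFileSync).
// versionString: defaults to the running Node's process.version.
function bundleName(pkgJson, versionString = process.version) {
  const pkg = JSON.parse(pkgJson);
  if (typeof pkg.version !== 'string' || pkg.version === '') {
    throw new Error('package.json has no version');
  }
  return `${safeAppName(pkg.name)}-node${nodeMajor(versionString)}-${pkg.version}.tgz`;
}

// Constructed sample matching the README's example app.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'exampleapp', version: '1.0.0' });
```

With the sample above and Node 6, bundleName returns exampleapp-node6-1.0.0.tgz, the same name the Try it out section shows.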

TODO

add paranoid mode
add scp as artifact repository

Apache-2.0 License

Collaborators

  • naugtur