DEV Community


Using npm's `ls` command for Fun and Insight

Tierney Cyren on March 21, 2019

One of my biggest problems with JavaScript and Node.js dependency trees is that it's... never been super easy to understand what you've got and wha...
George

Out of curiosity, if you are running npm install within your CI/CD pipeline, would inconsistencies between package.lock and package.json not be picked up there? And if so, what’s the benefit of this?

Tierney Cyren

This is assuming that a package-lock.json file exists. Some projects (like most of mine) opt out of this because it adds maintainer burden for no tangible benefit, at least in the case of modules. It's definitely recommended for applications, but since package-lock.json doesn't get published to the registry there's really very little point to keeping it around.

That said, as far as I know (and I could totally be wrong!) you can still have unmet dependencies that wouldn't be caught between package-lock.json and package.json.

Mihail Malo

shrinkwrap.json gets published :v

Tierney Cyren

Indeed it does, but it’s an antiquated approach that I try to keep out of my open-source packages.

IMO the cost of maintaining an npm-shrinkwrap.json is higher than writing high-quality code that will be resilient enough to handle dynamic dependency resolution.

If I am feeling especially picky about a certain module or set of modules, I’ll generally pin the versions in my projects’ package.json

Mihail Malo

It doesn't matter what kind of code you write if your dependencies introduce bugs or change published API with a patch version :D

Tierney Cyren

You could not include those dependencies 😂

Mihail Malo

Be serious 😂

Liran Tal

George, if you have inconsistencies between the package manifest and the package lock, an npm install or a yarn install will produce different install results. Meaning to say, the lockfile will not be used as the source of truth.

Exactly for that you should actually use npm ci in order to force the lockfile.
I wrote about it in short here: dev.to/lirantal/so-you-think-youre...

Hussein Duvigneau

Is there a way to npm ls ... for below a version number? For example, if I do npm ls lodash I get a huge tree, mostly all on the latest version. I just want to see where the non-latest versions of the package are.

Tierney Cyren

As far as I know, not currently. If you were absolutely dead-set on doing this, you could output the command text to a file and then grep that file (or use JSON output and then parse the JSON with jq).

Glenn

I mostly live behind the corporate firewall and only pop out now and then. I have had similar issues when I want to discover what or how a module is used in an app. In the end I wrote mod-dep-mod. Which my friends and I find useful as you can run it locally and point it to github to search the dependency tree when you cannot actually install locally.

I appreciate the article. I often find these pointers really helpful, as we get comfortable with what we think the commands do and stop investigating, and I had not heard of dev.to either till this morning.

Boris Serdiuk

From running npm ls --production on the same project, we get a... much smaller result

The gist below that line shows the same long list of dependencies. I guess you wanted to show a different gist?

Tierney Cyren • Edited

I had to trim the first gist, since it was literally longer than the content of the post – added a link to the full gist at the bottom of the updated first gist. I'll update the post to include that in the content too!

Edit: Updated!

Abdu Manaz

Great article. When I run npm ls from the root project directory, I'm not getting the list of sub-dependencies, rather only the dependencies in package.json. Do you know why that's the case?