
npx's Introduction

⚠️ DEPRECATED: This project has been deprecated - npx is now part of the npm cli


npx(1) -- execute npm package binaries

SYNOPSIS

npx [options] <command>[@version] [command-arg]...

npx [options] [-p|--package <pkg>]... <command> [command-arg]...

npx [options] -c '<command-string>'

npx --shell-auto-fallback [shell]

INSTALL

npm install -g npx

DESCRIPTION

Executes <command> either from a local node_modules/.bin, or from a central cache, installing any packages needed in order for <command> to run.

By default, npx will check whether <command> exists in $PATH, or in the local project binaries, and execute that. If <command> is not found, it will be installed prior to execution.

Unless a --package option is specified, npx will try to guess the name of the binary to invoke depending on the specifier provided. All package specifiers understood by npm may be used with npx, including git specifiers, remote tarballs, local directories, or scoped packages.

If a full specifier is included, or if --package is used, npx will always use a freshly-installed, temporary version of the package. This can also be forced with the --ignore-existing flag.

  • -p, --package <package> - define the package to be installed. This defaults to the value of <command>. This is only needed for packages with multiple binaries if you want to call one of the other executables, or where the binary name does not match the package name. If this option is provided <command> will be executed as-is, without interpreting @version if it's there. Multiple --package options may be provided, and all the packages specified will be installed.

  • --no-install - If passed to npx, it will only try to run <command> if it already exists in the current path or in $prefix/node_modules/.bin. It won't try to install missing commands.

  • --cache <path> - set the location of the npm cache. Defaults to npm's own cache settings.

  • --userconfig <path> - path to the user configuration file to pass to npm. Defaults to whatever npm's current default is.

  • -c <string> - Execute <string> inside an npm run-script-like shell environment, with all the usual environment variables available. Only the first item in <string> will be automatically used as <command>. Any others must use -p.

  • --shell <string> - The shell to invoke the command with, if any.

  • --shell-auto-fallback [<shell>] - Generates shell code to override your shell's "command not found" handler with one that calls npx. Tries to figure out your shell, or you can pass its name (either bash, fish, or zsh) as an option. See below for how to install.

  • --ignore-existing - If this flag is set, npx will not look in $PATH, or in the current package's node_modules/.bin for an existing version before deciding whether to install. Binaries in those paths will still be available for execution, but will be shadowed by any packages requested by this install.

  • -q, --quiet - Suppresses any output from npx itself (progress bars, error messages, install reports). Subcommand output itself will not be silenced.

  • -n, --node-arg - Extra node argument to supply to node when binary is a node script. You can supply this option multiple times to add more arguments.

  • -v, --version - Show the current npx version.

EXAMPLES

Running a project-local bin

$ npm i -D webpack
$ npx webpack ...

One-off invocation without local installation

$ npm rm webpack
$ npx webpack -- ...
$ cat package.json
...webpack not in "devDependencies"...

Invoking a command from a github repository

$ npx github:piuccio/cowsay
...or...
$ npx git+ssh://my.hosted.git:cowsay.git#semver:^1
...etc...

Execute a full shell command using one npx call w/ multiple packages

$ npx -p lolcatjs -p cowsay -c \
  'echo "$npm_package_name@$npm_package_version" | cowsay | lolcatjs'
...
 _____
< [email protected] >
 -----
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Run node binary with --inspect

$ npx --node-arg=--inspect cowsay
Debugger listening on ws://127.0.0.1:9229/....

Specify a node version to run npm scripts (or anything else!)

npx -p node@8 npm run build

SHELL AUTO FALLBACK

You can configure npx to run as your default fallback command when you type something in the command line with an @ but the command is not found. This includes installing packages that were not found in the local prefix either.

For example:

$ npm@4 --version
(stderr) npm@4 not found. Trying with npx...
4.6.1
$ asdfasdfasf
zsh: command not found: asfdasdfasdf

Currently, zsh, bash (>= 4), and fish are supported. You can access these completion scripts using npx --shell-auto-fallback <shell>.

To install permanently, add the relevant line below to your ~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish, or as needed. To install just for the shell session, simply run the line.

You can optionally pass through --no-install when generating the fallback to prevent it from installing packages if the command is missing.

For bash@>=4:

$ source <(npx --shell-auto-fallback bash)

For zsh:

$ source <(npx --shell-auto-fallback zsh)

For fish:

$ source (npx --shell-auto-fallback fish | psub)

ACKNOWLEDGEMENTS

Huge thanks to Kwyn Meagher for generously donating the package name in the main npm registry. Previously npx was used for a Tessel board Neopixels library, which can now be found under npx-tessel.

AUTHOR

Written by Kat Marchan.

REPORTING BUGS

Please file any relevant issues against the npm/cli repo.

LICENSE

This work is released by its authors into the public domain under CC0-1.0. See LICENSE.md for details.

SEE ALSO

  • npm(1)
  • npm-run-script(1)
  • npm-config(7)

npx's People

Contributors

alrra, antoinereneleau, boyum, calinou, chrmoritz, claudiahdz, daliborgogic, darcyclarke, elidoran, felipemonobe, gorhgorh, haroenv, hibiyasleep, hisk, int64ago, isaacs, janl, jdalton, jridgewell, katemihalikova, lewiscowper, macrusher, nicknaso, outsideris, passcod, simonua, sobolevn, soul-wish, watilde, zkat


npx's Issues

How to find out which file NPX runs?

When you run, say, npx webpack in a terminal, NPX finds a webpack package somewhere and runs it. How to identify the exact location of the binary that NPX runs? I'm looking for a tool like which in NPX.

Maybe there is an option like this (warning, it's not real code):

$ npx --which webpack
Local file /users/me/my-project/node_modules/.bin/webpack

$ npx --which rollup
Remote package https://www.npmjs.com/package/rollup

If there is no such feature, I request it.

Just in case, I use Node.js v10.16.3, NPM v6.12.0, NPX v6.12.0.

Is it possible to override the registry

What / Why

It would be great to be able to override the registry as we can do with npm install.

For example: npx create-react-app --registry https://registry.npmjs.org

This is useful for instance if you use a private registry and it's down for some reason. The only workaround is to set the npm config and unset it later.

[FEATURE] Cache by commit hash when executing from git repo

What / Why

The whole idea of npx is to use the saved package, by package version. But if you are using a package by git repo like npx git+https://github.com/eslint/eslint.git, npx will always download the package since the source can be changed without updating the version of the package.

When

  • npx git+https://github.com/eslint/eslint.git multiple times

How

Current Behavior

  • When I install eslint with npx git+https://github.com/eslint/eslint.git, it always downloads and installs the package:
> npx git+https://github.com/eslint/eslint.git
npx: installed 136 in 155.116s
> npx git+https://github.com/eslint/eslint.git
npx: installed 136 in 136.629s

Expected Behavior

  • Keep the commit hash to know if you already have the expected version.

Who

  • I can do that, I just need guidance.
  • But maybe it is under the npm ownership?

[BUG] npx ignores my global config

Hi, I have a problem with starting my application from my registry. I am doing it in a Debian stretch-slim image; I installed the nodejs package from the official repository in version 10.18.1 and npx version 6.13.4.

When I run npm config ls I get:

root@7226cbe7a647:/# npm config ls
; cli configs
metrics-registry = "https://myrepo/repository/npm"
scope = ""
user-agent = "npm/6.13.4 node/v10.18.1 linux x64"

; globalconfig /usr/etc/npmrc
ca = "-----BEGIN CERTIFICATE-----\nTRUNC-----END CERTIFICATE-----"
registry = "https://myrepo/repository/npm"

; node bin location = /usr/bin/node
; cwd = /
; HOME = /root
; "npm config ls -l" to show all defaults.

root@7226cbe7a647:/#

And when I run npx hasura-admin-klient I get:

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/hasura-admin-klient - Not found
npm ERR! 404 
npm ERR! 404  'hasura-admin-klient@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2020-01-30T09_46_18_090Z-debug.log
Install for hasura-admin-klient@latest failed with code 1

But when I run npm search hasura-admin-klient I get:

NAME                      | DESCRIPTION          | AUTHOR          | DATE       | VERSION  | KEYWORDS
hasura-admin-klient       | Klient pro…          | =t-project-gen… | 2020-01-29 | 1.2.0    |   

Is it a bug or am I doing something wrong? I have no user npmrc config and no project npmrc config.

Thank you!

[BUG] `npx` doesn't preserve whitespace in arguments on Windows

npx is not preserving arguments with internal white space correctly on Windows; it separates the arguments for the resulting executable. For example ...

$ # *nix
$ node -e "console.log(process.argv.slice(1))" "test this"
[ 'test this' ]
$ npx node -e "console.log(process.argv.slice(1))" "test this"
[ 'test this' ]
C:> rem Windows
C:> node -e "console.log(process.argv.slice(1))" "test this"
[ 'test this' ]
C:> npx node -e "console.log(process.argv.slice(1))" "test this"
[ 'test', 'this' ]

how to create an npx preset?

I can run npx envinfo@latest --preset nyc:

⟩ npx envinfo@latest --preset nyc
npx: installed 1 in 1.139s

  System:
    OS: macOS Mojave 10.14.6
    CPU: (8) x64 Intel(R) Core(TM) i7-3635QM CPU @ 2.40GHz
    Memory: 2.11 GB / 16.00 GB
  Binaries:
    Node: 12.5.0 - ~/.nvm/versions/node/v12.5.0/bin/node
    Yarn: 1.16.0 - ~/.nvm/versions/node/v12.5.0/bin/yarn
    npm: 6.9.0 - ~/.nvm/versions/node/v12.5.0/bin/npm
  npmPackages:
    nyc: ^15.0.0 => 15.0.0

Could you write docs on how to write an npx preset so that, when replacing nyc with my library name, I could obtain my custom result?

[FEATURE] Is it possible to add an "--env-file" option?

What / Why

Is it possible to support an option -e (which is short for --env-file) so that I can put all my environment variables in a .env file? Then I could run npx -e webpack or npx -e other.env webpack (defaulting to the .env file, while also letting you specify a file).

There is a similar project called dotenv, which allows you to add your runtime environment variables by:

node -r dotenv/config yourscript.js

When you are using a CLI library like webpack, it becomes much more complicated, like this:

node -r dotenv/config ./node_modules/.bin/webpack

So I wish we could have it in npx.

References

[BUG] `findNodeScript()` cannot find correct node script path in win32 (at least webpack package)

What / Why

On my Windows 10 box, I cannot run npx webpack; it produces the following output.

See the following cmd log.

C:\prj\webpack-demo>type package.json
{
  "name": "webpack-demo",
  "version": "1.0.0",
  "description": "",
  "private": true,
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "webpack --mode production && exit 0"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "devDependencies": {
    "http-server": "^0.12.1",
    "webpack": "^4.42.1",
    "webpack-cli": "^3.3.11"
  },
  "dependencies": {
    "lodash": "^4.17.15"
  }
}

C:\prj\webpack-demo>dir node_modules\webpack*
 C 드라이브의 볼륨: SSD
 볼륨 일련 번호: 1E07-5DF1

 C:\prj\webpack-demo\node_modules 디렉터리

2020-03-26  오후 02:54    <DIR>          webpack
2020-03-26  오후 02:54    <DIR>          webpack-cli
2020-03-26  오후 02:54    <DIR>          webpack-sources
               0개 파일                   0 바이트
               3개 디렉터리  40,466,583,552 바이트 남음

C:\prj\webpack-demo>npx webpack
Command failed: webpack spawn EPERM

As seen, npx webpack should produce some webpack commands.

On the other hand, when I run webpack directly, it just works.

C:\WorkSpace\prj\study\webpack\webpack-demo>node_modules\.bin\webpack
Hash: 029a3c105afe97d2be1b
Version: webpack 4.42.1
Time: 298ms
Built at: 2020-03-26 15:46:51
  Asset      Size  Chunks             Chunk Names
main.js  72.1 KiB       0  [emitted]  main
Entrypoint main = main.js
[1] d:/WorkSpace/prj/study/webpack/webpack-demo/src/index.js 242 bytes {0} [built]
[2] (webpack)/buildin/global.js 472 bytes {0} [built]
[3] (webpack)/buildin/module.js 497 bytes {0} [built]
    + 1 hidden module

WARNING in configuration
The 'mode' option has not been set, webpack will fallback to 'production' for this value. Set 'mode' option to 'development' or 'production' to enable defaults for each environment.
You can also set it to 'none' to disable any default behavior. Learn more: https://webpack.js.org/configuration/mode/

C:\WorkSpace\prj\study\webpack\webpack-demo>

When

See above

Where

I'm not a Node.js developer 😢 and have only a little JavaScript knowledge, so I did some console.log debugging of this issue and figured out that the following code of findNodeScript() in index.js does not work correctly.

In that function,

         // findNodeScript() function body....

          const cmd = /"%~dp0\\node\.exe"\s+"%~dp0\\(.*)"\s+%\*/
          const mingw = /"\$basedir\/node"\s+"\$basedir\/(.*)"\s+"\$@"/i
          return str.match(cmd) || str.match(mingw)

It actually cannot find the cmd pattern in the batch script (c:\prj\webpack-demo\node_modules\.bin\webpack.cmd in my case), whose contents are:

@ECHO off
SETLOCAL
CALL :find_dp0

IF EXIST "%dp0%\node.exe" (
  SET "_prog=%dp0%\node.exe"
) ELSE (
  SET "_prog=node"
  SET PATHEXT=%PATHEXT:;.JS;=;%
)

"%_prog%"  "%dp0%\..\webpack\bin\webpack.js" %*
ENDLOCAL
EXIT /b %errorlevel%
:find_dp0
SET dp0=%~dp0
EXIT /b

With that script, findNodeScript() cannot find the actual node script's path, which is supposed to be something like C:\prj\webpack-demo\node_modules\webpack\bin\webpack.js in my case.

How

Current Behavior

See above

Steps to Reproduce

See above

Expected Behavior

findNodeScript() should parse the correct node script file path from script in win32 environment. See above.

Who

  • n/a

References

  • n/a

npx throwing Error : EPERM : operation not permitted with spaces in path : on windows

npx returns above Error while running npx create-react-app my-app

This error is due to spaces in the username or in the path, like: C:\Users\Rohit Bakoliya

node --version 
v12.16.1 (even with v13.11.0 and v10.16.3)
npm --version
16.13.4
npx --version
16.13.4

Error Log

C:\Users\UserName>npx create-react-app practical-react
Error: EPERM: operation not permitted, mkdir 'C:\Users\UserName'
TypeError: Cannot read property 'loaded' of undefined
at exit (D:\Program Files D\nodejs\node_modules\npm\lib\utils\error-handler.js:98:27)
at errorHandler (D:\Program Files D\nodejs\node_modules\npm\lib\utils\error-handler.js:216:3)
at D:\Program Files D\nodejs\node_modules\npm\bin\npm-cli.js:77:20
at cb (D:\Program Files D\nodejs\node_modules\npm\lib\npm.js:225:22)
at D:\Program Files D\nodejs\node_modules\npm\lib\npm.js:263:24
at D:\Program Files D\nodejs\node_modules\npm\lib\config\core.js:83:7
at Array.forEach (<anonymous>)
at D:\Program Files D\nodejs\node_modules\npm\lib\config\core.js:82:13
at f (D:\Program Files D\nodejs\node_modules\npm\node_modules\once\once.js:25:25)
at afterExtras (D:\Program Files D\nodejs\node_modules\npm\lib\config\core.js:173:20)
D:\Program Files D\nodejs\node_modules\npm\lib\utils\error-handler.js:98
var doExit = npm.config.loaded ? npm.config.get('_exit') : true
^

TypeError: Cannot read property 'loaded' of undefined
at exit (D:\Program Files D\nodejs\node_modules\npm\lib\utils\error-handler.js:98:27)
at process.errorHandler (D:\Program Files D\nodejs\node_modules\npm\lib\utils\error-handler.js:216:3)
at process.emit (events.js:198:13)
at process._fatalException (internal/bootstrap/node.js:496:27)
Install for create-react-app@latest failed with code 7

The .npmrc contains the wrong path; in my case it is prefix=C:\Users\Rohit. I tried to change it to the correct path, but it's not working.

[BUG] npx is using Yarn's cache to resolve dependencies

Hey there! 👋

What / Why

It seems that npx is sometimes using Yarn's cache to resolve dependencies (maybe to make it faster?).

This is not the intended behavior since Yarn's cache could be outdated and it creates many bugs during installation.

Here's an issue of our CLI failing due to this.

I've run into this issue myself once.

# Using npx --ignore-existing create-adonis-ts-app blog

fatal     TypeError: Cannot read property 'MustacheFile' of undefined
    at instructions (/Users/romainlanz/workspace/screencasts/blog/node_modules/@adonisjs/core/build/instructions.js:19:33)
    at Object.executeInstructions (/Users/romainlanz/.config/yarn/global/node_modules/@adonisjs/sink/src/executeInstructions.js:47:15)
    at async task (/Users/romainlanz/.config/yarn/global/node_modules/create-adonis-ts-app/build/tasks/executeInstructions.js:27:13)
    at async Object.runTasks (/Users/romainlanz/.config/yarn/global/node_modules/create-adonis-ts-app/build/index.js:138:13)

I've ended up uninstalling yarn to make it work.

Current Behavior

It uses Yarn's cache instead of re-fetching a dependency, even with --ignore-existing flag.

Steps to Reproduce

There's no real step to reproduce, since you need to have used Yarn once and have an update that breaks the cache.

Expected Behavior

npx should download all new dependencies instead of relying on Yarn's cache.

[QUESTION] Is there support for following module resolution paths?

What / Why

I'm currently running into an issue, with a monorepo, in that I want npx to pick up the executable in the parent directory, instead of just looking at the current directory. I'm not sure if I'm missing something, but running npx eslint in the sub package folder of the monorepo cannot find eslint in the parent node_modules directory.

The node Module documentation, https://nodejs.org/api/modules.html, specifies the load order for modules, including parents. Executing require.resolve.paths('') should return the list of all available paths that are searched on a require.

Where

This should be how require operates currently today.

[QUESTION] How do I get access to the directory of the module containing it, if any?

What / Why

I have an entry in my package.json:

  "bin": {
    "js-kit": "./bin/kit.js"
  },

Say I am in ~package/some/subdir and run:

npx js-kit

The executable will be called. However, kit.js (the actual program) only has access to CWD (being ~package/some/subdir) rather than ~package (which is what I am interested in).

Is there any way to know on behalf of what package the script was run?
I DO realise that if the script is run directly (node_modules/.bin/js-kit) or if js-kit is installed globally, there won't be a "module directory". But IF it's run from a local module (not globally), via npx, do I have access to the hosting module's full path?

[BUG] npx stops traversing looking for match if directory has package.json file

What / Why

copied from zkat/npx#222

We hoist all our common deps to the top-level parent, as well as common utilities (jest, eslint, pm2, etc.)

However, many of the child folders have their own package.json for one reason or another. (version strings, main: declaration, etc.)

npx won't traverse past the current directory, but only if it has a package.json. (This was reported and then closed in #210)

/package.json
/node_modules
/node_modules/.bin/foo
/packages
/packages/bar
/packages/bar/package.json

I should be able to, in packages/bar, call npx foo and have it resolve. This is expected behavior. But it won't.

If packages/bar does NOT have a package.json, npx foo will resolve to the correct in 2 parents up.

Is there a way to tell npx to keep going up the directory hierarchy looking for matches?

[BUG] npx error caused by a single quote in username

I'm trying to install react native, whenever I execute npx react-native init AwesomeProject
I get

npm ERR! code ENOLOCAL
npm ERR! Could not install from "HP\AppData\Roaming\npm-cache_npx\2732" as it does not contain a package.json file.

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\Fouad's HP\AppData\Roaming\npm-cache_logs\2020-01-13T01_20_40_146Z-debug.log
Install for react-native@latest failed with code 1

As you can see, my Windows username is "Fouad's HP", and the error shows that npm could not install from HP\AppData... instead of Fouad'sHP\AppData...

[BUG] NODE_PATH environment variable is ignored

What / Why

Error message: "not found: gulp"

When

  1. setx NODE_PATH "my node_modules path"
  2. npx --no-install gulp myTask

Where

Windows, Node 12.16.1

Expected Behavior

gulp from NODE_PATH used

Size of _npx directory?

What / Why

Why is the size of the _npx directory so huge?
[image: npx size]

Inside of the _npx directory, there are these directories:
[image: inside of npx]

All of these directories contain bin and lib directories.

My Questions:

  1. Why is the size of _npx so huge?
  2. What are these directories? What purpose do they serve?

[QUESTION] Vulnerabilities in npx 10.2.0

What / Why

I've added npx 10.2.0 today to my project (on an Arch Linux machine).
After that I executed npm audit to check for vulnerabilities and got the following output.

found 51 vulnerabilities (10 low, 25 moderate, 16 high) in 5326 scanned packages
  51 vulnerabilities require manual review. See the full report for details.

or a bit more detailed:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > tough-cookie                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/525                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > tough-cookie     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/525                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > tough-cookie                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/525                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > http-proxy-agent >  │
│               │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > https-proxy-agent > │
│               │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > cacache > ssri                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > cacache > ssri                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > cacache > ssri      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > ssri                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > ssri                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > ssri                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > ssri                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > hawk > boom > hoek          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > hawk > boom >    │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > hawk > boom > hoek                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > hawk > cryptiles > boom >   │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > hawk > cryptiles │
│               │ > boom > hoek                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > hawk > cryptiles > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > hawk > hoek                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > hawk > hoek      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > hawk > hoek                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > hawk > sntp > hoek          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > hawk > sntp >    │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > hawk > sntp > hoek                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/566                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > https-proxy-agent   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/593                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > https-proxy-agent   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.13.2 < 1.14.0 || >=1.14.1                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > http-signature > sshpk      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/606                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.13.2 < 1.14.0 || >=1.14.1                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > http-signature > │
│               │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/606                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.13.2 < 1.14.0 || >=1.14.1                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > http-signature > sshpk                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/606                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy-agent                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > pacote > make-fetch-happen > http-proxy-agent    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/607                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > libnpx > update-notifier > latest-version >            │
│               │ package-json > registry-auth-token > rc > deep-extend        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/612                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > libnpx > update-notifier > latest-version >            │
│               │ package-json > registry-url > rc > deep-extend               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/612                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > update-notifier > latest-version > package-json  │
│               │ > registry-auth-token > rc > deep-extend                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/612                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > update-notifier > latest-version > package-json  │
│               │ > registry-url > rc > deep-extend                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/612                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stringstream                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > stringstream                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/664                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stringstream                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > stringstream     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/664                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stringstream                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > stringstream                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/664                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.2 <3.0.0 || >=4.4.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > tar                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.2 <3.0.0 || >=4.4.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > tar                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > fstream                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/886                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > fstream-npm > fstream-ignore > fstream           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/886                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > fstream                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/886                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > tar > fstream                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/886                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > tar > fstream                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/886                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ extend                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.2 <3.0.0 || >=3.0.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > node-gyp > request > extend                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/996                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ extend                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.2 <3.0.0 || >=3.0.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > npm-registry-client > request > extend           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/996                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ extend                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.2 <3.0.0 || >=3.0.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm > request > extend                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/996                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mem                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > libnpx > yargs > os-locale > mem                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1084                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.13.3                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1434                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Symlink reference outside of node_modules                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.13.3                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1436                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Global node_modules Binary Overwrite                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.13.4                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npx > npm                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1437                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 51 vulnerabilities (10 low, 25 moderate, 16 high) in 5326 scanned packages
  51 vulnerabilities require manual review. See the full report for details.

Are there any plans to work on that?

[FEATURE] shell tab-completion

What / Why

zkat/npx#5

completion support, at least for existing binaries in the $PATH

When

I want to do npx stan<TAB> -> npx standard, if standard is in the ./node_modules/.bin/ but not in the $PATH.

Where

For existing binaries in the $PATH

[QUESTION] (How) Is this maintained?

What / Why

  • the last commit to the default branch was from the end of August 2019
  • there are 6 open PRs for updating dependencies (also related to security issues, see #29) and all but one of them were created at the beginning of November 2019
  • the last release on npm was in April 2018

Can something be done to support keeping this package up to date?
E.g. by adding some contributors?

Who

  • @npm/npx (not sure there is such a team)
  • @zkat (hoping she has some information to share)

References

PS: I'm willing to contribute.
PPS: I'm also very interested in some of the features people asked for, but I think keeping this package up to date is more important.

[FEATURE] introduce new command to alias npx --no-install to avoid possible security issue

What / Why

npx is widely used to bootstrap various projects using the latest available packages in the npm registry without having to install them locally and keeping up to date whenever one wants to use them. I think that this is the one feature the public is aware of the most, at least in my circles.

It was only after I got frustrated with a package which used a different name for its executable, failing to run it big time, that I discovered that npx is meant to run packages first, then install them from npm as a fallback. Turns out there were many more people as surprised as me (from the library's issues).

Moreover, the name this package used for its executable refers to a completely different package in npm, which also poses a possible security threat.
I have already warned the library authors to use --no-install with all their npx commands in the docs, but that will just bother the end user.

To avoid confusion and security leaks, I suggest that npx --no-install or npx --ignore-existing be separated to different commands altogether.

related #9


One idea that crossed my mind (to avoid completely different executable names) is to use npx <package> to run local packages and npx i <package> to run them with installation, which is a pattern already known from npm.

GHSL-2020-121

Hello,

I am a member of the GitHub Security Lab (https://securitylab.github.com).

I've attempted to reach a maintainer for this project to report a potential security issue but have been unable to verify the report was received. Please could a project maintainer contact us at [email protected], using reference GHSL-2020-121?

Thank you,
Kevin Backhouse
GitHub Security Lab

[FEATURE] Monorepo support (standard node bin resolution)

What / Why

Monorepos hoist certain dependencies to the root of the monorepo. eslint for example may have a single version to avoid installing duplicates or needing to upgrade the version in many places. You are working on changes to a single package and you want to run the monorepo's eslint on the individual package.

When

When you run npx eslint

Where

This only applies to packages that should be found locally
In this example the user runs the command from
my-repo/packages/my-package
and expects to execute
my-repo/node_modules/.bin/eslint

How

now brown cow

Current Behavior

npx considers my-repo/packages/my-package/node_modules/.bin and, failing to find eslint, falls back either to a global bin or to fetching the package.

Expected Behavior

npx considers my-repo/packages/my-package/node_modules/.bin and, failing to find eslint, falls back to my-repo/packages/node_modules/.bin (which doesn't exist), then my-repo/node_modules/.bin (which does), finds the eslint binary and runs it. This is simply the standard node mechanism for resolving packages or binaries.

Who

I don't know that!

References

  • n/a

NPX doesn't seem to run @babel packages properly

Why doesn't this work?
npx -p @babel/core -p @babel/cli -p @babel/preset-env babel --presets=@babel/preset-env src -d deploy

This does work, but I didn't think preinstalling was necessary with NPX:
npm i @babel/core @babel/cli @babel/preset-env && npx babel --presets=@babel/preset-env src -d deploy

For my current project it's being included in a Heroku application build script, where the reported error is:

remote: npx: installed 302 in 16.391s
remote: { Error: Cannot find module '@babel/preset-env' from '/tmp/build_d9c5cb59d8e4131a23bd0ce2437051f9'
remote: at Function.module.exports [as sync] (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/node_modules/resolve/lib/sync.js:74:15)
remote: at resolveStandardizedName (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/files/plugins.js:101:31)
remote: at resolvePreset (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/files/plugins.js:58:10)
remote: at loadPreset (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/files/plugins.js:77:20)
remote: at createDescriptor (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/config-descriptors.js:154:9)
remote: at items.map (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/config-descriptors.js:109:50)
remote: at Array.map ()
remote: at createDescriptors (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/config-descriptors.js:109:29)
remote: at createPresetDescriptors (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/config-descriptors.js:101:10)
remote: at passPerPreset (/tmp/npmcache.qz5Sl/_npx/595/lib/node_modules/@babel/core/lib/config/config-descriptors.js:58:96) code: 'MODULE_NOT_FOUND' }
remote: npm ERR! code ELIFECYCLE
remote: npm ERR! errno 1

[BUG] Script execution fails for scoped packages that contain dependencies

What / Why

If a package is published to a registry other than npmjs.com (i.e. a GitLab registry), executing scripts from the package will fail if the package contains any dependencies.

If the package contains no dependencies, the script will execute successfully.

When

  • The package is published to a custom registry using a scoped name (i.e. @my-registry/my-package)
  • The package contains dependencies

Where

How

Current Behavior

~/source/npx-test $ npx @testing-npm-registry/npx-test@2
npx: installed 1 in 1.116s
Cannot find module 'moment'
Require stack:
- /Users/nathanfriend/.npm/_npx/89425/lib/node_modules/@testing-npm-registry/npx-test/cli.js

Steps to Reproduce

Complete steps to reproduce, including an example project, can be found at https://gitlab.com/testing-npm-registry/npx-test.

Expected Behavior

~/source/npx-test $ npx @testing-npm-registry/npx-test@2
npx: installed 2 in 1.838s
Hello World!
Today is October 30, 2019

Who

  • n/a

References

  • n/a

[BUG] Npx doesn't execute my scoped package and opens its bin file in my editor

What / Why

I freshly published a binary tool to help me with my projects (https://www.npmjs.com/package/@telokys/easy-typescript).
The code source can be found there if need be.
I expected to be able to run npx @telokys/easy-typescript in order to easily run my bin without even installing it.
Instead of running my script, npx opens the build/src/bin.js file inside my VSCode without executing it.
It still prints npx: installed 12 in 4.738s but doesn't execute anything.
I tried using npx -p @telokys/easy-typescript easy-typescript but the exact same behavior occurred.

npx works fine for anything else and I just updated it (using npm i -g npm@latest) to version 6.14.2.

As a side note, I also get an annoying error about rimraf:

npx: installed 12 in 4.738s

 C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:313
        throw er
        ^

Error: ENOTEMPTY: directory not empty, rmdir 'C:\Users\Telokis\AppData\Roaming\npm-cache\_npx\1176\node_modules\@telokys\easy-typescript\build'
    at Object.rmdirSync (fs.js:769:3)
    at rmkidsSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:356:25)
    at rmdirSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:334:7)
    at rimrafSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:304:9)
    at C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:342:5
    at Array.forEach (<anonymous>)
    at rmkidsSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:341:26)
    at rmdirSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:334:7)
    at rimrafSync (C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:304:9)
    at C:\Users\Telokis\AppData\Roaming\npm\node_modules\npm\node_modules\rimraf\rimraf.js:342:5 {
  errno: -4051,
  syscall: 'rmdir',
  code: 'ENOTEMPTY',
  path: 'C:\\Users\\Telokis\\AppData\\Roaming\\npm-cache\\_npx\\1176\\node_modules\\@telokys\\easy-typescript\\build'
}

[FEATURE] Be able to execute a nested package

What / Why

Major use case: Execute a package that is installed as a dependency of a dependency, inside its own node_modules folder.

There are some cases - e.g., local packages - in which NPM installs packages as nested dependencies. NPX is not yet able to execute them.

Example: When I install foo, it installs rimraf as a dependency (inside its own node_modules folder). When I run npx --no-install rimraf, rimraf is not found. I would like to run it without having to install it explicitly.

node_modules/
┣ foo/          
┃ ┣ node_modules/
┃ ┃ ┗ rimraf/
┃ ┃   ┗ ...
┃ ┗ ...
┗ bar/

So, currently I can use npx --no-install to execute foo or bar but I cannot execute rimraf.

$ npx --no-install rimraf
  not found: rimraf

PROPOSAL

A flag such as --recursive to search for a nested package, since the search could take some time.

Example:

$ npx --no-install --recursive rimraf

When

  • n/a

Where

  • n/a

How

Current Behavior

  • NPX cannot run an application installed as a nested package.

Expected Behavior

$ npx --no-install --recursive my-nested-pkg

Who

  • n/a

References

  • n/a

[FEATURE] $PATH with ~ is not supported

What / Why

If a path in the $PATH variable starts with "~", npx doesn't resolve "~" to the user's home dir and, as a result, is unable to find a script installed globally.

Ex:

export PATH=$PATH:~/.npm/bin
# npx unable to run scripts, located in ~/.npm/bin

When

  • n/a

Where

  • n/a

How

Current Behavior

  • n/a

Expected Behavior

  • n/a

Who

  • n/a

References

  • n/a

[BUG] existing shell command will mask scoped package with the same name

What / Why

executing command like npx @dr-js/node will run node directly
but with added tag or version like npx @dr-js/node@dev, the correct package will install and run

also can test with existing command like npx @qwerty/git will just run git

When

when using npx to run a scoped package and:

  • have a name same as existing shell command, like: npx @dr-js/node
  • do not specify extra version or tag like: npx @dr-js/node@dev

Where

  • n/a

How

Current Behavior

  • n/a
~# npx @dr-js/node
Welcome to Node.js v12.13.0.
Type ".help" for more information.
> 

Steps to Reproduce

  • n/a

Expected Behavior

  • n/a
~# npx @dr-js/node
npx: installed 2 in 3.437s
CLI Usage:
  --config --c -c [OPTIONAL] [ARGUMENT=1]
      from ENV: set to "env"
      from JS/JSON file: set to "path/to/config.js|json"
  --help --h -h [OPTIONAL] [ARGUMENT=0+]
      show full help
  --version --v -v [OPTIONAL] [ARGUMENT=0+]
  ...

Who

  • n/a

References

  • n/a

Consider disabling npx auto-install by default

Copied from npm/npm#19673

I'm opening this issue because:

  • npm is doing something I don't understand.

What's going wrong?

A feature of npx that I was not aware of until today is that it will auto-install and auto-execute any module not found in path. I discovered this by typing npx ts (ts module) instead of npx tsc (typescript). By the time I realized what happened, the module had already installed and executed on my machine.

The module could be malicious, or just plain annoying to undo (e.g. writing certain files around my system, modifying configs, deleting files in current folder, etc). It's hard to know what just got run on my machine without downloading & inspecting the JS in the tarballs.

How can the CLI team reproduce the problem?

Running npx [command] will auto-install and auto-run a module not installed. This is a handy feature but IMHO it should be opt-in to avoid catastrophic situations where somebody mis-types a module, or runs code from a gist.

I realize it's not really different from npm install [bad-code], but at least the latter is much more explicit and obvious what is happening. I was under the impression npx was used for running local node_modules bin scripts, but not much else. I also tend to type npx [cmd] more frequently than npm install, thus it seems more prone to typos/errors.

Thoughts? Or is it just me?

EDIT:

Here is a scenario where npx [cmd] is a bit more problematic than just npm i.

  • A popular package, cool-mvc, has a bin script called funkytown. The docs guide users to run npm install cool-mvc && npx funkytown to launch the script in their own project.
  • At some point, the user loses reference to the bin script, e.g. by deleting the local node_modules or cd'ing out of the project folder.
  • The user runs npx funkytown again, and the result is surprising. It installs and executes the bin script in the funkytown module, not the cool-mvc module. This new module may be malicious, or just an unlucky coincidence.

[BUG] NPX doesn't work if path has any spaces in it

What / Why

When running npx in a path that has spaces in it, npx fails

Current Behavior

  • fails with Error: EPERM: operation not permitted, mkdir 'C:\Users\Rauf'

Steps to Reproduce

  • have a path with a space in it (ex: C:\Users\Rauf Islam\code\portfolio)

Expected Behavior

  • npx should continue after the space to get the full path

[BUG] All commands throw error: cb.apply is not a function

What / Why

Using npx to run a command, for example npx webpack, throws: "cb.apply is not a function".
Here's the output log:

0 info it worked if it ends with ok
1 verbose cli [
1 verbose cli   '/home/tin/.nvm/versions/node/v14.5.0/bin/node',
1 verbose cli   '/home/tin/.nvm/versions/node/v14.5.0/lib/node_modules/npx/node_modules/npm/bin/npm-cli.js',
1 verbose cli   'install',
1 verbose cli   'webpack@latest',
1 verbose cli   '--global',
1 verbose cli   '--prefix',
1 verbose cli   '/home/tin/.npm/_npx/42772',
1 verbose cli   '--loglevel',
1 verbose cli   'error',
1 verbose cli   '--json'
1 verbose cli ]
2 info using [email protected]
3 info using [email protected]
4 verbose npm-session 181369e9e33cec15
5 silly install loadCurrentTree
6 silly install readGlobalPackageData
7 http fetch GET 200 https://registry.npmjs.org/webpack 936ms
8 http fetch GET 200 https://registry.npmjs.org/webpack/-/webpack-4.43.0.tgz 278ms
9 silly pacote tag manifest for webpack@latest fetched in 1256ms
10 verbose stack TypeError: cb.apply is not a function
10 verbose stack     at /home/tin/.nvm/versions/node/v14.5.0/lib/node_modules/npx/node_modules/npm/node_modules/graceful-fs/polyfills.js:287:18
10 verbose stack     at FSReqCallback.oncomplete (fs.js:177:5)
11 verbose cwd /tmp
12 verbose Linux 5.4.0-40-generic
13 verbose argv "/home/tin/.nvm/versions/node/v14.5.0/bin/node" "/home/tin/.nvm/versions/node/v14.5.0/lib/node_modules/npx/node_modules/npm/bin/npm-cli.js" "install" "webpack@latest" "--global" "--prefix" "/home/tin/.npm/_npx/42772" "--loglevel" "error" "--json"
14 verbose node v14.5.0
15 verbose npm  v5.1.0
16 error cb.apply is not a function
17 verbose exit [ 1, true ]

When

Tried npx webpack and npx create-react-app.

How

Steps to Reproduce

Having node:v14.5.0, npm:6.14.6 and npx:10.2.2.
Try any command.

[FEATURE] Make it easier to install several dependencies at once

What / Why

Using npx to initiate project scaffolders is quite common and is actually the only reason I ever use npx. Such a scaffolder often needs more than one package installed though. I would appreciate if the syntax was a little bit leaner.

currently

npx -p yo -p generator-code -c "yo code"

desired

npx -c "yo code" -d yo generator-code

npx -c "<command-string>" -d <package>[ <package>]...

dependencies -d

  • -d <space-separated-packages-list> is a shorthand for [-p <package>]...
  • The -d option will interpret any <command> after -d as a package name until another <option> is encountered

ENOLOCAL when npm-cache path contains spaces on windows

If spaces are in the path to npm-cache on windows you always get the following error when executing npx:

C:\dev\adapter>npx @iobroker/create-adapter
npm ERR! code ENOLOCAL
npm ERR! Could not install from "Files\iobroker\SmartHome17\env\npm-cache\_npx\2772" as it does not contain a package.json file.

In this case the path to npm-cache was 'C:\Program Files\iobroker\SmartHome17\env\npm-cache'.

More logging:

1 verbose cli [ 'C:\\Program Files\\iobroker\\SmartHome17\\nodejs\\node.exe',
1 verbose cli   'C:\\Program Files\\iobroker\\SmartHome17\\nodejs\\node_modules\\npm\\bin\\npm-cli.js',
1 verbose cli   'install',
1 verbose cli   '@iobroker/create-adapter@latest',
1 verbose cli   '--global',
1 verbose cli   '--prefix',
1 verbose cli   'C:\\Program',
1 verbose cli   'Files\\iobroker\\SmartHome17\\env\\npm-cache\\_npx\\8336',
2 info using [email protected]
3 info using [email protected]
7 silly fetchPackageMetaData error for file:Files\iobroker\SmartHome17\env\npm-cache\_npx\8336 Could not install from "Files\iobroker\SmartHome17\env\npm-cache\_npx\8336" as it does not contain a package.json file.
12 verbose stack Error: ENOENT: no such file or directory, open 'C:\dev\adapter\Files\iobroker\SmartHome17\env\npm-cache\_npx\8336\package.json'
14 verbose Windows_NT 10.0.17134
15 verbose argv "C:\\Program Files\\iobroker\\SmartHome17\\nodejs\\node.exe" "C:\\Program Files\\iobroker\\SmartHome17\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "@iobroker/create-adapter@latest" "--global" "--prefix" "C:\\Program" "Files\\iobroker\\SmartHome17\\env\\npm-cache\\_npx\\8336" "--loglevel" "error" "--json"

NOTE: The child.spawn of npm always runs in shell mode when on Windows (it's the default, to prevent weird behavior). That means that arguments to npm need to be escaped (but as strings, not as paths).
The regular unix invocation doesn't need escaping, because it doesn't run in shell mode.

Some related npx issues:
zkat/npx#146 - workaround, not solved, closed
zkat/npx#100 - open, since July 2017
zkat/npx#223 - open, is npx project dead?

Solution:
zkat/npx#181 - open since May 2018

[QUESTION] <command not found: ajv>

What / Why

It worked fine on macOS, but I ran into problems in GitLab's Docker CI, whose image is a Linux system.

Where

Who

References

package.json script block in file

"scripts": {
  ...
  "test:schema": "./src/schemas/schema-test.sh"
}

.gitlab-ci.yml file contents

image: node:12
...
schema test:
  stage: test
  script:
    - yarn test:schema

variables:
  GIT_DEPTH: 10

schema-test.sh file contents

#!/usr/bin/env bash

# Test every file ending in schema.json via ajv

CURRENT_DIR=$(dirname "$0")

# Stop if the schema directory cannot be entered
cd "$CURRENT_DIR" || exit 1

for SCHEMA_FILE in *.schema.json
do
    # Sample file name: "schema" in the schema file name replaced by "sample"
    SAMPLE_FILE="samples/${SCHEMA_FILE/schema/sample}"
    echo "Schema file: $SCHEMA_FILE"
    if [ -f "$SAMPLE_FILE" ]
    then
        echo "Found sample file: $SAMPLE_FILE"
        npx ajv -s "$SCHEMA_FILE" -d "$SAMPLE_FILE"
    else
        echo "*NO* sample file found for $SCHEMA_FILE"
    fi
done

Gitlab CI error message

...
23 $ yarn test:schema
24 yarn run v1.21.1
25 $ ./src/schemas/schema-test.sh
26 Schema file: dev-assistant.schema.json
27 Found sample file: samples/dev-assistant.sample.json
28 npx: installed 6 in 1.124s
29 command not found: ajv
30 Schema file: form.schema.json
31 *NO* sample file found for form.schema.json
32 Schema file: news.schema.json
33 *NO* sample file found for news.schema.json
34 Schema file: repos.schema.json
35 Found sample file: samples/repos.sample.json
36 npx: installed 6 in 0.911s
37 command not found: ajv
38 Schema file: team-members.schema.json
39 Found sample file: samples/team-members.sample.json
40 npx: installed 6 in 0.902s
41 command not found: ajv
42 info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
43 error Command failed with exit code 1.
47 ERROR: Job failed: command terminated with exit code 1

[BUG] windows users getting git error for gists

What / Why

I've noticed some windows users are having trouble running some of my gists via npx. I use gists to help me organize setup for several workshops.

Here's a super simple example of a gist that does not work for some folks:

npx https://gist.github.com/kentcdodds/3928456ce125a6b158465bdc757fa97b
{
  "name": "test",
  "version": "1.0.0",
  "description": "a simple test",
  "bin": "./index.js"
}
#!/usr/bin/env node

console.log('hello world')

Here's the relevant bit from the error they receive:

Command failed: git submodule update -q --init --recursive
C:/Program Files/Git/mingw64/libexec/git-core\git-submodule: line 21: .: git-sh-setup: file not found

When

Whenever they run npx with a gist.

Where

Gists are hosted on public github. People experiencing this are all over the world.

How

Current Behavior

See above

Steps to Reproduce

See above

Expected Behavior

In the above case I expect "hello world" to be logged

Who

Here's one example: https://twitter.com/pkursawe/status/1242215327037108230

And another: kentcdodds/react-fundamentals#7

[BUG] Quotes not respected

What / Why

npx does not respect quotes around spaces in arguments list when running on an already-installed package.

When

When executing npx onto a pre-existing package.

Node version is 10.19.0

Npx version is 6.13.4

Where

CLI?

How

Current Behavior

Output of command below is:

[ 'C:\\Program Files\\nodejs\\node.exe',
  'C:\\Users\\buhala\\Desktop\\test123\\node_modules\\print-process-argv\\index.js',
  'hello',
  'world' ]

Steps to Reproduce

mkdir test123
cd test123
npm init -y
npm i --save print-process-argv
npx print-process-argv "hello world"

Expected Behavior

[ 'C:\\Program Files\\nodejs\\node.exe',
  'C:\\Users\\buhala\\Desktop\\test123\\node_modules\\print-process-argv\\index.js',
  'hello world' ]

This doesn't happen when the package is not installed. So far this bug is Windows-only.

[BUG] Windows username contains a space...

Current Behavior

  • I've got this error:
npm ERR! code ENOLOCAL
npm ERR! Could not install from "Invitée\AppData\Roaming\npm-cache\_npx\12672" as it does not contain a package.json file.

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\Famille Invitée\AppData\Roaming\npm-cache\_logs\2020-08-13T16_44_08_162Z-debug.log
Install for [ 'lolcatjs@latest' ] failed with code 1

Steps to Reproduce

  • Use a windows name with spaces in it
  • Try echo hello | npx lolcatjs

Expected Behavior

  • Normally I should get a beautiful rainbow hello
  • The path is trimmed at the space, because normally this path:
    "Invitée\AppData\Roaming\npm-cache\_npx\12672"
  • must be this path (or something like this...):
    "C:\Users\Famille Invitée\AppData\Roaming\npm-cache\_npx\12672"

My npx version (latest I think): 6.14.6
It must be a problem of parsing the path....
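The three Windows reports above (ENOLOCAL with a cache path containing spaces, "hello world" arriving as two arguments, and a user name containing a space) fit the mechanism described in the NOTE: in shell mode the argument array is flattened into one string and parsed again, so an unquoted space becomes an argument boundary. The following is an added example, not npx's code; it models the flattening instead of invoking cmd.exe, assumes the MSVC argument-parsing rules, and does not cover cmd.exe metacharacters.

```javascript
// Added example (not npx code). Assumption: shell mode flattens the argv
// array by joining it with single spaces before the shell re-parses it.

// Simplified Windows argv parser (MSVC rules): whitespace splits arguments
// outside double quotes; backslashes are special only before a quote.
function splitCommandLine(line) {
  const argv = [];
  let cur = '', inQuotes = false, started = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (ch === '\\') {
      let n = 0;
      while (line[i] === '\\') { n++; i++; }
      if (line[i] === '"') {
        cur += '\\'.repeat(Math.floor(n / 2));
        if (n % 2 === 1) cur += '"'; else inQuotes = !inQuotes;
      } else {
        cur += '\\'.repeat(n);
        i--; // let the loop revisit the character after the backslashes
      }
      started = true;
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (/\s/.test(ch) && !inQuotes) {
      if (started) argv.push(cur);
      cur = '';
      started = false;
    } else {
      cur += ch;
      started = true;
    }
  }
  if (started) argv.push(cur);
  return argv;
}

// Quote one argument as a string so the parser above returns it unchanged.
function quoteArg(arg) {
  if (arg !== '' && !/[\s"]/.test(arg)) return arg;
  const body = arg.replace(/(\\*)"/g, '$1$1\\"').replace(/(\\+)$/, '$1$1');
  return `"${body}"`;
}

// What the child process receives after a shell-mode round trip.
function roundTrip(args, quote) {
  return splitCommandLine(args.map(a => (quote ? quoteArg(a) : a)).join(' '));
}
```

Calling `roundTrip` with the `--prefix` value from the first log and `quote` set to `false` yields the same `'C:\\Program'` / `'Files\\...'` split that the verbose output shows.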

[BUG] Should execute a bin with matching name, when available, instead of first bin alphabetically

Suppose you have this in your package.json:

{
  "name": "@namespaced/my-awesome-package",
  "bin": {
    "add-numbers": "./bin/add-numbers.js",
    "my-awesome-package": "./bin/my-awesome-package.js"
  }
}

Calling npx @namespaced/my-awesome-package will execute add-numbers, although my-awesome-package is probably expected way more often than not.

Calling npx my-awesome-package -p @namespaced/my-awesome-package is a kludge, but also slow, because -p results in the package installation even if it is available.

local $PWD .npmrc not used when loading npm config

problem

  • npx <pkg> 404s, as my own registry is not being picked up from my local .npmrc

discussion

repro

  • create a .npmrc in a folder, /tmp/bananas/.npmrc with registry=https://bananas.org
  • cd /tmp/bananas
  • run npx some-fake-thing-xyz
  • study the log file omitted. observe that the normal npm registry is referenced

[FEATURE] Use version of package defined in package.json/lock file

Copying this issue from the original repo: zkat/npx#199 (comment)

This seems like a very helpful feature that is well within the scope of this package, and is the only thing preventing my team from using npx. (I work for a healthcare IT company, and it's required that we control the exact version of our dependencies that get run at any given time.)

Even more, it could conceivably be associated with some kind of "strict" mode, such that npx will only download a package if it is listed in the package/lock file. This would also solve the issue: #9 (comment).
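Until npx offers such a mode, the "strict" behaviour suggested above can be approximated in a wrapper using the documented `--no-install` flag. The following is an added example, not npx code, with hypothetical function names; it assumes the package is already installed locally, that the binary name equals the package name, and that the lock data follows npm's package-lock.json layouts.

```javascript
// Added example (hypothetical helper names, not part of npx).
// Assumption: the lock data follows npm's package-lock.json layouts:
//   lockfileVersion 1:    { dependencies: { "<name>": { version } } }
//   lockfileVersion 2, 3: { packages: { "node_modules/<name>": { version } } }
const own = (obj, key) =>
  obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

// Split "name@version", keeping the leading "@" of a scoped package name.
function parseSpec(spec) {
  const at = spec.indexOf('@', 1);
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Exact version pinned for a top-level package, or null if it is not locked.
function lockedVersion(lock, name) {
  const entry = own(lock.packages, `node_modules/${name}`) || own(lock.dependencies, name);
  return entry && typeof entry.version === 'string' ? entry.version : null;
}

// Build the npx argv for a pinned package; throw instead of downloading.
function strictNpxArgs(lock, spec, commandArgs = []) {
  const { name, version } = parseSpec(spec);
  const pinned = lockedVersion(lock, name);
  if (pinned === null) {
    throw new Error(`${name} is not in the lock file; refusing to run it`);
  }
  if (version !== null && version !== pinned) {
    throw new Error(`${name}@${version} requested, but the lock file pins ${pinned}`);
  }
  // --no-install: run only what is already installed, never fetch.
  // Assumption: the binary name equals the package name.
  return ['npx', '--no-install', name, ...commandArgs];
}

// Constructed sample lock data (the version number is made up).
const sampleLock = {
  lockfileVersion: 2,
  packages: { 'node_modules/webpack': { version: '4.44.1' } },
};
```

A floating tag such as `webpack@latest` is rejected here because it does not equal the pinned version string.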

[FEATURE] Offline cache

What / Why

Running npx is easier than npm install --global but when I'm offline it doesn't work. I'd love to have a cache!

When

Always.

Where

  • n/a

How

Just use a cache if it's available.

Current Behavior

npx only works when you're online

Expected Behavior

npx should work when I'm offline as long as I've run the command once while being online (because cache)

Who

  • n/a

References

  • n/a

[FEATURE] Support running npx in a specified directory (like npm --prefix)

What / Why

Being able to run npx from a parent folder would be more practical for a project with multiple sub projects.

How

Current Behavior

Currently it can be done in npm with npm --prefix path/to/dir run install.

Expected Behavior

It could run the same as npm does, ie npx --prefix path/to/sub yarn install.

References

It was a requested feature before under zkat.
zkat/npx#226

npx -n on Windows broken since cmd-shim 3.x

Since npm updated cmd-shim to v3.x (npm v6.11.0) it is no longer possible to pass node args to a pre-installed package via --node-arg/-n with Windows cmd.

This is due to the regex in findNodeScript() no longer matching the updated shims over here:

npx/index.js

Line 357 in 43d68c8

const cmd = /"%~dp0\\node\.exe"\s+"%~dp0\\(.*)"\s+%\*/

Reproduction steps

A simple example:

npm i uuid
npx -n -c uuid

This fails with:

ERROR: --node-arg/-n can only be used on packages with node scripts.

`npx -p .. -c ''` fails without package.json present in working directory

What / Why

npx create-react-app test works as expected but npx -p create-react-app -c "create-react-app test" will fail with the following error:

→ npx -p create-react-app -c "create-react-app test"
Command failed: /Users/codonnell/.nvm/versions/node/v12.16.1/bin/node /Users/codonnell/.nvm/versions/node/v12.16.1/lib/node_modules/npx/node_modules/npm/bin/npm-cli.js run env --parseable
npm ERR! path /Users/codonnell/Sites/package.json
npm ERR! code ENOENT
npm ERR! errno -2
npm ERR! syscall open
npm ERR! enoent ENOENT: no such file or directory, open '/Users/codonnell/Sites/package.json'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/codonnell/.npm/_logs/2020-04-12T16_16_14_116Z-debug.log

This is a contrived example to display the issue. The real issue arose for me when attempting to run a yeoman generator, which requires 2 dependencies, hence the need to run with -p.

npx -p yo -p generator-codfish -c 'yo codfish'

Details

codonnell in ~/Sites
→ pwd
/Users/codonnell/Sites
  • using nvm to install node (and in turn npm/npx)
→ nvm --version
0.35.0

→ node -v
v12.16.1

→ npm -v
6.13.4

→ npx -v
10.2.2

When

  • Every time, consistently

Where

  • local machine

How

Current Behavior

  • Fails immediately with above error

When I run the same command in a directory with a package.json it works as expected. It does NOT mutate the package.json and doesn't install any modules in that directory, which is to be expected. However, it's still failing unless you actually have a package.json file in the cwd.

Steps to Reproduce

  • Run npx with -p & -c options to run a cli instead of just running directly
  • Run this inside of a directory without a package.json

Expected Behavior

  • Expect it to be able to just install dependencies the way npx normally would. Then run the command
  • Should not fail because it doesn't find a package.json in the working directory

Who

  • n/a

References

  • n/a

How to check if command failed?

When running npx, how can I tell if the command failed?

My specific use case is:

npx webdriver-manager update

This command fails frequently, but try enough times and it will eventually succeed. However npx seems to succeed regardless of whether the command succeeded or not, so how can I tell if webdriver-manager update was successful or not?

The end goal is to put this in a Jenkinsfile wrapped in a retry step, but that doesn't work if npx always "succeeds", so I have to indicate if the command failed in some other way.

I asked my question on StackOverflow, but I wasn't getting a response.
