slushjs / gulp-install Goto Github PK

See slush-angular issue #14.

Npm 5.7 gives us npm ci which can be a much faster alternative to npm install. It would be great if gulp-install supported this or else allowed overriding the base command arg for npm. Thanks.

I saw in the readme that you can pipe a dest in the "slushfile.js". Is that also possible in a gulpfile.js? In my project we need to build the modules outside of the build folder to avoid rebuilding the modules every build.

code snippet

When running gulp-install via npm script it changes the path to include the location of node's install, which is c:\program files, the which command will find the full path in program files, but spawn has trouble with the space. If instead of the full path if just npm.cmd is used then it does work.

I am working on a Serverless project that has lots of separately deployable components. Each of these components has their own package.json file. I created a gulp task that uses gulp-install to install dependencies for all of the modules in one go. However this only worked until we reached the magic limit of 17 package.json files. When this happens gulp-install will stop installing packages but will not produce any error message to indicate that something went wrong.

Hi,

It would be great if we could pass this in - I work in an corporate environment behind a firewall so we can't access the real npm repo and instead have an internal proxy,

I can pass the repo to npm on the command line....it would be very useful to be able to specify this for gulp-install too.

Check out https://github.com/Definitelytyped/tsd and you will see it says:

"DEPRECATED: TSD is deprecated, please use Typings and see this issue for more information."

Can you please add typings install to install modules from typings.json to be installed?
https://github.com/typings/typings

First of all, very useful package; Good work 👍

The issue:
When the program list "dependent modules", it treats commented require-s statements, and JSON loading processes ("require('./list.json')") as dependent packages - this shouldn't happen.

I'm getting problems using yarn with private package manager

My code:

install() {
    let gulp = this.gulp;
    gulp.task('install', function () {
        return gulp
            .src(['./package.json', './yarn.lock', './.npmrc'])
            .pipe(gulp.dest('./build/'))
            .pipe(install({
              commands: {
                'package.json': 'yarn'
              },
              yarn: ['--verbose', '--production']
            }));
    });
    return this;
}

.npmrc file:

registry=http://{internalServer}
//{internalServer}/:_authToken={Token}
//{internalServer}/:always-auth=true

When the pipeline in GitlabCI runs, I got this error:

error An unexpected error occurred: "http://{internalServer}/buffer/-/buffer-4.9.1.tgz: Request failed \"403 Forbidden\"".

Then running yarn with verbose mode, I can see that it recognize the .npm file

verbose 0.577 Found configuration file "/{path-to-my-module}/build/.npmrc"
verbose 0.578 Found configuration file "/{path-to-my-module}/.npmrc".

Any help is appreciated

When you want to have a clean package, you must put dev tool list and version in devDependencies in your package.json, for example :

  "devDependencies": {
    "gulp": "^3.8.8",
    "bower": "^1.8.0"
  }

However, node-which which is used to check if the binary is present doesn't check in this folder since ./node_modules/.bin/ is unlikely to be in your path.

A workaround is to run with a prefixed export like this :

PATH=$PATH:./node_modules/.bin/ ./node_modules/.bin/gulp

But I think it would be a better solution to check in .node_modules/.bin/

My botfiles DO however, contain the package.json file:

{
"name": "botfiles",
"version": "1.0.1",
"description": "config and data files for lambda bot"
}

the title says it all
#40

The gulp team recommends upgrading migrating away from gulp-util using the guidelines in the article below:

https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5

please support jspm install through command jspm install

When I do --skip-install, I don't see the logging I should see when looking at the code https://github.com/klei/gulp-install/blob/master/index.js#L35.

Using the sample slushfile here, the .on('end', function () {...}) never gets called. When I take out the install plugin it works.

Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:

npm audit report

debug <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

dot-prop <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/dot-prop
compare-func <=1.3.4
Depends on vulnerable versions of dot-prop
node_modules/compare-func
conventional-changelog-angular 0.0.1 - 5.0.10
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-angular
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
Depends on vulnerable versions of conventional-changelog-core
Depends on vulnerable versions of conventional-changelog-jshint
node_modules/conventional-changelog
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
conventional-changelog-jshint <=2.0.7
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-jshint
conventional-changelog-writer <=4.0.16
Depends on vulnerable versions of compare-func
Depends on vulnerable versions of meow
node_modules/conventional-changelog-writer
conventional-changelog-core <=4.2.1
Depends on vulnerable versions of conventional-changelog-writer
Depends on vulnerable versions of conventional-commits-parser
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core

growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/yargs
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/conventional-recommended-bump/node_modules/trim-newlines
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/trim-newlines
node_modules/xo/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/conventional-recommended-bump/node_modules/meow
node_modules/get-pkg-repo/node_modules/meow
node_modules/meow
node_modules/xo/node_modules/meow
conventional-changelog-writer <=4.0.16
Depends on vulnerable versions of compare-func
Depends on vulnerable versions of meow
node_modules/conventional-changelog-writer
conventional-changelog-core <=4.2.1
Depends on vulnerable versions of conventional-changelog-writer
Depends on vulnerable versions of conventional-commits-parser
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
Depends on vulnerable versions of conventional-changelog-core
Depends on vulnerable versions of conventional-changelog-jshint
node_modules/conventional-changelog
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
conventional-commits-parser 2.1.5 - 3.0.8
Depends on vulnerable versions of meow
node_modules/conventional-commits-parser
git-raw-commits 1.3.4 - 2.0.3
Depends on vulnerable versions of meow
node_modules/git-raw-commits
git-semver-tags 1.3.4 - 3.0.1
Depends on vulnerable versions of meow
node_modules/git-semver-tags
xo 0.10.0 - 0.32.0
Depends on vulnerable versions of meow
node_modules/xo

yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/yargs
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version

24 vulnerabilities (7 low, 15 high, 2 critical)

To address all issues (including breaking changes), run:
npm audit fix --force

Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:

1. Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].

Steps to reproduce:

• Go to the root folder of the project where the package.json file located
• Execute “npm audit”
• Look at the list of vulnerabilities reported

Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.

References:
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.

This is with:
Gulp 3.9.1
Node 4.7.3
Gulp-install 0.6.0
Windows 10

We have a directory structure like this:

+ui
    +src
        +elements
            +bower_components
            +ai-common-elements
                +ai-auth
                +ai-menu
                .bowerrc
                bower.json
            +ai-shell
                .bowerrc
                bower.json

Where each entry prefixed with + is a folder. Every .bowerrc file specifies the install directory for bower to be the ui/src/elements/bower_components folder, so we can maintain consistent relative paths between all folders.

The problem is that using the ** wildcard in src globs doesn't work:

// immediately finishes, does nothing
return gulp.src('./ui/src/elements/**')
    .pipe(install());

// also immediately finishes, doing nothing
return gulp.src('./ui/src/elements/**/bower.json')
    .pipe(install());

// this works, but I'd rather not have to continually update this glob array every time we create
// a new element
return gulp.src([
        './ui/src/elements/ai-common-elements/bower.json',
        './ui/src/elements/ai-shell/bower.json'
    ])
    .pipe(install());

Hello,

I've just install this lib to be able to install deps programatically, so i've a package.json file that will be used to install my deps, but i have always an error (even if i uninstall then re-install everything) :

[18:00:58] 'cordova:create' errored after 3.4 ms
[18:00:58] Error: Cannot find module './lib/_stream_transform.js'
    at Function.Module._resolveFilename (module.js:336:15)
    at Function.Module._load (module.js:278:25)
    at Module.require (module.js:365:17)
    at require (module.js:384:17)
    at Object.<anonymous> (/Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/node_modules/readable-stream/transform.js:1:80)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Module.require (module.js:365:17)
    at require (module.js:384:17)
    at Object.<anonymous> (/Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/through2.js:1:79)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)

I've taken a look inside the /Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/node_modules/readable-stream/lib and it seems that there is some of the files missing. I've tried with other lib, and again, some files are missing... Most of the times its the deps of the plugin that is missing.

But if i install the gulp-cordova-create lib manually with npm, it works well. Only if i install it with this lib it doesn't install all the files/deep deps (weird...).

Any ideas ?

Thanks.

Why gulp-install do not break on error, when bower/npm fails - https://github.com/slushjs/gulp-install/blob/master/index.js#L46 ?

If dependencies are not installed, what is the point to continue build?

Hi,
gulp-util is deprecated. It should be replaced by dependencies on the individual components used by gulp-install. The README lists alternatives for the different components.

See gulpjs/gulp#2065

Would be nice if we could provide a callback to run once modules have been installed. I understand it might be difficult because you are spawning a new process for this. But it would be a great addition if possible

Currently it's not possible to have a single-file configuration for frontend projects. If you use gulp and need package management, you have at least two configuration files.

What about passing a Javascript object to gulp-install instead of referencing an external file?

It could look like this:

{
  "package.json": {
    "name": "my-project",
    "version": "1.0.0",
    "author": "Your Name <[email protected]>",
    "license": "MIT"
  },
  "requirements.txt": [
    "some-framework==0.9.4",
    "another-library>=0.2"
  ]
}

Any idea for support yarn?

I see with the help of "gulp-install" library we can install all libraries which are mentioned in package.json. Something like this.

var install = require("gulp-install");
gulp.src(['./package.json']) .pipe(install());

But I couldn't find a way to install a specific library. Please let us know if there is anyway for this to achieve.

Currently gulp-install only supports a few arguments like --production and --ignore-scripts.

It would be helpful to have a generic option like "args" to pass in other arguments that are supported by npm install.

I've using this package to do npm install, and I would like to run it without displaying the summary at the end of the run. I've tried to add --silent and --quiet to the args option, but the summary of the installed packages are always written to the output.

Thanks for creating and maintaining this package!

I'm trying to call install like this:
.pipe(install({production: true, args: ['--registry', 'https://npm-proxy.fury.io/foobar/'}));
doesn't work because gulp-install turn 'https://npm-proxy.fury.io/foobar/' into '--https://npm-proxy.fury.io/foobar/'.

Can this auto-prepend of '--' to args be removed?

On our CI server, our app is built and run (naturally enough) with the NODE_ENV of 'test'. This causes the gulp-install plugin to stop functioning because it thinks it's running its own tests. 'test' and 'testing' are probably pretty common NODE_ENV values for CI server environments, so it might be a good idea to use something more specific as a flag. Maybe GULP_INSTALL_TEST?

Thanks for the plugin. Worked great while it was running on a single package.json. With more than one package.json it runs npm install on the first folder the number of times a package.json file is found... and the other directories containing a package.json don't get their dependencies installed.

https://docs.npmjs.com/misc/config#loglevel

Some modules output way too much information. If I could set the loglevel to "silent" would be amazing :)

Hi!
Great plugin! Big thanks for developing it!

What I want to ask - is there any plan to release a stable version?