slushjs / gulp-install
Automatically install npm and bower packages if package.json or bower.json is found in the gulp file stream respectively
License: MIT License
Npm 5.7 gives us `npm ci`, which can be a much faster alternative to `npm install`. It would be great if gulp-install supported this or else allowed overriding the base command arg for npm. Thanks.
I saw in the readme that you can pipe a dest in the "slushfile.js". Is that also possible in a gulpfile.js? In my project we need to build the modules outside of the build folder to avoid rebuilding the modules every build.
When running gulp-install via an npm script, it changes the PATH to include the location of Node's install, which is c:\program files. The `which` command will find the full path in Program Files, but spawn has trouble with the space. If just npm.cmd is used instead of the full path, then it does work.
I am working on a Serverless project that has lots of separately deployable components. Each of these components has their own package.json file. I created a gulp task that uses gulp-install to install dependencies for all of the modules in one go. However this only worked until we reached the magic limit of 17 package.json files. When this happens gulp-install will stop installing packages but will not produce any error message to indicate that something went wrong.
Hi,
It would be great if we could pass this in. I work in a corporate environment behind a firewall, so we can't access the real npm repo and instead have an internal proxy.
I can pass the repo to npm on the command line, so it would be very useful to be able to specify this for gulp-install too.
Check out https://github.com/Definitelytyped/tsd and you will see it says:
"DEPRECATED: TSD is deprecated, please use Typings and see this issue for more information."
Can you please add `typings install` to install modules from typings.json?
https://github.com/typings/typings
First of all, very useful package; Good work 👍
The issue:
When the program lists "dependent modules", it treats commented-out `require` statements and JSON loading (`require('./list.json')`) as dependent packages; this shouldn't happen.
I'm getting problems using yarn with a private package manager.
My code:

```javascript
install() {
  let gulp = this.gulp;
  gulp.task('install', function () {
    return gulp
      .src(['./package.json', './yarn.lock', './.npmrc'])
      .pipe(gulp.dest('./build/'))
      .pipe(install({
        commands: {
          'package.json': 'yarn'
        },
        yarn: ['--verbose', '--production']
      }));
  });
  return this;
}
```

.npmrc file:

```
registry=http://{internalServer}
//{internalServer}/:_authToken={Token}
//{internalServer}/:always-auth=true
```

When the pipeline in GitlabCI runs, I get this error:

```
error An unexpected error occurred: "http://{internalServer}/buffer/-/buffer-4.9.1.tgz: Request failed \"403 Forbidden\"".
```

Then running yarn in verbose mode, I can see that it recognizes the .npmrc file:

```
verbose 0.577 Found configuration file "/{path-to-my-module}/build/.npmrc"
verbose 0.578 Found configuration file "/{path-to-my-module}/.npmrc".
```

Any help is appreciated
When you want to have a clean package, you must put the dev tool list and versions in devDependencies in your package.json, for example:

```json
"devDependencies": {
  "gulp": "^3.8.8",
  "bower": "^1.8.0"
}
```

However, node-which, which is used to check if the binary is present, doesn't check in this folder, since ./node_modules/.bin/ is unlikely to be in your PATH.
A workaround is to run with a prefixed export like this:

```sh
PATH=$PATH:./node_modules/.bin/ ./node_modules/.bin/gulp
```

But I think it would be a better solution to check in ./node_modules/.bin/
My botfiles DO, however, contain the package.json file:

```json
{
  "name": "botfiles",
  "version": "1.0.1",
  "description": "config and data files for lambda bot"
}
```
the title says it all
#40
The gulp team recommends migrating away from gulp-util using the guidelines in the article below:
Please support jspm install through the command `jspm install`.
When I do `--skip-install`, I don't see the logging I should see when looking at the code https://github.com/klei/gulp-install/blob/master/index.js#L35.
Using the sample slushfile here, the `.on('end', function () {...})` never gets called. When I take out the install plugin it works.
Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
```
debug <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/debug
  mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/diff
  mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

dot-prop <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/dot-prop
  compare-func <=1.3.4
  Depends on vulnerable versions of dot-prop
  node_modules/compare-func
    conventional-changelog-angular 0.0.1 - 5.0.10
    Depends on vulnerable versions of compare-func
    node_modules/conventional-changelog-angular
      conventional-changelog 1.0.0 - 2.0.3
      Depends on vulnerable versions of conventional-changelog-angular
      Depends on vulnerable versions of conventional-changelog-core
      Depends on vulnerable versions of conventional-changelog-jshint
      node_modules/conventional-changelog
        standard-version <=5.0.2 || 7.1.0
        Depends on vulnerable versions of conventional-changelog
        Depends on vulnerable versions of yargs
        node_modules/standard-version
    conventional-changelog-jshint <=2.0.7
    Depends on vulnerable versions of compare-func
    node_modules/conventional-changelog-jshint
    conventional-changelog-writer <=4.0.16
    Depends on vulnerable versions of compare-func
    Depends on vulnerable versions of meow
    node_modules/conventional-changelog-writer
      conventional-changelog-core <=4.2.1
      Depends on vulnerable versions of conventional-changelog-writer
      Depends on vulnerable versions of conventional-commits-parser
      Depends on vulnerable versions of git-raw-commits
      Depends on vulnerable versions of git-semver-tags
      node_modules/conventional-changelog-core

growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/growl
  mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mem
  os-locale 2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/yargs
      standard-version <=5.0.2 || 7.1.0
      Depends on vulnerable versions of conventional-changelog
      Depends on vulnerable versions of yargs
      node_modules/standard-version

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mkdirp/node_modules/minimist
  mkdirp 0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
    mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of diff
    Depends on vulnerable versions of growl
    Depends on vulnerable versions of mkdirp
    node_modules/mocha

trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/conventional-recommended-bump/node_modules/trim-newlines
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/trim-newlines
node_modules/xo/node_modules/trim-newlines
  meow 3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/conventional-recommended-bump/node_modules/meow
  node_modules/get-pkg-repo/node_modules/meow
  node_modules/meow
  node_modules/xo/node_modules/meow
    conventional-changelog-writer <=4.0.16
    Depends on vulnerable versions of compare-func
    Depends on vulnerable versions of meow
    node_modules/conventional-changelog-writer
      conventional-changelog-core <=4.2.1
      Depends on vulnerable versions of conventional-changelog-writer
      Depends on vulnerable versions of conventional-commits-parser
      Depends on vulnerable versions of git-raw-commits
      Depends on vulnerable versions of git-semver-tags
      node_modules/conventional-changelog-core
        conventional-changelog 1.0.0 - 2.0.3
        Depends on vulnerable versions of conventional-changelog-angular
        Depends on vulnerable versions of conventional-changelog-core
        Depends on vulnerable versions of conventional-changelog-jshint
        node_modules/conventional-changelog
          standard-version <=5.0.2 || 7.1.0
          Depends on vulnerable versions of conventional-changelog
          Depends on vulnerable versions of yargs
          node_modules/standard-version
    conventional-commits-parser 2.1.5 - 3.0.8
    Depends on vulnerable versions of meow
    node_modules/conventional-commits-parser
    git-raw-commits 1.3.4 - 2.0.3
    Depends on vulnerable versions of meow
    node_modules/git-raw-commits
    git-semver-tags 1.3.4 - 3.0.1
    Depends on vulnerable versions of meow
    node_modules/git-semver-tags
    xo 0.10.0 - 0.32.0
    Depends on vulnerable versions of meow
    node_modules/xo

yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/yargs-parser
  yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    standard-version <=5.0.2 || 7.1.0
    Depends on vulnerable versions of conventional-changelog
    Depends on vulnerable versions of yargs
    node_modules/standard-version

24 vulnerabilities (7 low, 15 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References:
[1] 2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/
[2] 2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit
This is with:
Gulp 3.9.1
Node 4.7.3
Gulp-install 0.6.0
Windows 10

We have a directory structure like this:

```
+ui
+src
+elements
+bower_components
+ai-common-elements
+ai-auth
+ai-menu
.bowerrc
bower.json
+ai-shell
.bowerrc
bower.json
```

Where each entry prefixed with `+` is a folder. Every .bowerrc file specifies the install directory for bower to be the ui/src/elements/bower_components folder, so we can maintain consistent relative paths between all folders.
The problem is that using the `**` wildcard in src globs doesn't work:

```javascript
// immediately finishes, does nothing
return gulp.src('./ui/src/elements/**')
  .pipe(install());

// also immediately finishes, doing nothing
return gulp.src('./ui/src/elements/**/bower.json')
  .pipe(install());

// this works, but I'd rather not have to continually update this glob array every time we create
// a new element
return gulp.src([
    './ui/src/elements/ai-common-elements/bower.json',
    './ui/src/elements/ai-shell/bower.json'
  ])
  .pipe(install());
```
Hello,
I've just installed this lib to be able to install deps programmatically, so I have a package.json file that will be used to install my deps, but I always get an error (even if I uninstall and then re-install everything):

```
[18:00:58] 'cordova:create' errored after 3.4 ms
[18:00:58] Error: Cannot find module './lib/_stream_transform.js'
    at Function.Module._resolveFilename (module.js:336:15)
    at Function.Module._load (module.js:278:25)
    at Module.require (module.js:365:17)
    at require (module.js:384:17)
    at Object.<anonymous> (/Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/node_modules/readable-stream/transform.js:1:80)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Module.require (module.js:365:17)
    at require (module.js:384:17)
    at Object.<anonymous> (/Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/through2.js:1:79)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
```

I've taken a look inside /Users/iJhon/Sites/iland/ecs-portal/node_modules/gulp-cordova-create/node_modules/through2/node_modules/readable-stream/lib and it seems that some of the files are missing. I've tried with another lib, and again, some files are missing... Most of the time it's the deps of the plugin that are missing.
But if I install the gulp-cordova-create lib manually with npm, it works well. Only if I install it with this lib does it not install all the files/deep deps (weird...).
Any ideas?
Thanks.
Why does gulp-install not break on error when bower/npm fails (https://github.com/slushjs/gulp-install/blob/master/index.js#L46)?
If dependencies are not installed, what is the point of continuing the build?
Hi,
gulp-util is deprecated. It should be replaced by dependencies on the individual components used by gulp-install. The README lists alternatives for the different components.
See gulpjs/gulp#2065
Would be nice if we could provide a callback to run once modules have been installed. I understand it might be difficult because you are spawning a new process for this. But it would be a great addition if possible
Currently it's not possible to have a single-file configuration for frontend projects. If you use gulp and need package management, you have at least two configuration files.
What about passing a JavaScript object to gulp-install instead of referencing an external file?
It could look like this:

```json
{
  "package.json": {
    "name": "my-project",
    "version": "1.0.0",
    "author": "Your Name <[email protected]>",
    "license": "MIT"
  },
  "requirements.txt": [
    "some-framework==0.9.4",
    "another-library>=0.2"
  ]
}
```
Any idea for supporting yarn?
I see that with the help of the "gulp-install" library we can install all libraries which are mentioned in package.json, something like this:

```javascript
var install = require("gulp-install");
gulp.src(['./package.json'])
  .pipe(install());
```

But I couldn't find a way to install a specific library. Please let us know if there is any way to achieve this.
Currently gulp-install only supports a few arguments like --production and --ignore-scripts.
It would be helpful to have a generic option like "args" to pass in other arguments that are supported by npm install.
I've been using this package to do `npm install`, and I would like to run it without displaying the summary at the end of the run. I've tried adding `--silent` and `--quiet` to the `args` option, but the summary of the installed packages is always written to the output.
Thanks for creating and maintaining this package!
I'm trying to call install like this:

```javascript
.pipe(install({production: true, args: ['--registry', 'https://npm-proxy.fury.io/foobar/']}));
```

It doesn't work because gulp-install turns 'https://npm-proxy.fury.io/foobar/' into '--https://npm-proxy.fury.io/foobar/'.
Can this auto-prepending of '--' to args be removed?
On our CI server, our app is built and run (naturally enough) with the NODE_ENV of 'test'. This causes the gulp-install plugin to stop functioning because it thinks it's running its own tests. 'test' and 'testing' are probably pretty common NODE_ENV values for CI server environments, so it might be a good idea to use something more specific as a flag. Maybe GULP_INSTALL_TEST?
Thanks for the plugin. Worked great while it was running on a single package.json. With more than one package.json it runs `npm install` on the first folder the number of times a package.json file is found... and the other directories containing a package.json don't get their dependencies installed.
https://docs.npmjs.com/misc/config#loglevel
Some modules output way too much information. If I could set the loglevel to "silent" it would be amazing :)
Hi!
Great plugin! Big thanks for developing it!
What I want to ask - is there any plan to release a stable version?