Making package.json and installing a package

This post explains what package.json is, how to create it, and how to install a package into a project. It also covers the vulnerability warnings npm shows when installing a package.



1. What is package.json?

  • If you add the packages needed for a service or application one by one, you will soon have hundreds of packages. Each package you use has its own version, so you need to record it somewhere. Even for the same package, functionality may differ between versions, so if you do not install the same versions when setting up the project again, problems may occur. The file that manages the versions of the installed packages is package.json.
  • Therefore, before starting a Node project, you should always start by creating a package.json file inside the project folder.


2. Making package.json

  • Make the package.json by entering this command in the console: npm init
$ npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (npmtest) npmtest
version: (1.0.0) 0.0.1
description: This is npm test.
entry point: (index.js) 
test command: 
git repository: 
keywords: 
author: Anchubby
license: (ISC) 
About to write to /Users/taehyeonkim/Desktop/npmtest/package.json:

{
  "name": "npmtest",
  "version": "0.0.1",
  "description": "This is npm test.",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Anchubby",
  "license": "ISC"
}


Is this OK? (yes) 
  • name: the name of the package.
  • version: the version of the package.
  • entry point: the entry point of the JavaScript program. Usually this is the file that sets module.exports last.
  • test command: the command to run when testing the code.
  • git repository: the address of the repository where the code is stored.
  • keywords: help other people find the package by searching for these keywords.
  • license: the license of this package.
    • ISC, MIT, BSD licenses: free to use as long as you indicate the package and license used.
    • Apache license: free to use, but it may include some patent-related limitations.
    • GPL license: be very careful when using this one; if you use a GPL package, your own package and source code must also be disclosed under the GPL.

  • After you run the npm init command, the following package.json file is created.
{
  "name": "npmtest",
  "version": "0.0.1",
  "description": "This is npm test.",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Anchubby",
  "license": "ISC"
}
  • The scripts section stores npm commands. If you enter npm run [script command] in the console, that script is executed. For example, if you run npm run test, echo "Error: no test specified" && exit 1 is executed: echo "Error: no test specified" prints the string to the console, and exit 1 exits with an error code.
$ npm run test
> npmtest@0.0.1 test
> echo "Error: no test specified" && exit 1

Error: no test specified
  • In addition to the test script, you can register and use multiple commands in the scripts property. Usually, people put node [file name] in the start script and run it with npm start.


3. Installing some package

  • To install a package, enter the following command in the same directory where package.json is located: npm install [package name]
  • It can be shortened to: npm i [package name]
  • Sometimes you see other blogs adding the "--save" option when installing packages. It was used in the past to add the package name to dependencies, but since npm@5 (2017) this is the default behaviour, so you don't need the "--save" option.
$ npm install express
added 69 packages, and audited 70 packages in 2s

14 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
  • Sometimes you will see WARN messages; you don't need to worry about those. ERROR is the one you need to worry about; WARN is just a warning.
  • The installed package is recorded in package.json.
{
  "name": "npmtest",

  ...

  "license": "ISC",
  "dependencies": {
    "express": "^4.21.2"
  }
}


4. Vulnerability

  • When you install packages you see either found 0 vulnerabilities or [number] [severity] severity vulnerability. npm automatically checks the installed packages against known vulnerabilities when installing them.
  • If a vulnerability is found, it is displayed as follows:
$ npm i faker

added 1 package, and audited 71 packages in 953ms

14 packages are looking for funding
  run `npm fund` for details

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
  • For your information, the faker package was corrupted by its own author, and if you install it, it will break your application. That is why the console shows "1 high severity vulnerability". It is a well-known case of a corrupted package, so you can read more about it in several articles. The current alternative is: npm i --save-dev @faker-js/faker
  • npm audit is a command that checks the installed packages for known vulnerabilities. If you enter npm audit fix, npm automatically fixes the vulnerabilities it is able to fix. It is recommended to run it periodically.
  • Delete the faker package and check that the project is clean again, as follows.
$ npm rm faker

removed 1 package, and audited 70 packages in 1s

14 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm audit

found 0 vulnerabilities
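As an added example (not code from the original post), here is a small Node.js script that reads the JSON form of the report npm audit prints and decides whether a build should fail. It assumes the npm v7+ report layout (auditReportVersion 2, a vulnerabilities map whose entries carry severity, isDirect and fixAvailable) and works on a constructed sample report modelled on the faker run above; the second package name and all versions in the sample are placeholders.

```javascript
// Added example, not from the original post: a small CI gate over the JSON that
// `npm audit --json` prints (npm v7+ report format, auditReportVersion 2).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// `fixAvailable` in the report is true, false, or an object naming the version to
// move to; turn it into the action a reviewer needs to take.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const base = `upgrade to ${fixAvailable.name}@${fixAvailable.version}`;
    return fixAvailable.isSemVerMajor ? `${base} (major bump: review before --force)` : base;
  }
  return 'no fix published: remove or replace the package';
}

// Return the vulnerable packages at or above `threshold`, most severe first.
function findings(report, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= minRank)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect), // true when it is listed in your own package.json
      fix: describeFix(v.fixAvailable),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}
// True when the build should fail: at least one finding at or above threshold.
function shouldFail(report, threshold = 'high') {
  return findings(report, threshold).length > 0;
}
// Constructed sample mirroring the post's `npm i faker` run (1 high severity), plus
// one moderate transitive finding. Package names and versions are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    faker: { name: 'faker', severity: 'high', isDirect: true, nodes: ['node_modules/faker'],
      fixAvailable: { name: 'faker', version: '5.5.3', isSemVerMajor: true } },
    'placeholder-transitive': { name: 'placeholder-transitive', severity: 'moderate',
      isDirect: false, nodes: ['node_modules/placeholder-transitive'], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

for (const f of findings(SAMPLE_REPORT, 'moderate')) {
  console.log(`${f.severity.toUpperCase()} ${f.name} (direct: ${f.direct}) -> ${f.fix}`);
}
console.log(shouldFail(SAMPLE_REPORT) ? 'FAIL: fix high/critical findings before merging' : 'OK');
```

To run it against a real project, replace SAMPLE_REPORT with the parsed output of npm audit --json.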



Next step

  • The next post is about how to manage packages with package.json.
