checks which modules you have used in your code and then makes sure they are listed as dependencies in your package.json, or vice-versa
dependency-check 5.x
supports Node.js 12 and later
dependency-check 4.x
supports Node.js 10 and later
dependency-check 3.x
supports Node.js 6 and later
dependency-check 2.x
supports Node.js 0.10 and later (Dev note: published using the legacy
tag)
For more info on maintenance status, see SECURITY.md.
dependency-check
parses your module code starting from the default entry files (e.g. index.js
or main
and any bin
commands defined in package.json or if specific files has been defined, then those) and traverses through all relatively required JS files, ultimately producing a list of non-relative modules
require('./a-relative-file.js')
, if one of these are encountered the required file will be recursively parsed by the dependency-check
algorithmrequire('a-module')
, if one of these are encountered it will get added to the list of dependencies, but sub-dependencies of the module will not get recursively parsedthe goal of this module is to simply check that all non-relative modules that get require()
'd are in package.json, which prevents people from getting 'module not found' errors when they install your module that has missing deps which was accidentally published to NPM (happened to me all the time, hence the impetus to write this module).
$ npm install dependency-check -g
$ dependency-check <path to module file(s), package.json or module folder>
# e.g.
$ dependency-check ./package.json --verbose
Success! All dependencies used in the code are listed in package.json
Success! All dependencies in package.json are used in the code
$ dependency-check ./package.json --missing --verbose
Success! All dependencies used in the code are listed in package.json
$ dependency-check ./package.json --unused --verbose
Success! All dependencies in package.json are used in the code
# or with file input instead:
$ dependency-check ./index.js
# even with globs and multiple inputs:
$ dependency-check ./test/**/*.js ./lib/*.js
dependency-check
exits with code 1 if there are discrepancies, in addition to printing them out
To always exit with code 0 pass --ignore
running dependency-check ./package.json --missing
will only do the check to make sure that all modules in your code are listed in your package.json
running dependency-check ./package.json --unused
will only do the inverse of the missing check and will tell you which modules in your package.json dependencies were not used in your code
running dependency-check ./package.json --unused --no-dev
will not tell you if any devDependencies in your package.json were missing or unused
running dependency-check ./package.json --unused --no-peer
will not tell you if any peerDependencies in your package.json were missing or unused
ignores a module. This works for both --unused
and --missing
. You can specify as many separate --ignore-module
arguments as you want. For example running dependency-check ./package.json --unused --ignore-module foo
will not tell you if the foo
module was not used in your code. Supports globbing patterns through the use of micromatch, so eg. --ignore-module "@types/*" is possible
running eg. dependency-check package.json tests.js --no-default-entries
won't add any default entries despite the main path given being one to a package.json or module folder. So only the tests.js
file will be checked
running dependency-check ./package.json -e js,jsx:precinct
will resolve require paths to .js
and .jsx
paths, and parse using precinct
.
running dependency-check ./package.json --detective precinct
will require()
the local precinct
as the default parser. This can be set per-extension using using -e
. Defaults to parsing with detective
.
formats the output as a json object
running with --verbose
will enable a log message on success, otherwise dependency-check only logs on failure.
shows above options and all other available options
add this to your .bash_profile
/.bashrc
# originally from https://gist.github.com/mafintosh/405048d304fbabb830b2
npm () {
([ "$1" != "publish" ] || dependency-check .) && command npm "$@"
}
now when you do npm publish
and you have missing dependencies it won't publish, e.g.:
$ npm publish
Fail! Dependencies not listed in package.json: siblings
$ npm install --save siblings
$ npm publish # works this time
require()
statements, which means it only does static requires. this means you should convert things like var foo = "bar"; require(foo)
to be static, e.g. require("bar")
5.6.2 元素的dependency-check属性 Autowiring策略并不是***的,因为受管Bean所需要的协作者可能没有如期找到。为了确认协作者是否找到,即完成依赖性检查,我们可以启用暴露的dependency-check属性。表5-2详细给出了dependency-check属性的具体含义。 表5-2 dependency-check属性 dependency-check属性值
工具下载地址: https://github.com/jeremylong/DependencyCheck 点击Releases…下载 https://owasp.org/www-project-dependency-check/ 点击Command Line下载 检测方式: 默认方式 下载解压后进入bin文件夹,在windows系统下执行命令: dependency-check.bat --di
Jenkins DependencyCheck插件扫描Node.js程序 问题1 Unable to read yarn audit output. [DependencyCheck] [ERROR] NodeAuditAnalyzer failed on xxx/package-lock.json - yarn.lock was found; if package-lock.json was g
依赖检查要和自动装配结合使用,没有自动装配也就没有检查的必要了。 <bean id ="HelloWorld" class="com.jnotnull.HelloWorld" autowire="autodectect" dependency-check="none"> dependency-check有四个值:none,simple,object,all。默认不检查 1 none
需要使用哪些标签就要添加哪些jar包(动态web工程需要下载jar包,maven工程添加依赖(依赖都在MVN)) 例如: 1、junit 该依赖是针对于单元测试 junit junit 4.11 test 2、针对于servlet的依赖 javax.servlet javax.servlet-api 4.0.1 provided 3、针对标签库的依赖(JSTL java stantard tag
今天在配置bean的时候,Myeclipse中'dependency-check' 处出现红叉, 基本内容是: 'dependency-check' is not allowed to appear in element 'bean' 百度不到,于是自己想了下,我用的是 xsi:schemaLocation="http://www.springframework.org/schem
首先,这三个maven的pom文件标签都是用来进行包管理的 势力范围由dependencyManagement>dependencies>dependency依次减弱,并且每个标签都是上一个标签的下级。 dependencyManagement:管理依赖版本号 通常会在一个组织或者项目的最顶层的父pom中看到dependencyManagement 使用pom.xml中的dependencyMan
#pragma once // Apr 21th, 2009 - liusiyang // #ifdef _ANTIDEBUG // .. #define JUNK_CODE_ONE \ __asm {push eax} \ __asm {xor eax, eax} \ __asm {setpo al} \ __asm
在利用pom管理引用包时,如果是单项目的话就直接在dependencies引用了,若有一个大工程项目里面包含多个子模块,则为了所有项目模块包的版本统一和好管理,则需要用到dependencyManagement,但两者使用场景有所区别。 1.dependencies:自动引入声明在dependencies里的所有依赖,并默认被所有的子项目继承。如果项目中不写依赖项,则会从父项目 继承(属性全部继承
安装 Maven Repository Elasticsearch Java API包已经上传到 Maven Central 在pom.xml文件中增加: transport 版本号最好就是与Elasticsearch版本号一致。 <dependency> <groupId>org.elasticsearch.client</groupId> <artifactId>transpo
Dependency-Check 是一个软件组成分析(SCA)工具,它试图检测项目的依赖关系中包含的公开披露的漏洞。它通过确定一个给定的依赖关系是否有一个通用平台枚举(CPE)标识符来实现这一目标。如果发现,它将生成一份报告,链接到相关的CVE条目。 Dependency-check 有一个命令行界面,一个Maven插件,一个Ant任务,以及一个Jenkins插件。核心引擎包含一系列分析器,用于检
每个基于Java的应用程序都有一些对象可以协同工作,以呈现最终用户所看到的工作应用程序。 在编写复杂的Java应用程序时,应用程序类应尽可能独立于其他Java类,以增加重用这些类的可能性,并在单元测试时独立于其他类测试它们。 依赖注入(或称为布线)有助于将这些类粘合在一起,同时保持它们独立。 假设您有一个具有文本编辑器组件的应用程序,并且您想要提供拼写检查。 您的标准代码看起来像这样 - publ
Dependency Mediator,与Karaf 和其他轻量级模块化技术(类似 osgi,类名不需要是唯一的,但是类名组合和他们定义的 ClassLoader 必须是唯一的)不同,Dependency Mediator 尝试在编译期诊断组件依赖冲突问题,而不是使用自定义的 ClassLoader 来保持不同版本组件的一致性,因此可以有效避免一些臭名昭著的运行期兼容性错误,例如 NoSuchM
Dependency Walker 是 Microsoft Visual C++ 中提供的非常有用的 PE 模块依赖性分析工具。 主要功能如下: 查看 PE 模块的导入模块。 查看 PE 模块的导入和导出函数。 动态剖析 PE 模块的模块依赖性。 解析 C++ 函数名称。
Dependency Combobulator 是一个开源的、模块化的、可扩展的框架,用于检测和防止依赖混淆的泄漏和潜在的攻击。这有利于采用整体方法来确保安全的应用程序发布,可以针对不同的来源(如 GitHub 包、JFrog Artifactory)和不同的包管理方案(如 ndm、maven)进行评估。 目标受众 该框架可供安全审计员、渗透测试员使用,甚至可以自动融入企业的应用安全程序和发布周期