check-for-pinned-deps

0.0.4 • Public • Published

check-for-pinned-deps is a convenient Node.js CLI script designed to check for unpinned dependencies within your package.json.

It supports checking dependencies from the following fields:

🕰️ How it works

  1. Loops over the above-mentioned dependency fields in the package.json of the current working directory
  2. Checks each dependency's version value
    • a valid exact semver pattern such as 1.2.3 or 4.5.6.alpha counts as pinned
    • URLs (or GitHub repositories) must contain a commitish string or a semver string to count as pinned
    • file: version values are marked as pinned
  3. Exits with
    • 0 if all dependencies are pinned
    • 1 if unpinned dependencies were found, and prints their names
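As an added example, the following is a minimal JavaScript re-implementation of the three classification rules just listed, run against a constructed package.json. It is not the source of check-for-pinned-deps; the set of scanned fields, the regular expressions and the sample dependency names and URLs are all assumptions made here.

```javascript
// Added example: a minimal re-implementation of the pinning rules described above.
// It is not the check-for-pinned-deps source; the field list and regexes are assumptions.

// Assumed set of package.json fields to scan (the page does not list them).
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// An exact version: MAJOR.MINOR.PATCH, optionally followed by a prerelease tag
// (accepting both "-alpha" and the page's "4.5.6.alpha" spelling) and build metadata.
// Range operators (^, ~, >=, *, x) and dist-tags like "latest" do not match.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:[-.][0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// A git commit-ish: 7 to 40 hex characters.
const COMMITISH = /^[0-9a-f]{7,40}$/i;
// The same two shapes, but matched anywhere inside a URL (e.g. a tarball file name).
const SEMVER_ANYWHERE = /\d+\.\d+\.\d+/;
const COMMITISH_ANYWHERE = /\b[0-9a-f]{7,40}\b/i;

// Decide whether a single version specifier pins the dependency.
function isPinned(spec) {
  if (typeof spec !== "string") return false;
  // Rule: file: references are treated as pinned.
  if (spec.startsWith("file:")) return true;
  // Rule: an exact semver string is pinned.
  if (EXACT_SEMVER.test(spec)) return true;
  // Rule: URLs / GitHub shorthands must carry a commit-ish or a semver string.
  const hash = spec.lastIndexOf("#");
  if (hash !== -1) {
    // "user/repo#<ref>", "git+https://...#<ref>" or "#semver:1.2.3"
    let ref = spec.slice(hash + 1);
    if (ref.startsWith("semver:")) ref = ref.slice("semver:".length);
    return COMMITISH.test(ref) || EXACT_SEMVER.test(ref);
  }
  const looksLikeUrl = spec.includes("/") || spec.includes(":");
  if (looksLikeUrl) {
    return SEMVER_ANYWHERE.test(spec) || COMMITISH_ANYWHERE.test(spec);
  }
  // Everything else (ranges, "latest", "*", other dist-tags) is unpinned.
  return false;
}

// Walk the dependency fields and collect every unpinned entry.
function findUnpinned(pkg, fields = DEP_FIELDS) {
  const unpinned = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Mirror the CLI contract: exit code 0 when everything is pinned, 1 otherwise.
function checkPackage(pkg) {
  const unpinned = findUnpinned(pkg);
  return { exitCode: unpinned.length === 0 ? 0 : 1, unpinned };
}

// Constructed sample package.json (not a real project); names and URLs are made up.
const SAMPLE_PKG = {
  dependencies: {
    "left-pad": "1.3.0",                                        // exact -> pinned
    "lodash": "^4.17.21",                                       // range -> unpinned
    "express": "~4.18.0",                                       // range -> unpinned
    "some-lib": "github:user/some-lib#a1b2c3d4e5f6",            // commit-ish -> pinned
    "other-lib": "git+https://example.com/other-lib.git",       // no ref -> unpinned
    "local-lib": "file:../local-lib",                           // file: -> pinned
    "tarball-lib": "https://example.com/tarball-lib-2.0.1.tgz", // semver in URL -> pinned
  },
  devDependencies: {
    "typescript": "latest",     // dist-tag -> unpinned
    "prettier": "3.2.5-beta.1", // exact prerelease -> pinned
  },
};

const result = checkPackage(SAMPLE_PKG);
for (const d of result.unpinned) console.log(`unpinned: ${d.field} ${d.name}@${d.spec}`);
console.log(`exit code: ${result.exitCode}`);
```

On the sample above the check reports lodash, express, other-lib and typescript and returns exit code 1; a real CLI would pass that value to process.exit. A GitHub reference without a ref is reported as unpinned because a bare branch resolves to whatever the default branch points at when the install runs, which is exactly the non-reproducibility the tool is meant to surface.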

🎯 Motivation

Pinning dependencies has several advantages in terms of reproducibility and security.

Renovate has a good blog post about this topic: Should you Pin your JavaScript Dependencies?

🚀 Usage

To use check-for-pinned-deps, you can easily invoke it with npx as follows:

npx check-for-pinned-deps

🧰 Requirements

  • Node.js 18 or higher

💡 Alternatives

📦 Package details

  • Install: npm i check-for-pinned-deps
  • Weekly Downloads: 3
  • Version: 0.0.4
  • License: MIT
  • Unpacked Size: 7.87 kB
  • Total Files: 11
  • Collaborators: jase88