Why a JS package has been installed

03 Jun 2020

My projects on GitHub often receive security alerts about JS packages. Most of the time the flagged package is not one I installed explicitly; it is a dependency of another package, or a dependency of a dependency of one. Tracing that chain through yarn.lock by hand is painful.

Recently, I found that yarn already supplies a command for exactly this: yarn why <query>, where the query is the package name. For example:

yarn why minimist

info Has been hoisted to "minimist"
info Reasons this module exists
   - Hoisted from "@rails#webpacker#node-sass#meow#minimist"
   - Hoisted from "rails-erb-loader#loader-utils#json5#minimist"
   - Hoisted from "@rails#webpacker#@babel#core#json5#minimist"
   - Hoisted from "webpack-dev-server#chokidar#fsevents#node-pre-gyp#rc#minimist"
info Disk size without dependencies: "96KB"
info Disk size with unique dependencies: "96KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 0
=> Found "mkdirp#minimist@0.0.8"
info This module exists because "eslint#mkdirp" depends on it.
info Disk size without dependencies: "72KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 0

The report shows two distinct copies of minimist. The first has been hoisted to node_modules/minimist and is reached through four chains (via meow, json5 and rc). The second, minimist@0.0.8, is nested under mkdirp and exists only because eslint#mkdirp depends on that exact version. Each chain starts at a direct dependency of the project (here @rails/webpacker, rails-erb-loader, webpack-dev-server and eslint); that is the package to upgrade, or to wait on, until it pulls in a fixed version of the flagged package. Because there are two resolved copies, the alert is not cleared until both chains move off the vulnerable range.

This kind of investigation is easy with yarn why.
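To make clear what yarn why is computing, here is an added example that is not part of the original post and is not yarn's own code: a small Node.js script that parses a v1 yarn.lock, then walks from the project's direct dependencies to every resolved copy of the queried package and prints each chain in the same name#name#name@version form as the report above. The lockfile contents, the direct dependency list and the version numbers are constructed for the example to mirror the chains in the report, and parseYarnLock, why and versionsOf are hypothetical helper names; the script does not model hoisting, so it prints full chains instead of "Hoisted from" lines.

```javascript
// Added example: a minimal re-implementation of "yarn why" for a v1 yarn.lock.
// Not the post's code and not yarn's own code. It lists every dependency chain
// from a direct dependency down to each resolved copy of the queried package,
// so each copy can be traced back to the top-level package that must be upgraded.

// Constructed lockfile for the example; versions are illustrative.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@babel/core@^7.9.0":
  version "7.9.6"
  dependencies:
    json5 "^2.1.2"

"@rails/webpacker@^4.2.2":
  version "4.2.2"
  dependencies:
    "@babel/core" "^7.9.0"

eslint@^6.8.0:
  version "6.8.0"
  dependencies:
    mkdirp "^0.5.1"

json5@^1.0.1:
  version "1.0.1"
  dependencies:
    minimist "^1.2.0"

json5@^2.1.2:
  version "2.1.3"
  dependencies:
    minimist "^1.2.5"

loader-utils@^1.2.3:
  version "1.4.0"
  dependencies:
    json5 "^1.0.1"

minimist@0.0.8:
  version "0.0.8"

minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.5"

mkdirp@^0.5.1:
  version "0.5.1"
  dependencies:
    minimist "0.0.8"

rails-erb-loader@^5.5.2:
  version "5.5.2"
  dependencies:
    loader-utils "^1.2.3"
`;

// Constructed package.json "dependencies" of the example project.
const DIRECT_DEPS = {
  "@rails/webpacker": "^4.2.2",
  "rails-erb-loader": "^5.5.2",
  eslint: "^6.8.0",
};

// Package name of a "name@range" spec: everything before the last "@",
// which keeps scoped names such as "@babel/core" intact.
function specName(spec) {
  return spec.slice(0, spec.lastIndexOf("@"));
}

// Parse a v1 yarn.lock into a Map from "name@range" spec to its resolved entry
// ({ name, version, deps: [[name, range], ...] }). Several specs that resolve
// to the same version share one header line and therefore one entry object.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0 && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, ""));
      current = { name: specName(specs[0]), version: null, deps: [] };
      inDeps = false;
      for (const spec of specs) entries.set(spec, current);
    } else if (indent === 2 && current) {
      inDeps = line === "dependencies:" || line === "optionalDependencies:";
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps && current) {
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]*)"$/);
      if (m) current.deps.push([m[1], m[2]]);
    }
  }
  return entries;
}

// Every chain direct-dep#...#target@version, depth-first from each direct
// dependency. A per-path "seen" set stops cycles, which do occur in npm graphs.
function why(entries, directDeps, target) {
  const chains = [];
  function walk(spec, path, seen) {
    const entry = entries.get(spec);
    if (!entry || seen.has(entry)) return;
    const next = [...path, entry.name];
    if (entry.name === target) chains.push(`${next.join("#")}@${entry.version}`);
    const seenNext = new Set(seen).add(entry);
    for (const [depName, range] of entry.deps) walk(`${depName}@${range}`, next, seenNext);
  }
  for (const [name, range] of Object.entries(directDeps)) walk(`${name}@${range}`, [], new Set());
  return chains.sort();
}

// Distinct resolved versions of a package: each one needs its own fix.
function versionsOf(entries, target) {
  const versions = new Set();
  for (const entry of entries.values()) if (entry.name === target) versions.add(entry.version);
  return [...versions].sort();
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = parseYarnLock(SAMPLE_LOCK);
  console.log(why(lock, DIRECT_DEPS, "minimist").join("\n"));
  console.log("resolved versions:", versionsOf(lock, "minimist").join(", "));
}
```

Run it with node and it prints three chains ending in two different resolved versions of minimist. That is the practical point of the report: a single alert can correspond to several copies, and clearing it means moving every chain's top-level package to a release whose own dependencies no longer pin the vulnerable version. Where a direct dependency has not released such a fix, yarn's "resolutions" field in package.json can force the nested copy to a patched version in the meantime; re-run yarn why afterwards to confirm only the patched copy remains.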
