JavaScript/TypeScript

Support for Node.js projects using package.json.

Table of contents

  1. Supported Files
  2. Registry
    1. Private Registries
  3. Dependency Formats
    1. Dependencies
    2. Dev Dependencies
    3. Peer Dependencies
    4. Optional Dependencies
  4. Version Specification
  5. Special Cases
    1. Scoped Packages
    2. Git Dependencies
    3. Local Dependencies
    4. npm Aliases
    5. Deprecated Packages
  6. Dist Tags
  7. Vulnerability Database
  8. Example package.json
  9. Troubleshooting
    1. Scoped Package Not Found
    2. Stale Versions
    3. Rate Limiting

Supported Files

File          Description
package.json  npm/yarn/pnpm manifest

Registry

npm - The Node.js package registry

  • Base URL: https://registry.npmjs.org
  • Rate limit: ~1 request per second recommended
  • Documentation: npmjs.com

Private Registries

npm supports custom registries. See Private Registries for setup.

Dependency Formats

Dependi parses all npm dependency sections:

Dependencies

{
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "4.17.21"
  }
}

Dev Dependencies

{
  "devDependencies": {
    "typescript": "^5.0.0",
    "jest": "^29.0.0"
  }
}

Peer Dependencies

{
  "peerDependencies": {
    "react": "^18.0.0"
  }
}

Optional Dependencies

{
  "optionalDependencies": {
    "fsevents": "^2.3.0"
  }
}

Version Specification

npm uses semantic versioning:

Syntax           Meaning
"1.0.0"          Exactly 1.0.0
"^1.0.0"         >=1.0.0, <2.0.0
"~1.0.0"         >=1.0.0, <1.1.0
"*"              Any version
">=1.0.0"        1.0.0 or higher
"1.0.0 - 2.0.0"  Range
"latest"         Latest tag

Special Cases

Scoped Packages

{
  "dependencies": {
    "@types/node": "^20.0.0",
    "@company/internal": "^1.0.0"
  }
}

Scoped packages (@scope/name) are fully supported. For private scopes, configure Private Registries.

Git Dependencies

{
  "dependencies": {
    "my-lib": "git+https://github.com/user/repo.git"
  }
}

Git dependencies show a → Git hint.

Local Dependencies

{
  "dependencies": {
    "my-local": "file:../my-local"
  }
}

Local dependencies show a → Local hint.

npm Aliases

{
  "dependencies": {
    "lodash-es": "npm:lodash@^4.17.0"
  }
}

Aliases are resolved to the actual package.

Deprecated Packages

Deprecated packages show a ⚠ Deprecated hint, with the deprecation message on hover.

Dist Tags

npm packages can have distribution tags:

  • latest - Default stable version
  • next - Pre-release version
  • beta, alpha - Testing versions

Dependi checks against latest by default.
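
The dependency sections, special cases and dist tags described above can be told apart from the spec string alone, which is useful when reviewing which entries in a manifest do not come from the registry at a fixed version. The following Node.js code is an added example, not Dependi's code; the function names, the fromRegistry field and the sample manifest are assumptions made for illustration, and the dist-tag test is a bare-word heuristic.

```javascript
// Added example (not Dependi's code): classify every dependency spec in a package.json.
const SECTIONS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function classifySpec(name, spec) {
  if (spec.startsWith("npm:")) {
    // Alias "npm:<real>@<range>": split on the last "@" so scoped targets survive.
    const target = spec.slice(4);
    const at = target.lastIndexOf("@");
    const real = at > 0 ? target.slice(0, at) : target;
    const range = at > 0 ? target.slice(at + 1) : "latest";
    return { ...classifySpec(real, range), alias: name };
  }
  // The scope is reported without its leading "@".
  const scope = name.startsWith("@") && name.includes("/") ? name.slice(1, name.indexOf("/")) : null;
  let kind;
  if (/^(git\+|git:|github:)/.test(spec)) kind = "git";
  else if (spec.startsWith("file:")) kind = "local";
  else if (spec === "" || spec === "*" || spec.toLowerCase() === "x") kind = "any";
  else if (EXACT.test(spec)) kind = "exact";
  else if (/^[a-z][a-z-]*$/i.test(spec)) kind = "tag"; // heuristic: bare word such as latest, next, beta
  else kind = "range";
  // Git and local entries are not fetched from the registry, so a registry lookup says nothing about them.
  return { name, scope, kind, spec, fromRegistry: kind !== "git" && kind !== "local" };
}

function classifyManifest(text) {
  const manifest = JSON.parse(text);
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      out.push({ section, ...classifySpec(name, String(spec)) });
    }
  }
  return out;
}

// Constructed sample manifest built from the spec forms shown on this page.
const SAMPLE = JSON.stringify({
  dependencies: {
    "express": "^4.18.0", "lodash": "4.17.21", "@company/internal": "^1.0.0",
    "my-lib": "git+https://github.com/user/repo.git", "my-local": "file:../my-local",
    "lodash-es": "npm:lodash@^4.17.0", "some-tool": "latest", "anything": "*"
  },
  devDependencies: { "typescript": "^5.0.0" },
  optionalDependencies: { "fsevents": "^2.3.0" }
});

for (const d of classifyManifest(SAMPLE)) {
  console.log(d.section.padEnd(20), (d.alias ? `${d.alias} -> ${d.name}` : d.name).padEnd(22), d.kind.padEnd(6), d.spec);
}
```

Entries classified as git, local, tag or any are the ones whose resolved code can change without the manifest changing, so they are the first to check in a dependency review.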

Vulnerability Database

npm vulnerabilities are sourced via the OSV.dev API, which aggregates:

Example package.json

{
  "name": "my-project",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.0",         // ✓
    "lodash": "4.17.15",          // -> 4.17.21
    "@types/node": "^20.0.0"      // ✓
  },
  "devDependencies": {
    "typescript": "^5.0.0",       // -> 5.3.0
    "jest": "^29.0.0"             // ✓
  }
}

Troubleshooting

Scoped Package Not Found

For private scoped packages:

  1. Configure the scope in Private Registries
  2. Ensure the authentication token is set
  3. Verify the scope name doesn’t include @ in config

Stale Versions

npm has heavy CDN caching. If a just-published version isn’t showing:

  1. Wait a few minutes for CDN propagation
  2. Clear Dependi cache and restart Zed

Rate Limiting

npm may block aggressive requests. Dependi’s caching minimizes API calls, but large monorepos may experience slower initial loads.