<!DOCTYPE html><html><head>
<meta charset="utf-8">
<title>Dependency Selector Syntax &amp; Querying</title>
<style>
body {
    background-color: #ffffff;
    color: #24292e;

    margin: 0;

    line-height: 1.5;

    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji";
}
#rainbar {
    height: 10px;
    background-image: linear-gradient(139deg, #fb8817, #ff4b01, #c12127, #e02aff);
}

a {
    text-decoration: none;
    color: #0366d6;
}
a:hover {
    text-decoration: underline;
}

pre {
    margin: 1em 0px;
    padding: 1em;
    border: solid 1px #e1e4e8;
    border-radius: 6px;

    display: block;
    overflow: auto;

    white-space: pre;

    background-color: #f6f8fa;
    color: #393a34;
}
code {
    font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace;
    font-size: 85%;
    padding: 0.2em 0.4em;
    background-color: #f6f8fa;
    color: #393a34;
}
pre > code {
    padding: 0;
    background-color: inherit;
    color: inherit;
}
h1, h2, h3 {
    font-weight: 600;
}

#logobar {
    background-color: #333333;
    margin: 0 auto;
    padding: 1em 4em;
}
#logobar .logo {
    float: left;
}
#logobar .title {
    font-weight: 600;
    color: #dddddd;
    float: left;
    margin: 5px 0 0 1em;
}
#logobar:after {
    content: "";
    display: block;
    clear: both;
}

#content {
    margin: 0 auto;
    padding: 0 4em;
}

#table_of_contents > h2 {
    font-size: 1.17em;
}
#table_of_contents ul:first-child {
    border: solid 1px #e1e4e8;
    border-radius: 6px;
    padding: 1em;
    background-color: #f6f8fa;
    color: #393a34;
}
#table_of_contents ul {
    list-style-type: none;
    padding-left: 1.5em;
}
#table_of_contents li {
    font-size: 0.9em;
}
#table_of_contents li a {
    color: #000000;
}

header.title {
    border-bottom: solid 1px #e1e4e8;
}
header.title > h1 {
    margin-bottom: 0.25em;
}
header.title > .description {
    display: block;
    margin-bottom: 0.5em;
    line-height: 1;
}

footer#edit {
    border-top: solid 1px #e1e4e8;
    margin: 3em 0 4em 0;
    padding-top: 2em;
}
</style>
</head>
<body>
<div id="banner">
<div id="rainbar"></div>
<div id="logobar">
<svg class="logo" role="img" height="32" width="32" viewBox="0 0 700 700">
<polygon fill="#cb0000" points="0,700 700,700 700,0 0,0"></polygon>
<polygon fill="#ffffff" points="150,550 350,550 350,250 450,250 450,550 550,550 550,150 150,150"></polygon>
</svg>
<div class="title">
npm command-line interface
</div>
</div>
</div>

<section id="content">
<header class="title">
<h1 id="dependency-selector-syntax--querying">Dependency Selector Syntax &amp; Querying</h1>
<span class="description">Dependency Selector Syntax &amp; Querying</span>
</header>

<section id="table_of_contents">
<h2 id="table-of-contents">Table of contents</h2>
<div id="_table_of_contents"><ul><li><a href="#see-also">See Also</a></li></ul></div>
</section>

<div id="_content"><h3 id="description">Description</h3>
<p>The <a href="../commands/npm-query.html"><code>npm query</code></a> command exposes a new dependency selector syntax (informed by &amp; respecting many aspects of the <a href="https://dev.w3.org/csswg/selectors4/#relational">CSS Selectors 4 Spec</a>) which:</p>
<ul>
<li>Standardizes the shape of, &amp; querying of, dependency graphs with a robust object model, metadata &amp; selector syntax</li>
<li>Leverages existing, known language syntax &amp; operators from CSS to make disparate package information broadly accessible</li>
<li>Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships &amp; associative metadata</li>
<li>Consolidates redundant logic of similar query commands in <code>npm</code> (ex.
<code>npm fund</code>, <code>npm ls</code>, <code>npm outdated</code>, <code>npm audit</code> ...)</li>
</ul>
<h3 id="dependency-selector-syntax">Dependency Selector Syntax</h3>
<h4 id="overview">Overview:</h4>
<ul>
<li>there are no "type" or "tag" selectors (ex. <code>div, h1, a</code>) as a dependency/target is the only type of <code>Node</code> that can be queried</li>
<li>the term "dependencies" is in reference to any <code>Node</code> found in a <code>tree</code> returned by <code>Arborist</code></li>
</ul>
<h4 id="combinators">Combinators</h4>
<ul>
<li><code>&gt;</code> direct descendant/child</li>
<li><code> </code> any descendant/child</li>
<li><code>~</code> sibling</li>
</ul>
<h4 id="selectors">Selectors</h4>
<ul>
<li><code>*</code> universal selector</li>
<li><code>#&lt;name&gt;</code> dependency selector (equivalent to <code>[name="..."]</code>)</li>
<li><code>#&lt;name&gt;@&lt;version&gt;</code> (equivalent to <code>[name=&lt;name&gt;]:semver(&lt;version&gt;)</code>)</li>
<li><code>,</code> selector list delimiter</li>
<li><code>.</code> dependency type selector</li>
<li><code>:</code> pseudo selector</li>
</ul>
<h4 id="dependency-type-selectors">Dependency Type Selectors</h4>
<ul>
<li><code>.prod</code> dependency found in the <code>dependencies</code> section of <code>package.json</code>, or is a child of said dependency</li>
<li><code>.dev</code> dependency found in the <code>devDependencies</code> section of <code>package.json</code>, or is a child of said dependency</li>
<li><code>.optional</code> dependency found in the <code>optionalDependencies</code> section of <code>package.json</code>, or has <code>"optional": true</code> set in its entry in the <code>peerDependenciesMeta</code> section of <code>package.json</code>, or a child of said dependency</li>
<li><code>.peer</code> dependency found in the <code>peerDependencies</code> section of <code>package.json</code></li>
<li><code>.workspace</code> dependency found in the <a href="https://docs.npmjs.com/cli/v8/using-npm/workspaces"><code>workspaces</code></a> section of <code>package.json</code></li>
<li><code>.bundled</code> dependency found in the <code>bundleDependencies</code> section of <code>package.json</code>, or is a child of said dependency</li>
</ul>
<h4 id="pseudo-selectors">Pseudo Selectors</h4>
<ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:not"><code>:not(&lt;selector&gt;)</code></a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:has"><code>:has(&lt;selector&gt;)</code></a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:is"><code>:is(&lt;selector list&gt;)</code></a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:root"><code>:root</code></a> matches the root node/dependency</li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:scope"><code>:scope</code></a> matches node/dependency it was queried against</li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/:empty"><code>:empty</code></a> when a dependency has no dependencies</li>
<li><a href="https://docs.npmjs.com/cli/v8/configuring-npm/package-json#private"><code>:private</code></a> when a dependency is private</li>
<li><code>:link</code> when a dependency is linked (for instance, workspaces or packages manually <a href="https://docs.npmjs.com/cli/v8/commands/npm-link"><code>linked</code></a>)</li>
<li><code>:deduped</code> when a dependency has been deduped (note that this does <em>not</em> always mean the dependency has been hoisted to the root of node_modules)</li>
<li><code>:overridden</code> when a dependency has been overridden</li>
<li><code>:extraneous</code> when a dependency exists but is not defined as a dependency of any node</li>
<li><code>:invalid</code> when a dependency version is out of its ancestor's specified range</li>
<li><code>:missing</code> when a
dependency is not found on disk</li>
<li><code>:semver(&lt;spec&gt;, [selector], [function])</code> match a valid <a href="https://github.com/npm/node-semver"><code>node-semver</code></a> version or range to a selector</li>
<li><code>:path(&lt;path&gt;)</code> <a href="https://www.npmjs.com/package/glob">glob</a> matching based on the dependency's path relative to the project</li>
<li><code>:type(&lt;type&gt;)</code> <a href="https://github.com/npm/npm-package-arg#result-object">based on currently recognized types</a></li>
<li><code>:outdated(&lt;type&gt;)</code> when a dependency is outdated</li>
<li><code>:vuln(&lt;selector&gt;)</code> when a dependency has a known vulnerability</li>
</ul>
<h5 id="semverspec-selector-function"><code>:semver(&lt;spec&gt;, [selector], [function])</code></h5>
<p>The <code>:semver()</code> pseudo selector allows comparing fields from each node's <code>package.json</code> using <a href="https://github.com/npm/node-semver#readme">semver</a> methods. It accepts up to 3 parameters, all but the first of which are optional.</p>
<ul>
<li><code>spec</code> a semver version or range</li>
<li><code>selector</code> an attribute selector for each node (default <code>[version]</code>)</li>
<li><code>function</code> a semver method to apply, one of: <code>satisfies</code>, <code>intersects</code>, <code>subset</code>, <code>gt</code>, <code>gte</code>, <code>gtr</code>, <code>lt</code>, <code>lte</code>, <code>ltr</code>, <code>eq</code>, <code>neq</code> or the special function <code>infer</code> (default <code>infer</code>)</li>
</ul>
<p>When the special <code>infer</code> function is used, the <code>spec</code> and the actual value from the node are compared. If both are versions, according to <code>semver.valid()</code>, <code>eq</code> is used. If both values are ranges, according to <code>!semver.valid()</code>, <code>intersects</code> is used.
If the values are mixed types, <code>satisfies</code> is used.</p>
<p>Some examples:</p>
<ul>
<li><code>:semver(^1.0.0)</code> returns every node that has a <code>version</code> satisfied by the provided range <code>^1.0.0</code></li>
<li><code>:semver(16.0.0, :attr(engines, [node]))</code> returns every node which has an <code>engines.node</code> property satisfying the version <code>16.0.0</code></li>
<li><code>:semver(1.0.0, [version], lt)</code> every node with a <code>version</code> less than <code>1.0.0</code></li>
</ul>
<h5 id="outdatedtype"><code>:outdated(&lt;type&gt;)</code></h5>
<p>The <code>:outdated</code> pseudo selector retrieves data from the registry and returns information about which of your dependencies are outdated. The type parameter may be one of the following:</p>
<ul>
<li><code>any</code> (default) a version exists that is greater than the current one</li>
<li><code>in-range</code> a version exists that is greater than the current one, and satisfies at least one of its parent's dependencies</li>
<li><code>out-of-range</code> a version exists that is greater than the current one, and does not satisfy at least one of its parent's dependencies</li>
<li><code>major</code> a version exists that is a semver major greater than the current one</li>
<li><code>minor</code> a version exists that is a semver minor greater than the current one</li>
<li><code>patch</code> a version exists that is a semver patch greater than the current one</li>
</ul>
<p>In addition to the filtering performed by the pseudo selector, some extra data is added to the resulting objects.
The following data can be found under the <code>queryContext</code> property of each node.</p>
<ul>
<li><code>versions</code> an array of every available version of the given node</li>
<li><code>outdated.inRange</code> an array of objects, each with a <code>from</code> and <code>versions</code>, where <code>from</code> is the on-disk location of the node that depends on the current node and <code>versions</code> is an array of all available versions that satisfy that dependency. This is only populated if <code>:outdated(in-range)</code> is used.</li>
<li><code>outdated.outOfRange</code> an array of objects, identical in shape to <code>inRange</code>, but where the <code>versions</code> array is every available version that does not satisfy the dependency. This is only populated if <code>:outdated(out-of-range)</code> is used.</li>
</ul>
<p>Some examples:</p>
<ul>
<li><code>:root &gt; :outdated(major)</code> returns every direct dependency that has a new semver major release</li>
<li><code>.prod:outdated(in-range)</code> returns production dependencies that have a new release that satisfies at least one of its parent's dependencies</li>
</ul>
<h5 id="vuln"><code>:vuln</code></h5>
<p>The <code>:vuln</code> pseudo selector retrieves data from the registry and returns information about which of your dependencies have a known vulnerability. Only dependencies whose current version matches a vulnerability will be returned. For example, if you have <code>semver@7.6.0</code> in your tree, a vulnerability for <code>semver</code> which affects versions <code>&lt;=6.3.1</code> will not match.</p>
<p>You can also filter results by certain attributes in advisories. Currently that includes <code>severity</code> and <code>cwe</code>.
Note that severity filtering is done per severity; it does not include severities "higher" or "lower" than the one specified.</p>
<p>In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the <code>queryContext</code> attribute of each node under the <code>advisories</code> attribute.</p>
<p>Some examples:</p>
<ul>
<li><code>:root &gt; .prod:vuln</code> returns direct production dependencies with any known vulnerability</li>
<li><code>:vuln([severity=high])</code> returns only dependencies with a vulnerability with a <code>high</code> severity.</li>
<li><code>:vuln([severity=high],[severity=moderate])</code> returns only dependencies with a vulnerability with a <code>high</code> or <code>moderate</code> severity.</li>
<li><code>:vuln([cwe=1333])</code> returns only dependencies with a vulnerability that includes CWE-1333 (ReDoS)</li>
</ul>
<h4 id="attribute-selectors"><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors">Attribute Selectors</a></h4>
<p>The attribute selector evaluates the key/value pairs in <code>package.json</code> if they are <code>String</code>s.</p>
<ul>
<li><code>[]</code> attribute selector (ie.
existence of attribute)</li>
<li><code>[attribute=value]</code> attribute value is equivalent...</li>
<li><code>[attribute~=value]</code> attribute value contains word...</li>
<li><code>[attribute*=value]</code> attribute value contains string...</li>
<li><code>[attribute|=value]</code> attribute value is equal to or starts with...</li>
<li><code>[attribute^=value]</code> attribute value starts with...</li>
<li><code>[attribute$=value]</code> attribute value ends with...</li>
</ul>
<h4 id="array--object-attribute-selectors"><code>Array</code> &amp; <code>Object</code> Attribute Selectors</h4>
<p>The generic <code>:attr()</code> pseudo selector standardizes a pattern which can be used for attribute selection of <code>Object</code>s, <code>Array</code>s or <code>Array</code>s of <code>Object</code>s accessible via <code>Arborist</code>'s <code>Node.package</code> metadata. This allows for iterative attribute selection beyond top-level <code>String</code> evaluation. The last argument passed to <code>:attr()</code> must be an <code>attribute</code> selector or a nested <code>:attr()</code>. See examples below:</p>
<h4 id="objects"><code>Objects</code></h4>
<pre><code class="language-css">/* return dependencies that have a `scripts.test` containing `"tap"` */
*:attr(scripts, [test~=tap])
</code></pre>
<h4 id="nested-objects">Nested <code>Objects</code></h4>
<p>Nested objects are expressed as sequential arguments to <code>:attr()</code>.</p>
<pre><code class="language-css">/* return dependencies that have a testling config for opera browsers */
*:attr(testling, browsers, [~=opera])
</code></pre>
<h4 id="arrays"><code>Arrays</code></h4>
<p><code>Array</code>s specifically use a special/reserved <code>.</code> character in place of a typical attribute name.
<code>Arrays</code> also support exact <code>value</code> matching when a <code>String</code> is passed to the selector.</p>
<h5 id="example-of-an-array-attribute-selection">Example of an <code>Array</code> Attribute Selection:</h5>
<pre><code class="language-css">/* removes the distinction between properties &amp; arrays */
/* ie. we'd have to check the property &amp; iterate to match selection */
*:attr([keywords^=react])
*:attr(contributors, :attr([name~=Jordan]))
</code></pre>
<h5 id="example-of-an-array-matching-directly-to-a-value">Example of an <code>Array</code> matching directly to a value:</h5>
<pre><code class="language-css">/* return dependencies that have the exact keyword "react" */
/* this is equivalent to `*:keywords([value="react"])` */
*:attr([keywords=react])
</code></pre>
<h5 id="example-of-an-array-of-objects">Example of an <code>Array</code> of <code>Object</code>s:</h5>
<pre><code class="language-css">/* returns */
*:attr(contributors, [email=ruyadorno@github.com])
</code></pre>
<h3 id="groups">Groups</h3>
<p>Dependency groups are defined by the package relationships to their ancestors (ie. the dependency types that are defined in <code>package.json</code>). This approach is user-centric as the ecosystem has been taught to think about dependencies in these groups first-and-foremost. Dependencies are allowed to be included in multiple groups (ex.
a <code>prod</code> dependency may also be a <code>dev</code> dependency (in that it's also required by another <code>dev</code> dependency) &amp; may also be <code>bundled</code> - a selector for that type of dependency would look like: <code>*.prod.dev.bundled</code>).</p>
<ul>
<li><code>.prod</code></li>
<li><code>.dev</code></li>
<li><code>.optional</code></li>
<li><code>.peer</code></li>
<li><code>.bundled</code></li>
<li><code>.workspace</code></li>
</ul>
<p>Please note that currently <code>workspace</code> deps are always <code>prod</code> dependencies. Additionally the <code>.root</code> dependency is also considered a <code>prod</code> dependency.</p>
<h3 id="programmatic-usage">Programmatic Usage</h3>
<ul>
<li><code>Arborist</code>'s <code>Node</code> Class has a <code>.querySelectorAll()</code> method
<ul>
<li>this method will return a filtered, flattened dependency Arborist <code>Node</code> list based on a valid query selector</li>
</ul>
</li>
</ul>
<pre><code class="language-js">const Arborist = require('@npmcli/arborist')
const arb = new Arborist({})
</code></pre>
<pre><code class="language-js">// root-level
arb.loadActual().then(async (tree) =&gt; {
  // query all production dependencies
  const results = await tree.querySelectorAll('.prod')
  console.log(results)
})
</code></pre>
<pre><code class="language-js">// iterative
arb.loadActual().then(async (tree) =&gt; {
  // query for react nodes that have not been deduped
  const results = await tree.querySelectorAll('#react:not(:deduped)')
  // nothing to query further if react is not in the tree
  if (results.length === 0) return
  // query the first matching react node for git deps
  const deps = await results[0].querySelectorAll(':type(git)')
  console.log(deps)
})
</code></pre>
<h2 id="see-also">See Also</h2>
<ul>
<li><a href="../commands/npm-query.html">npm query</a></li>
<li><a href="https://npm.im/@npmcli/arborist">@npmcli/arborist</a></li>
</ul></div>

<footer id="edit">
<a
href="https://github.com/npm/cli/edit/latest/docs/content/using-npm/dependency-selectors.md">
<svg role="img" viewBox="0 0 16 16" width="16" height="16" fill="currentcolor" style="vertical-align: text-bottom; margin-right: 0.3em;">
<path fill-rule="evenodd" d="M11.013 1.427a1.75 1.75 0 012.474 0l1.086 1.086a1.75 1.75 0 010 2.474l-8.61 8.61c-.21.21-.47.364-.756.445l-3.251.93a.75.75 0 01-.927-.928l.929-3.25a1.75 1.75 0 01.445-.758l8.61-8.61zm1.414 1.06a.25.25 0 00-.354 0L10.811 3.75l1.439 1.44 1.263-1.263a.25.25 0 000-.354l-1.086-1.086zM11.189 6.25L9.75 4.81l-6.286 6.287a.25.25 0 00-.064.108l-.558 1.953 1.953-.558a.249.249 0 00.108-.064l6.286-6.286z"></path>
</svg>
Edit this page on GitHub
</a>
</footer>
</section>

</body></html>
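<p>The severity caveat from the <code>:vuln</code> section, as an added example that is not part of the npm documentation: <code>:vuln([severity=high])</code> does not match <code>critical</code> advisories, so a "high or worse" gate has to list every level. The helper names and sample nodes are constructed for illustration; the example assumes the <code>npm audit</code> severity names (<code>info</code>, <code>low</code>, <code>moderate</code>, <code>high</code>, <code>critical</code>) and that each entry under <code>queryContext.advisories</code> carries a <code>severity</code> string.</p>

```javascript
// Added example, not npm's own code. Assumption: severity names follow the
// `npm audit` levels, ordered from least to most severe.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical']

function rank (severity) {
  const i = SEVERITIES.indexOf(severity)
  if (i === -1) throw new RangeError(`unknown severity: ${severity}`)
  return i
}

// Build a selector for "`minimum` or worse". :vuln() matches one severity per
// attribute filter, so every level from `minimum` upward is listed explicitly.
function vulnSelectorAtLeast (minimum, prefix = '') {
  const filters = SEVERITIES.slice(rank(minimum)).map(s => `[severity=${s}]`)
  return `${prefix}:vuln(${filters.join(',')})`
}

// Advisories that :vuln attached to a node; empty when the node has none.
function advisoriesOf (node) {
  return (node.queryContext && node.queryContext.advisories) || []
}

// What a single-level filter such as :vuln([severity=high]) selects.
function exactSeverityMatch (nodes, severity) {
  return nodes
    .filter(n => advisoriesOf(n).some(a => a.severity === severity))
    .map(n => `${n.name}@${n.version}`)
}

// Worst advisory per package, keeping packages at or above `minimum`.
function triage (nodes, minimum) {
  const floor = rank(minimum)
  const findings = []
  for (const node of nodes) {
    const ranks = advisoriesOf(node).map(a => SEVERITIES.indexOf(a.severity))
    const worst = Math.max(-1, ...ranks)
    if (worst >= floor) {
      findings.push({
        pkg: `${node.name}@${node.version}`,
        severity: SEVERITIES[worst],
        advisories: ranks.length
      })
    }
  }
  return findings.sort((a, b) => rank(b.severity) - rank(a.severity))
}

// Constructed nodes in the shape `npm query ":vuln"` prints as JSON
// (assumed fields: name, version, queryContext.advisories[].severity).
const SAMPLE = [
  { name: 'alpha', version: '1.2.0', queryContext: { advisories: [{ severity: 'moderate' }, { severity: 'critical' }] } },
  { name: 'beta', version: '0.4.1', queryContext: { advisories: [{ severity: 'high' }] } },
  { name: 'gamma', version: '3.0.0', queryContext: { advisories: [{ severity: 'low' }] } },
  { name: 'delta', version: '2.0.0' }
]

console.log(vulnSelectorAtLeast('high', ':root > .prod'))
console.log(exactSeverityMatch(SAMPLE, 'high')) // alpha's critical advisory is missed
console.log(triage(SAMPLE, 'high'))
```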