Last active
          September 26, 2025 06:55 
        
    This script checks your npm cache to find out whether any of the affected packages were pulled onto your machine. Run `chmod +x check-npm-cache.sh` before use. Requires jq; use `brew install jq` to install it. Only tested on macOS.
  
        
  
    
    
  
  
    
#!/usr/bin/env bash
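set -euo pipefail

# Reports which of the listed package versions have a tarball in the local
# npm cache. Scope: only `npm cache ls` is consulted, so an empty result says
# nothing about node_modules directories, lockfiles, or other package
# managers' caches.

# Package releases to look for: a JSON array of {name, version} objects.
packages_json='[
  {"name":"backslash","version":"0.2.1"},
  {"name":"chalk-template","version":"1.1.1"},
  {"name":"supports-hyperlinks","version":"4.1.1"},
  {"name":"has-ansi","version":"6.0.1"},
  {"name":"simple-swizzle","version":"0.2.3"},
  {"name":"color-string","version":"2.1.1"},
  {"name":"error-ex","version":"1.3.3"},
  {"name":"color-name","version":"2.0.1"},
  {"name":"is-arrayish","version":"0.3.3"},
  {"name":"slice-ansi","version":"7.1.1"},
  {"name":"color-convert","version":"3.1.1"},
  {"name":"wrap-ansi","version":"9.0.1"},
  {"name":"ansi-regex","version":"6.2.1"},
  {"name":"supports-color","version":"10.2.1"},
  {"name":"strip-ansi","version":"7.1.1"},
  {"name":"chalk","version":"5.6.1"},
  {"name":"debug","version":"4.4.2"},
  {"name":"ansi-styles","version":"6.2.2"},
  {"name":"proto-tinker-wc","version":"0.1.87"},
  {"name":"duckdb","version":"1.3.3"},
  {"name":"@duckdb/node-api","version":"1.3.3"},
  {"name":"@duckdb/node-bindings","version":"1.3.3"}
]'

if ! command -v jq >/dev/null 2>&1; then
  echo "Error: 'jq' is required (to parse the JSON array-of-objects)." >&2
  exit 1
fi
# Without npm the listing below would be empty and the script would print
# "(none)", which reads as an all-clear; refuse to run instead.
if ! command -v npm >/dev/null 2>&1; then
  echo "Error: 'npm' is required (to list the npm cache)." >&2
  exit 1
fi

# One "name<TAB>version" pair per line. Done as a plain assignment so that a
# jq failure aborts the script under `set -e`.
pairs=$(jq -r '.[] | "\(.name)\t\(.version)"' <<<"$packages_json")

# Collect the names in an array so each one reaches npm as exactly one
# argument. A read loop is used instead of mapfile so this also runs on the
# bash 3.2 that ships with macOS.
names=()
while IFS=$'\t' read -r name _; do
  if [ -n "$name" ]; then
    names+=("$name")
  fi
done <<<"$pairs"

# With no arguments `npm cache ls` lists the entire cache; stop rather than
# scan something other than the intended package list.
if [ "${#names[@]}" -eq 0 ]; then
  echo "Error: package list is empty." >&2
  exit 1
fi

echo "Running 'npm cache ls' for given packages..."
# Keep going if npm fails (best effort), but remember the status so the
# summary below does not claim a clean result for a scan that did not run.
npm_status=0
npm_output=$(npm cache ls "${names[@]}" 2>/dev/null) || npm_status=$?
if [ "$npm_status" -ne 0 ]; then
  echo "Warning: 'npm cache ls' exited with status $npm_status; results may be incomplete." >&2
fi

echo
echo "Packages found in npm cache:"

found=0
# The loop reads from a here-string, not a pipeline, so it runs in the current
# shell and `found` survives it; no temp file is needed to carry the result.
while IFS=$'\t' read -r name version; do
  [ -n "$name" ] || continue
  # Assumes the cache keys printed by npm contain registry tarball URLs ending
  # in "/<unscoped-name>-<version>.tgz" - confirm if a custom registry is used.
  # Dropping the scope is what lets "@scope/pkg" entries match, and the
  # leading "/" and trailing ".tgz" keep e.g. 1.3.3 from matching 1.3.30.
  tarball="/${name##*/}-${version}.tgz"
  # -F: the dots in the version are literal, not regex wildcards.
  # The here-string avoids `printf | grep -q`, where grep exiting early can
  # SIGPIPE printf and, under pipefail, turn a real match into "not found".
  if grep -qF -- "$tarball" <<<"$npm_output"; then
    echo "• $name@$version"
    found=1
  fi
done <<<"$pairs"

if [ "$found" -eq 0 ]; then
  if [ "$npm_status" -ne 0 ]; then
    echo "(unknown: 'npm cache ls' failed)"
  else
    echo "(none)"
  fi
fi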
  
  
            
📣 @phxgg @qsniyg @ernestognw and others - I have created a fork that does a much broader scan, including the Yarn and PNPM global caches and all package.json files, Dockerfiles, etc. under the current working directory.
https://gist.github.com/joeskeen/202fe9f6d7a2f624097962507c5ab681
Edit: @qsniyg I've updated my fork to include that new package, thanks for reporting it!
Update: I've updated my script to group issues by project and to show a section of suggested remediation commands at the end, which should give you what you need to fix all the issues. I ran it on the root directory containing all of my cloned repositories and ended up with 235 issues! But it grouped them, and for me it comes down to updating dependencies in 13 projects.